Windows Analysis Report
cuenta para pago1.exe

Overview

General Information

Sample name:	cuenta para pago1.exe
Analysis ID:	1410998
MD5:	93d1942c204022e792af256d0ccbe8e5
SHA1:	76649fb41dc760d4c9ad8be23e239fcb7b0e2418
SHA256:	c44904bfb8b44d8071f33359f824028597145f76bd1a6baf86d91679215e3c7d
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected FormBook

Yara detected GuLoader

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: cuenta para pago1.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.dreadbed.com/v3ka/	Avira URL Cloud: Label: malware
Source: http://www.mvmusicfactory.org/v3ka/	Avira URL Cloud: Label: malware
Source: http://www.stellerechoes.xyz/v3ka/?c4qx7JIP=GFfLE978cTjgJhl6jgUZbEhmCeB5iD6iCpjaC2ljIm715WZCCh3yMSG+VpY2eWrvhd9eQ+mGyZHjkiS2WPxVQ0dW/wG4u7YMAwOv3hEtYSzM6b6AuWOV5s4=&K4W=bb2HuFjPIN	Avira URL Cloud: Label: malware
Source: http://www.stellerechoes.xyz/v3ka/	Avira URL Cloud: Label: malware
Source: http://www.mvmusicfactory.org/v3ka/?c4qx7JIP=svB+aVl3D/Qs3yYm3uEZx4nnJil+hT1lh9v7sh/m91IvNeiskalMkbjGhLmhKb4ZrcP91hx+1jPTfxZ9U4bWGVnRMNWmuwE3Nqa36DGpX5UBaKLpwaX6qds=&K4W=bb2HuFjPIN	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: cuenta para pago1.exe

ReversingLabs: Detection: 47%

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.8749789268.0000000002DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.8752868489.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4215364100.0000000034570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.8752999026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.8751671842.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4216278898.0000000034BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.8751957709.00000000026D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Uses 32bit PE files

Source: cuenta para pago1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.65.174:443 -> 192.168.11.30:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.41.1:443 -> 192.168.11.30:49804 version: TLS 1.2

Source: cuenta para pago1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: cuenta para pago1.exe, 00000002.00000001.3959353601.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: cuenta para pago1.exe, 00000002.00000003.4095218580.000000003453C000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4099312779.00000000346E3000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4215456125.0000000034890000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cuenta para pago1.exe, cuenta para pago1.exe, 00000002.00000003.4095218580.000000003453C000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4099312779.00000000346E3000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4215456125.0000000034890000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: cuenta para pago1.exe, 00000002.00000001.3959353601.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: rasautou.pdbGCTL source: cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rasautou.pdb source: cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 0_2_0040635D FindFirstFileW,FindClose,	0_2_0040635D
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 0_2_0040580B GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040580B
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49810 -> 172.67.130.3:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49811 -> 82.180.172.14:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49812 -> 82.180.172.14:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49815 -> 82.180.172.14:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49816 -> 198.54.117.242:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49817 -> 198.54.117.242:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49819 -> 198.54.117.242:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49820 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49821 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49823 -> 198.177.123.106:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49824 -> 194.191.24.38:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49825 -> 194.191.24.38:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49827 -> 194.191.24.38:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49828 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49829 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49831 -> 84.32.84.32:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49832 -> 62.149.128.45:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49833 -> 62.149.128.45:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49835 -> 62.149.128.45:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49836 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49837 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49839 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49840 -> 103.146.179.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49841 -> 103.146.179.172:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49843 -> 103.146.179.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49844 -> 109.234.166.81:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49845 -> 109.234.166.81:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.30:49847 -> 109.234.166.81:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.30:49852 -> 172.67.130.3:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.stellerechoes.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 194.191.24.38 194.191.24.38
Source: Joe Sandbox View	IP Address: 84.32.84.32 84.32.84.32

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: GREENgreenchAGAutonomousSystemEU GREENgreenchAGAutonomousSystemEU
Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT
Source: Joe Sandbox View	ASN Name: HIITL-AS-APHongKongFireLineNetworkLTDHK HIITL-AS-APHongKongFireLineNetworkLTDHK

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TDplZO5f2MIfee6mC03XCNbyFO9KMFyd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1TDplZO5f2MIfee6mC03XCNbyFO9KMFyd&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=5DSEd0ATp85KgzdrFCdxbLJep/S6iKShPg/Ik1pbcxCGQNrpEtjfCeVcF04T3qlunhYKINQJ6NoaGwxZUUZob6VNNlK6Td1e1fYChuA8Yf+ZyRKX9C6Zn4U=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.wbyzm5.buzzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=dNjCJvlouN0lJiHjmW6o9laKqXafrGVThPe+fRU03jlQNeIZZXj0HZnF0wYmB7+6kDtWMlD6FZc6rz3hPOSCoZPNCiuZ/LMstJjl/Jmg62t+iuZuHiG5vvg=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.xiefly.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=6uRTEcONOSwyaRtl3SIdI/7ZcaxdnFD0iGrt2seiEdMiqBKCwYyYvMrO5fxXMQNYUGElLXPpIQYaUrVgpe2t46086L+DcudheMq8m5F90vo+8IbH2nL0hLQ=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.dreadbed.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=GFfLE978cTjgJhl6jgUZbEhmCeB5iD6iCpjaC2ljIm715WZCCh3yMSG+VpY2eWrvhd9eQ+mGyZHjkiS2WPxVQ0dW/wG4u7YMAwOv3hEtYSzM6b6AuWOV5s4=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.stellerechoes.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=bbTJsjbns1egJ9JPkt58MNAjZkRhgchDkV02q5vokHm6S8Qgk9c4A4/rVALt8kpaWPL/RyZRbRAxNoIAik6Ahn7XchDP755TKRWw96XVZ2F1n8YO16SVy/I=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.b-r-consulting.chConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=si7FLVHJ8iWuYVaGSkvjNM53tbCy++USJ5em8DLLO2leI9d5bok8bcXzE4IwU2K08OGpdZcld0QPM+bL/KkbuGKMc/2hsM2YOWzLfNROmTcvWRWJJAUk/s4=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.teenpattimasterapp.orgConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=J4AzjciiJVojUGFuzrYbXLmTAhGMI5W/z8Zu4GWgm/9FzWPCzEiuTS1rwMX9pE5r2vC14B8Wx1zW9w/trsCTKSg2AEld6ylXwESzvlSrq/FwhsHRtw64/YA=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.clarycyber.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=svB+aVl3D/Qs3yYm3uEZx4nnJil+hT1lh9v7sh/m91IvNeiskalMkbjGhLmhKb4ZrcP91hx+1jPTfxZ9U4bWGVnRMNWmuwE3Nqa36DGpX5UBaKLpwaX6qds=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.mvmusicfactory.orgConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=TQDhdygg/6k1FrT3duJj1OYD3+fr21m2MLjtTeKUejKDGRun2D/B3i3kqoFCSoO3Pw/E65XWfWwoO6YHx8j54r/FSG1v4bIQ+pjQtA18fUYdL5hShFxGKN0=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.kmyangjia.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /v3ka/?c4qx7JIP=FpC4ctUTedBaFzLAmx5OBNlXlmn8zXWsfuWaCxk5g1trlxnFx7v6dtr2+OePcWisPCE1uISKUROI1tM11v9REV8vlVyrWAjZBU/BkE4yHxOZw90SexyJFP0=&K4W=bb2HuFjPIN HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enHost: www.globalworld-travel.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: unknown

HTTP traffic detected: POST /v3ka/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enHost: www.xiefly.shopOrigin: http://www.xiefly.shopContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 205Cache-Control: max-age=0Referer: http://www.xiefly.shop/v3ka/User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Data Raw: 63 34 71 78 37 4a 49 50 3d 51 50 4c 69 4b 59 68 4c 33 4e 51 30 49 51 58 6d 68 43 75 47 38 6b 50 38 37 77 53 78 72 47 35 51 6a 62 53 61 52 6e 35 38 37 45 31 58 50 4d 63 6b 61 6e 37 4d 46 4f 62 73 33 48 56 73 50 62 75 52 6f 69 31 66 47 58 58 68 46 4b 55 33 39 54 71 47 50 75 32 50 72 36 4b 59 46 30 54 63 69 4b 45 30 31 70 54 79 68 2f 47 6a 6a 53 56 64 6e 74 6c 51 50 47 65 65 67 63 52 46 73 51 4a 4b 49 56 70 49 53 5a 48 2f 41 70 52 4e 6e 66 53 6d 64 54 34 68 43 73 6f 63 75 44 49 77 43 62 56 5a 31 67 49 4c 71 44 2f 59 53 71 43 5a 7a 7a 4f 56 73 69 77 63 78 37 69 72 30 67 31 41 30 4e 56 62 42 48 2b 4d 56 41 3d 3d Data Ascii: c4qx7JIP=QPLiKYhL3NQ0IQXmhCuG8kP87wSxrG5QjbSaRn587E1XPMckan7MFObs3HVsPbuRoi1fGXXhFKU39TqGPu2Pr6KYF0TciKE01pTyh/GjjSVdntlQPGeegcRFsQJKIVpISZH/ApRNnfSmdT4hCsocuDIwCbVZ1gILqD/YSqCZzzOVsiwcx7ir0g1A0NVbBH+MVA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Thu, 23 Jun 2022 13:08:36 GMTetag: "999-62b465d4-7483b18151e2685e;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Mon, 18 Mar 2024 14:08:45 GMTserver: LiteSpeedplatform: hostingerData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2 28 1a d2 a5 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Thu, 23 Jun 2022 13:08:36 GMTetag: "999-62b465d4-7483b18151e2685e;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Mon, 18 Mar 2024 14:08:48 GMTserver: LiteSpeedplatform: hostingerData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2 28 1a d2 a5 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Thu, 23 Jun 2022 13:08:36 GMTetag: "999-62b465d4-7483b18151e2685e;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Mon, 18 Mar 2024 14:08:51 GMTserver: LiteSpeedplatform: hostingerData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2 28 1a d2 a5 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Thu, 23 Jun 2022 13:08:36 GMTetag: "999-62b465d4-7483b18151e2685e;;;"accept-ranges: bytescontent-length: 2457date: Mon, 18 Mar 2024 14:08:53 GMTserver: LiteSpeedplatform: hostingerData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 18 Mar 2024 14:08:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingServer: namecheap-nginxContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Vp/JLII&T";Ct@}4l"(//=3YNf>%mx0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 18 Mar 2024 14:09:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingServer: namecheap-nginxContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Vp/JLII&T";Ct@}4l"(//=3YNf>%mx0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 18 Mar 2024 14:09:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingServer: namecheap-nginxContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Vp/JLII&T";Ct@}4l"(//=3YNf>%mx0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Mar 2024 14:09:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:09:35 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: brData Raw: 39 36 0d 0a a1 50 06 00 20 06 cc ab af a4 5b 28 73 84 1c 85 17 6c 79 e0 f0 97 74 45 61 16 24 92 ec 66 03 1b e0 70 18 4f e7 36 76 56 61 06 41 4b c4 87 48 9a 89 51 76 a9 05 c2 05 69 a5 87 9e 01 a1 c6 e9 59 a5 4d 87 32 44 f5 ce 51 0c 4d 5b 71 e4 c1 fc 5c 2f b2 5c 84 f0 1a 81 11 10 df 3f c8 30 3f 58 8b 4d cc 19 57 d1 3f 71 df 58 b9 af dd 58 99 10 1f 72 99 eb 10 57 e3 f3 04 55 cb 8f fe f1 67 4f e3 df bf 71 bb 7f b0 bd e2 e5 0b b6 0c 4a a4 1f 23 00 6e 22 4d 8a 09 0d 0a 30 0d 0a 0d 0a Data Ascii: 96P [(slytEa$fpO6vVaAKHQviYM2DQM[q\/\?0?XMW?qXXrWUgOqJ#n"M0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:09:38 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: brData Raw: 39 36 0d 0a a1 50 06 00 20 06 cc ab af a4 5b 28 73 84 1c 85 17 6c 79 e0 f0 97 74 45 61 16 24 92 ec 66 03 1b e0 70 18 4f e7 36 76 56 61 06 41 4b c4 87 48 9a 89 51 76 a9 05 c2 05 69 a5 87 9e 01 a1 c6 e9 59 a5 4d 87 32 44 f5 ce 51 0c 4d 5b 71 e4 c1 fc 5c 2f b2 5c 84 f0 1a 81 11 10 df 3f c8 30 3f 58 8b 4d cc 19 57 d1 3f 71 df 58 b9 af dd 58 99 10 1f 72 99 eb 10 57 e3 f3 04 55 cb 8f fe f1 67 4f e3 df bf 71 bb 7f b0 bd e2 e5 0b b6 0c 4a a4 1f 23 00 6e 22 4d 8a 09 0d 0a 30 0d 0a 0d 0a Data Ascii: 96P [(slytEa$fpO6vVaAKHQviYM2DQM[q\/\?0?XMW?qXXrWUgOqJ#n"M0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:09:40 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: brData Raw: 39 36 0d 0a a1 50 06 00 20 06 cc ab af a4 5b 28 73 84 1c 85 17 6c 79 e0 f0 97 74 45 61 16 24 92 ec 66 03 1b e0 70 18 4f e7 36 76 56 61 06 41 4b c4 87 48 9a 89 51 76 a9 05 c2 05 69 a5 87 9e 01 a1 c6 e9 59 a5 4d 87 32 44 f5 ce 51 0c 4d 5b 71 e4 c1 fc 5c 2f b2 5c 84 f0 1a 81 11 10 df 3f c8 30 3f 58 8b 4d cc 19 57 d1 3f 71 df 58 b9 af dd 58 99 10 1f 72 99 eb 10 57 e3 f3 04 55 cb 8f fe f1 67 4f e3 df bf 71 bb 7f b0 bd e2 e5 0b b6 0c 4a a4 1f 23 00 6e 22 4d 8a 09 0d 0a 30 0d 0a 0d 0a Data Ascii: 96P [(slytEa$fpO6vVaAKHQviYM2DQM[q\/\?0?XMW?qXXrWUgOqJ#n"M0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:09:43 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 203Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 33 6b 61 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v3ka/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 18 Mar 2024 14:10:01 GMTConnection: closeContent-Length: 4956Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 18 Mar 2024 14:10:04 GMTConnection: closeContent-Length: 4956Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 18 Mar 2024 14:10:07 GMTConnection: closeContent-Length: 4956Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 18 Mar 2024 14:10:09 GMTConnection: closeContent-Length: 5105Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:10:34 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:10:37 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:10:40 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Mar 2024 14:10:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: cuenta para pago1.exe, 00000002.00000003.4056696301.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096362930.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096216292.000000000469A000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4056969680.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4095703343.00000000046A6000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: cuenta para pago1.exe, 00000002.00000003.4056696301.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096362930.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096216292.000000000469A000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4056969680.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4095703343.00000000046A6000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: cuenta para pago1.exe, 00000002.00000001.3959353601.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: cuenta para pago1.exe, 00000000.00000000.3658397167.0000000000409000.00000008.00000001.01000000.00000003.sdmp, cuenta para pago1.exe, 00000000.00000002.4057835590.0000000000409000.00000004.00000001.01000000.00000003.sdmp, cuenta para pago1.exe, 00000002.00000000.3957453711.0000000000409000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cuenta para pago1.exe, 00000002.00000001.3959353601.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: cuenta para pago1.exe, 00000002.00000001.3959353601.0000000000626000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: cuenta para pago1.exe, 00000002.00000002.4198736310.0000000004628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: cuenta para pago1.exe, 00000002.00000002.4199743170.0000000004920000.00000004.00001000.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4198736310.0000000004628000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4198736310.000000000466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TDplZO5f2MIfee6mC03XCNbyFO9KMFyd
Source: cuenta para pago1.exe, 00000002.00000002.4198736310.0000000004628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TDplZO5f2MIfee6mC03XCNbyFO9KMFydmQx
Source: cuenta para pago1.exe, 00000002.00000003.4056696301.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096362930.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096216292.000000000469A000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4056969680.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4095703343.00000000046A6000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: cuenta para pago1.exe, 00000002.00000002.4198923341.0000000004688000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4056696301.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096362930.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096502054.0000000004688000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096216292.000000000469A000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4056969680.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4095703343.00000000046A6000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096502054.000000000467A000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4198923341.000000000467C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TDplZO5f2MIfee6mC03XCNbyFO9KMFyd&export=download
Source: cuenta para pago1.exe, 00000002.00000003.4056696301.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096362930.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096216292.000000000469A000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4056969680.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4095703343.00000000046A6000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TDplZO5f2MIfee6mC03XCNbyFO9KMFyd&export=download)
Source: cuenta para pago1.exe, 00000002.00000003.4056696301.00000000046A1000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096362930.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4096216292.000000000469A000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4056969680.00000000046A4000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000003.4095703343.00000000046A6000.00000004.00000020.00020000.00000000.sdmp, cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TDplZO5f2MIfee6mC03XCNbyFO9KMFyd&export=downloadw
Source: cuenta para pago1.exe, 00000002.00000001.3959353601.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803

Source: unknown	HTTPS traffic detected: 142.250.65.174:443 -> 192.168.11.30:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.41.1:443 -> 192.168.11.30:49804 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\cuenta para pago1.exe

Code function: 0_2_004052B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052B8

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000004.00000002.8749789268.0000000002DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.8752868489.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4215364100.0000000034570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.8752999026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.8751671842.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4216278898.0000000034BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.8751957709.00000000026D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.8749789268.0000000002DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.8752868489.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.4215364100.0000000034570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.8752999026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.8751671842.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.4216278898.0000000034BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.8751957709.00000000026D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_349034E0 NtCreateMutant,LdrInitializeThunk,	2_2_349034E0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902D10 NtQuerySystemInformation,LdrInitializeThunk,	2_2_34902D10
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902B90 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_34902B90
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34904570 NtSuspendThread,	2_2_34904570
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34904260 NtSetContextThread,	2_2_34904260
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34903C90 NtOpenThread,	2_2_34903C90
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902CD0 NtEnumerateKey,	2_2_34902CD0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902CF0 NtDelayExecution,	2_2_34902CF0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902C10 NtOpenProcess,	2_2_34902C10
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34903C30 NtOpenProcessToken,	2_2_34903C30
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902C30 NtMapViewOfSection,	2_2_34902C30
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902C20 NtSetInformationFile,	2_2_34902C20
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902C50 NtUnmapViewOfSection,	2_2_34902C50
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902DA0 NtReadVirtualMemory,	2_2_34902DA0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902DC0 NtAdjustPrivilegesToken,	2_2_34902DC0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902D50 NtWriteVirtualMemory,	2_2_34902D50
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902E80 NtCreateProcessEx,	2_2_34902E80
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902EB0 NtProtectVirtualMemory,	2_2_34902EB0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902ED0 NtResumeThread,	2_2_34902ED0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902EC0 NtQuerySection,	2_2_34902EC0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902E00 NtQueueApcThread,	2_2_34902E00
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902E50 NtCreateSection,	2_2_34902E50
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902FB0 NtSetValueKey,	2_2_34902FB0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902F00 NtCreateFile,	2_2_34902F00
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34902F30 NtOpenDirectoryObject,	2_2_34902F30

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\cuenta para pago1.exe

Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040326A

Detected potential crypto function

Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 0_2_004066E2	0_2_004066E2
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 0_2_00404AF5	0_2_00404AF5
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D0445	2_2_348D0445
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498F5C9	2_2_3498F5C9
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_349875C6	2_2_349875C6
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3499A526	2_2_3499A526
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D0680	2_2_348D0680
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498A6C0	2_2_3498A6C0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348CC6E0	2_2_348CC6E0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498F6F6	2_2_3498F6F6
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348EC600	2_2_348EC600
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3496D62C	2_2_3496D62C
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3497D646	2_2_3497D646
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348F4670	2_2_348F4670
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34986757	2_2_34986757
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D2760	2_2_348D2760
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348DA760	2_2_348DA760
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348C00A0	2_2_348C00A0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348DB0D0	2_2_348DB0D0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_349870F1	2_2_349870F1
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3497E076	2_2_3497E076
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D51C0	2_2_348D51C0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348EB1E0	2_2_348EB1E0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3499010E	2_2_3499010E
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348BF113	2_2_348BF113
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3496D130	2_2_3496D130
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348BD2EC	2_2_348BD2EC
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348C1380	2_2_348C1380
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348DE310	2_2_348DE310
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498F330	2_2_3498F330
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34969C98	2_2_34969C98
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348E8CDF	2_2_348E8CDF
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348EFCE0	2_2_348EFCE0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3499ACEB	2_2_3499ACEB
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348C0C12	2_2_348C0C12
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348DAC20	2_2_348DAC20
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3497EC4C	2_2_3497EC4C
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D3C60	2_2_348D3C60
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34986C69	2_2_34986C69
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498EC60	2_2_3498EC60
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348E2DB0	2_2_348E2DB0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D9DD0	2_2_348D9DD0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3496FDF4	2_2_3496FDF4
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348CAD00	2_2_348CAD00
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498FD27	2_2_3498FD27
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34987D4C	2_2_34987D4C
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D0D69	2_2_348D0D69
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34980EAD	2_2_34980EAD
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D1EB2	2_2_348D1EB2
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34989ED2	2_2_34989ED2
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348C2EE8	2_2_348C2EE8
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34970E6D	2_2_34970E6D
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498EFBF	2_2_3498EFBF
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_34981FC6	2_2_34981FC6
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348D6FE0	2_2_348D6FE0
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348DCF00	2_2_348DCF00
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_3498FF63	2_2_3498FF63
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: 2_2_348E6882	2_2_348E6882

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: String function: 348BB910 appears 149 times
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: String function: 34917BE4 appears 61 times
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: String function: 3494EF10 appears 79 times
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Code function: String function: 3493E692 appears 62 times

PE / OLE file has an invalid certificate

Source: cuenta para pago1.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: cuenta para pago1.exe, 00000002.00000003.4099312779.0000000034810000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs cuenta para pago1.exe
Source: cuenta para pago1.exe, 00000002.00000003.4095218580.000000003465F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs cuenta para pago1.exe
Source: cuenta para pago1.exe, 00000002.00000002.4199073124.00000000046A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamerasdlui.exej% vs cuenta para pago1.exe
Source: cuenta para pago1.exe, 00000002.00000002.4215456125.0000000034B60000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs cuenta para pago1.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rasdlg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Uses 32bit PE files

Source: cuenta para pago1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 00000004.00000002.8749789268.0000000002DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.8752868489.0000000004E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.4215364100.0000000034570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.8752999026.0000000004E50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.8751671842.00000000015C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.4216278898.0000000034BE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.8751957709.00000000026D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/10@30/15

Source: C:\Users\user\Desktop\cuenta para pago1.exe

0_2_0040326A

Source: C:\Users\user\Desktop\cuenta para pago1.exe

Code function: 0_2_00404579 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404579

Source: C:\Users\user\Desktop\cuenta para pago1.exe

Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_00402095

Source: C:\Users\user\Desktop\cuenta para pago1.exe

File created: C:\Users\user\Pictures\industrialisere

Source: unknown	Process created: C:\Users\user\Desktop\cuenta para pago1.exe C:\Users\user\Desktop\cuenta para pago1.exe
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Process created: C:\Users\user\Desktop\cuenta para pago1.exe C:\Users\user\Desktop\cuenta para pago1.exe
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Process created: C:\Windows\SysWOW64\rasautou.exe C:\Windows\SysWOW64\rasautou.exe
Source: C:\Windows\SysWOW64\rasautou.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Process created: C:\Users\user\Desktop\cuenta para pago1.exe C:\Users\user\Desktop\cuenta para pago1.exe	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe	Process created: C:\Windows\SysWOW64\rasautou.exe C:\Windows\SysWOW64\rasautou.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: Yara match	File source: 00000002.00000002.4188957643.0000000001794000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4059690339.0000000004F84000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\cuenta para pago1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rasautou.exe TID: 4564	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 4564	Thread sleep time: -244000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 9128	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 4564	Thread sleep count: 9838 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 4564	Thread sleep time: -19676000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe TID: 4644	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe TID: 4644	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe TID: 4644	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe TID: 4644	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\rasautou.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rasautou.exe	Last function: Thread delayed

Source: cuenta para pago1.exe, 00000002.00000002.4198736310.0000000004628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: cuenta para pago1.exe, 00000002.00000003.4096502054.0000000004691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWE
Source: cuenta para pago1.exe, 00000002.00000003.4096502054.0000000004691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\cuenta para pago1.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\cuenta para pago1.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: NULL target: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\cuenta para pago1.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rasautou.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files (x86)\xWRDBjNurNxAHXPmPUzJfASReCWRqOHlLKYYBZzCUvQGolgpFHtbZtyYBPNPuKZHFpMIT\YRrrNrIQCTKNXVoSiuJzTSdqxJTSo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.41.1	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
142.250.65.174	drive.google.com	United States	15169	GOOGLEUS	false
194.191.24.38	www.b-r-consulting.ch	Switzerland	1836	GREENgreenchAGAutonomousSystemEU	true
84.32.84.32	teenpattimasterapp.org	Lithuania	33922	NTT-LT-ASLT	true
103.146.179.172	cname.x172.zbwdj.com	unknown	136950	HIITL-AS-APHongKongFireLineNetworkLTDHK	true
156.232.32.175	www.t3c1srf.site	Seychelles	8100	ASN-QUADRANET-GLOBALUS	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
172.67.130.3	www.wbyzm5.buzz	United States	13335	CLOUDFLARENETUS	true
82.180.172.14	xiefly.shop	Denmark	29100	BROADCOMDK	true
198.177.123.106	www.stellerechoes.xyz	United States	395681	FINALFRONTIERVG	true
109.234.166.81	globalworld-travel.com	France	50474	O2SWITCHFR	true
198.54.117.242	www.dreadbed.com	United States	22612	NAMECHEAP-NETUS	true
154.39.248.133	k2-ld.wakak1.shop	United States	174	COGENT-174US	false
154.55.135.138	unknown	United States	174	COGENT-174US	false
62.149.128.45	clarycyber.com	Italy	31034	ARUBA-ASNIT	true

Name	Malicious	Antivirus Detection	Reputation
http://www.dreadbed.com/v3ka/	true	Avira URL Cloud: malware	unknown
http://www.globalworld-travel.com/v3ka/?c4qx7JIP=FpC4ctUTedBaFzLAmx5OBNlXlmn8zXWsfuWaCxk5g1trlxnFx7v6dtr2+OePcWisPCE1uISKUROI1tM11v9REV8vlVyrWAjZBU/BkE4yHxOZw90SexyJFP0=&K4W=bb2HuFjPIN	true	Avira URL Cloud: safe	unknown
http://www.xiefly.shop/v3ka/	true	Avira URL Cloud: safe	unknown
http://www.wbyzm5.buzz/v3ka/?c4qx7JIP=5DSEd0ATp85KgzdrFCdxbLJep/S6iKShPg/Ik1pbcxCGQNrpEtjfCeVcF04T3qlunhYKINQJ6NoaGwxZUUZob6VNNlK6Td1e1fYChuA8Yf+ZyRKX9C6Zn4U=&K4W=bb2HuFjPIN	true	Avira URL Cloud: safe	unknown
http://www.kmyangjia.com/v3ka/	true	Avira URL Cloud: safe	unknown
http://www.kmyangjia.com/v3ka/?c4qx7JIP=TQDhdygg/6k1FrT3duJj1OYD3+fr21m2MLjtTeKUejKDGRun2D/B3i3kqoFCSoO3Pw/E65XWfWwoO6YHx8j54r/FSG1v4bIQ+pjQtA18fUYdL5hShFxGKN0=&K4W=bb2HuFjPIN	true	Avira URL Cloud: safe	unknown
http://www.b-r-consulting.ch/v3ka/	true	Avira URL Cloud: safe	unknown
http://www.teenpattimasterapp.org/v3ka/?c4qx7JIP=si7FLVHJ8iWuYVaGSkvjNM53tbCy++USJ5em8DLLO2leI9d5bok8bcXzE4IwU2K08OGpdZcld0QPM+bL/KkbuGKMc/2hsM2YOWzLfNROmTcvWRWJJAUk/s4=&K4W=bb2HuFjPIN	true	Avira URL Cloud: safe	unknown
http://www.clarycyber.com/v3ka/	true	Avira URL Cloud: safe	unknown
http://www.mvmusicfactory.org/v3ka/	true	Avira URL Cloud: malware	unknown
http://www.b-r-consulting.ch/v3ka/?c4qx7JIP=bbTJsjbns1egJ9JPkt58MNAjZkRhgchDkV02q5vokHm6S8Qgk9c4A4/rVALt8kpaWPL/RyZRbRAxNoIAik6Ahn7XchDP755TKRWw96XVZ2F1n8YO16SVy/I=&K4W=bb2HuFjPIN	true	Avira URL Cloud: safe	unknown
http://www.wbyzm5.buzz/v3ka/	true	Avira URL Cloud: safe	unknown
http://www.xiefly.shop/v3ka/?c4qx7JIP=dNjCJvlouN0lJiHjmW6o9laKqXafrGVThPe+fRU03jlQNeIZZXj0HZnF0wYmB7+6kDtWMlD6FZc6rz3hPOSCoZPNCiuZ/LMstJjl/Jmg62t+iuZuHiG5vvg=&K4W=bb2HuFjPIN	true	Avira URL Cloud: safe	unknown
http://www.clarycyber.com/v3ka/?c4qx7JIP=J4AzjciiJVojUGFuzrYbXLmTAhGMI5W/z8Zu4GWgm/9FzWPCzEiuTS1rwMX9pE5r2vC14B8Wx1zW9w/trsCTKSg2AEld6ylXwESzvlSrq/FwhsHRtw64/YA=&K4W=bb2HuFjPIN	true	Avira URL Cloud: safe	unknown
http://www.stellerechoes.xyz/v3ka/?c4qx7JIP=GFfLE978cTjgJhl6jgUZbEhmCeB5iD6iCpjaC2ljIm715WZCCh3yMSG+VpY2eWrvhd9eQ+mGyZHjkiS2WPxVQ0dW/wG4u7YMAwOv3hEtYSzM6b6AuWOV5s4=&K4W=bb2HuFjPIN	true	Avira URL Cloud: malware	unknown
http://www.globalworld-travel.com/v3ka/	true	Avira URL Cloud: safe	unknown
http://www.stellerechoes.xyz/v3ka/	true	Avira URL Cloud: malware	unknown
http://www.teenpattimasterapp.org/v3ka/	true	Avira URL Cloud: safe	unknown
http://www.mvmusicfactory.org/v3ka/?c4qx7JIP=svB+aVl3D/Qs3yYm3uEZx4nnJil+hT1lh9v7sh/m91IvNeiskalMkbjGhLmhKb4ZrcP91hx+1jPTfxZ9U4bWGVnRMNWmuwE3Nqa36DGpX5UBaKLpwaX6qds=&K4W=bb2HuFjPIN	true	Avira URL Cloud: malware	unknown

ID:	1410998
Product:	CloudBasic
Start time:	15:04:16
Start date:	18.03.2024
Sample:	cuenta para pago1.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	93d1942c204022e792af256d0ccbe8e5
SHA1:	76649fb41dc760d4c9ad8be23e239fcb7b0e2418
SHA256:	c44904bfb8b44d8071f33359f824028597145f76bd1a6baf86d91679215e3c7d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\-49-u729	SQLite 3.x database, last written using SQLite version 3041002, page size 2048, file counter 3, database pages 92, cookie 0x3a, schema 4, UTF-8, version-valid-for 3	BE092D0FC1A86091764AABD40B25CB9E	1372556BBC211898F393CC02C4285705AACAE3D7	3A83C0434C667BB30FD9D85D908E652A2569239BBD61079849F299409A48D545
C:\Users\user\AppData\Local\Temp\nsqE113.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A4DD044BCD94E9B3370CCF095B31F896	17C78201323AB2095BC53184AA8267C9187D5173	2E226715419A5882E2E14278940EE8EF0AA648A3EF7AF5B3DC252674111962BC
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Afsvkningers148\Grundstddene\Hypertragically\Gaudiest.pre	data	9CB88B1AE7827818B29E20B15C82A937	A60DFA07CBF65C96A3C7019D99452F138A12746E	445AA65354C5F1118FE748FE21ACFA11A69400398DD1CEAE2362242B187CF754
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Laver46\Fjeldklftens38.bio	data	910B94BB45EC253A90F4CA8FA56BC584	ED29E140FE94207B697953B8D1466F7C02F4E60E	BE72DFD9F250BBD69DCFD4508D08A327CBB9B3FBB11964FD5F66BEE35A9FD5C9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Laver46\Paunchful.Tau	data	0AA47FD86AD62B9DED911F927E5AA454	D3F9EE25803FFB0736EB9BCA9AB96DEB211F2F29	DE0776B8B0B30E7CC76DB135BA55343E6E98CECC53B95BAFCD1A463B0BA8E00B
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Roadhouses.Sem74	data	94F9D794B89C4C3A5CDBFA0E544C3ED2	97AF9B3577CA9BEAC5C3D67668F1CD9D7CC21DA0	E339E88007B243D5C0F7A655B959AE78B38F899A97AAE53D6807255B948E0879
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Spidsgattedes\Pushwainling\Bimbashi\Undervisningsform.bek	data	93A04CCDF51474B877C9414AE5AD2760	1321C10A4CC69A33235C87ABF2779A57619533BB	D9DCAF7157CB66EFE264672D39EA0D004DD2CECDAC777BDB857509AEDDF040FF
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Spidsgattedes\Pushwainling\Bimbashi\floddeltaets.mar	data	1171715CBB2206BFF607138FEF73877F	D7059E4A741A345239A17FE037C8605D4219E28C	27A8BF54AD65E1DC2C3C88BE4A56792C4960365F12BFF185676D0D4966AE3B31
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Spidsgattedes\Pushwainling\Bimbashi\gagers.rec	data	B013C10185F365E645B1A8A4090DE5AF	20F0178AD225AEC8785EA741E82729E6D816CEF0	0A403F11C29743BFFF4A5CBB13DA533121BC9CEC2F2BD38473F3939895422E4C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Afskrkkelsesvaabnet84\Fodboldenke\biltyven\Spidsgattedes\Pushwainling\Bimbashi\kannevasen.txt	ASCII text, with CRLF line terminators	9F716DE9908957BD324DCC4ADA5A33F7	5AA93CFD2DF40B9ED1F46A728EEE203258DC05DD	CDBC11AE1032690D95484A15A78C94AECFEE10103E26372894547D7B25C01A94

Windows Analysis Report cuenta para pago1.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
cuenta para pago1.exe

Malware Threat Intel
Provided by