Edit tour

Windows Analysis Report
Orden Compra.exe

Overview

General Information

Sample name:	Orden Compra.exe
Analysis ID:	1608098
MD5:	2aa0ec31f50329360a96724b3dd92047
SHA1:	341dcd7efecd746e7c9cace466885c09cd39c642
SHA256:	e211c49ddf8d6e76094e69624ac9339a07b3c210af780c125ff924833d227969
Tags:	exeuser-abuse_ch
Infos:

Detection

DBatLoader, FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected FormBook

Allocates many large memory junks

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files with a suspicious file extension

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Orden Compra.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\Orden Compra.exe" MD5: 2AA0EC31F50329360A96724B3DD92047)

cmd.exe (PID: 5532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\JufzpndpF.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6540 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

pdnpzfuJ.pif (PID: 180 cmdline: C:\Users\Public\Libraries\pdnpzfuJ.pif MD5: C116D3604CEAFE7057D77FF27552C215)

co98GJ8nh.exe (PID: 3888 cmdline: "C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\aaFg9q0T1e.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

SearchProtocolHost.exe (PID: 7356 cmdline: "C:\Windows\SysWOW64\SearchProtocolHost.exe" MD5: 727FE964E574EEAF8917308FFF0880DE)

co98GJ8nh.exe (PID: 3592 cmdline: "C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\ptSEu5YkzR5Cs1.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7540 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.1572166081.0000000025610000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3721138662.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1271314488.00000000022D3000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000A.00000002.1569799118.00000000230B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.3727212082.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.3721181837.00000000040E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1552628219.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3714042314.0000000000630000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3721214127.0000000002C20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.pdnpzfuJ.pif.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.pdnpzfuJ.pif.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Orden Compra.exe.22d30d8.1.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0.2.Orden Compra.exe.2810000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0.2.Orden Compra.exe.22d30d8.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\Orden Compra.exe, ProcessId: 6880, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\pdnpzfuJ.pif, CommandLine: C:\Users\Public\Libraries\pdnpzfuJ.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\pdnpzfuJ.pif, NewProcessName: C:\Users\Public\Libraries\pdnpzfuJ.pif, OriginalFileName: C:\Users\Public\Libraries\pdnpzfuJ.pif, ParentCommandLine: "C:\Users\user\Desktop\Orden Compra.exe", ParentImage: C:\Users\user\Desktop\Orden Compra.exe, ParentProcessId: 6880, ParentProcessName: Orden Compra.exe, ProcessCommandLine: C:\Users\Public\Libraries\pdnpzfuJ.pif, ProcessId: 180, ProcessName: pdnpzfuJ.pif

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\pdnpzfuJ.pif, CommandLine: C:\Users\Public\Libraries\pdnpzfuJ.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\pdnpzfuJ.pif, NewProcessName: C:\Users\Public\Libraries\pdnpzfuJ.pif, OriginalFileName: C:\Users\Public\Libraries\pdnpzfuJ.pif, ParentCommandLine: "C:\Users\user\Desktop\Orden Compra.exe", ParentImage: C:\Users\user\Desktop\Orden Compra.exe, ParentProcessId: 6880, ParentProcessName: Orden Compra.exe, ProcessCommandLine: C:\Users\Public\Libraries\pdnpzfuJ.pif, ProcessId: 180, ProcessName: pdnpzfuJ.pif

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T08:43:47.583626+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53906	198.252.102.131	80	TCP
2025-02-06T08:44:10.794494+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53973	13.248.169.48	80	TCP
2025-02-06T08:44:24.388431+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53977	66.29.133.199	80	TCP
2025-02-06T08:44:37.617901+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53981	199.59.243.228	80	TCP
2025-02-06T08:44:52.117234+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53985	172.67.184.178	80	TCP
2025-02-06T08:45:06.707569+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53989	106.54.8.254	80	TCP
2025-02-06T08:45:20.038063+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53993	178.254.0.81	80	TCP
2025-02-06T08:45:33.193799+0100	2855465	1	A Network Trojan was detected	192.168.2.7	53997	76.223.113.161	80	TCP
2025-02-06T08:45:46.376650+0100	2855465	1	A Network Trojan was detected	192.168.2.7	54001	13.248.169.48	80	TCP
2025-02-06T08:46:00.796052+0100	2855465	1	A Network Trojan was detected	192.168.2.7	54005	103.49.251.5	80	TCP
2025-02-06T08:46:13.992407+0100	2855465	1	A Network Trojan was detected	192.168.2.7	54009	199.59.243.228	80	TCP
2025-02-06T08:46:27.313186+0100	2855465	1	A Network Trojan was detected	192.168.2.7	54013	104.21.54.53	80	TCP
2025-02-06T08:46:40.518755+0100	2855465	1	A Network Trojan was detected	192.168.2.7	54017	13.248.169.48	80	TCP
2025-02-06T08:46:54.041088+0100	2855465	1	A Network Trojan was detected	192.168.2.7	54021	188.114.97.3	80	TCP
2025-02-06T08:47:07.217332+0100	2855465	1	A Network Trojan was detected	192.168.2.7	54025	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T08:44:03.138181+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53970	13.248.169.48	80	TCP
2025-02-06T08:44:05.667572+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53971	13.248.169.48	80	TCP
2025-02-06T08:44:08.239261+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53972	13.248.169.48	80	TCP
2025-02-06T08:44:16.707070+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53974	66.29.133.199	80	TCP
2025-02-06T08:44:19.301555+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53975	66.29.133.199	80	TCP
2025-02-06T08:44:21.906656+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53976	66.29.133.199	80	TCP
2025-02-06T08:44:29.971142+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53978	199.59.243.228	80	TCP
2025-02-06T08:44:32.503252+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53979	199.59.243.228	80	TCP
2025-02-06T08:44:35.064996+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53980	199.59.243.228	80	TCP
2025-02-06T08:44:44.180968+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53982	172.67.184.178	80	TCP
2025-02-06T08:44:46.728413+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53983	172.67.184.178	80	TCP
2025-02-06T08:44:49.282511+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53984	172.67.184.178	80	TCP
2025-02-06T08:44:59.056209+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53986	106.54.8.254	80	TCP
2025-02-06T08:45:01.572878+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53987	106.54.8.254	80	TCP
2025-02-06T08:45:04.164704+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53988	106.54.8.254	80	TCP
2025-02-06T08:45:12.399503+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53990	178.254.0.81	80	TCP
2025-02-06T08:45:14.949012+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53991	178.254.0.81	80	TCP
2025-02-06T08:45:17.487010+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53992	178.254.0.81	80	TCP
2025-02-06T08:45:25.562483+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53994	76.223.113.161	80	TCP
2025-02-06T08:45:28.098453+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53995	76.223.113.161	80	TCP
2025-02-06T08:45:30.643891+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53996	76.223.113.161	80	TCP
2025-02-06T08:45:38.697973+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53998	13.248.169.48	80	TCP
2025-02-06T08:45:41.255085+0100	2855464	1	A Network Trojan was detected	192.168.2.7	53999	13.248.169.48	80	TCP
2025-02-06T08:45:43.829582+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54000	13.248.169.48	80	TCP
2025-02-06T08:45:53.159662+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54002	103.49.251.5	80	TCP
2025-02-06T08:45:55.736500+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54003	103.49.251.5	80	TCP
2025-02-06T08:45:58.246721+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54004	103.49.251.5	80	TCP
2025-02-06T08:46:06.354105+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54006	199.59.243.228	80	TCP
2025-02-06T08:46:08.923532+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54007	199.59.243.228	80	TCP
2025-02-06T08:46:11.442116+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54008	199.59.243.228	80	TCP
2025-02-06T08:46:19.624549+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54010	104.21.54.53	80	TCP
2025-02-06T08:46:22.199060+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54011	104.21.54.53	80	TCP
2025-02-06T08:46:24.780225+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54012	104.21.54.53	80	TCP
2025-02-06T08:46:32.853312+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54014	13.248.169.48	80	TCP
2025-02-06T08:46:35.417402+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54015	13.248.169.48	80	TCP
2025-02-06T08:46:37.943794+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54016	13.248.169.48	80	TCP
2025-02-06T08:46:46.619957+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54018	188.114.97.3	80	TCP
2025-02-06T08:46:49.150764+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54019	188.114.97.3	80	TCP
2025-02-06T08:46:51.691249+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54020	188.114.97.3	80	TCP
2025-02-06T08:46:59.551324+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54022	13.248.169.48	80	TCP
2025-02-06T08:47:02.121073+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54023	13.248.169.48	80	TCP
2025-02-06T08:47:04.677298+0100	2855464	1	A Network Trojan was detected	192.168.2.7	54024	13.248.169.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Windows \SysWOW64\NETUTILS.dll

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: Orden Compra.exe	Virustotal: Detection: 28%			Perma Link
Source: Orden Compra.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 10.2.pdnpzfuJ.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.pdnpzfuJ.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1572166081.0000000025610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3721138662.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1569799118.00000000230B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3727212082.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3721181837.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552628219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3714042314.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3721214127.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Orden Compra.exe

Joe Sandbox ML: detected

Source: Orden Compra.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: easinvoker.pdb source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020693000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1253391764.000000007F240000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1307867741.000000007F5C0000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1305708457.000000002067B000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1253391764.000000007F253000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1305708457.0000000020620000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: wntdll.pdbUGP source: pdnpzfuJ.pif, 0000000A.00000003.1453395928.00000000215F2000.00000004.00000020.00020000.00000000.sdmp, pdnpzfuJ.pif, 0000000A.00000003.1455417594.00000000217AC000.00000004.00000020.00020000.00000000.sdmp, pdnpzfuJ.pif, 0000000A.00000002.1569231524.0000000021960000.00000040.00001000.00020000.00000000.sdmp, pdnpzfuJ.pif, 0000000A.00000002.1569231524.0000000021AFE000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000002.3723195431.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000003.1552631512.0000000002AD4000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000003.1555907490.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000002.3723195431.000000000301E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: pdnpzfuJ.pif, pdnpzfuJ.pif, 0000000A.00000003.1453395928.00000000215F2000.00000004.00000020.00020000.00000000.sdmp, pdnpzfuJ.pif, 0000000A.00000003.1455417594.00000000217AC000.00000004.00000020.00020000.00000000.sdmp, pdnpzfuJ.pif, 0000000A.00000002.1569231524.0000000021960000.00000040.00001000.00020000.00000000.sdmp, pdnpzfuJ.pif, 0000000A.00000002.1569231524.0000000021AFE000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, SearchProtocolHost.exe, 0000000F.00000002.3723195431.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000003.1552631512.0000000002AD4000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000003.1555907490.0000000002CCE000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000002.3723195431.000000000301E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdbUGP source: pdnpzfuJ.pif, 0000000A.00000003.1518038113.000000002150D000.00000004.00000020.00020000.00000000.sdmp, co98GJ8nh.exe, 0000000E.00000003.1489308002.0000000000FE5000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020693000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1253391764.000000007F240000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1307867741.000000007F5C0000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1305708457.000000002067B000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1253391764.000000007F253000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1265387842.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1265387842.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1305708457.0000000020620000.00000004.00001000.00020000.00000000.sdmp, svchost.pif.0.dr
Source:	Binary string: SearchProtocolHost.pdb source: pdnpzfuJ.pif, 0000000A.00000003.1518038113.000000002150D000.00000004.00000020.00020000.00000000.sdmp, co98GJ8nh.exe, 0000000E.00000003.1489308002.0000000000FE5000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: co98GJ8nh.exe, 0000000E.00000000.1469965163.00000000008BF000.00000002.00000001.01000000.00000007.sdmp, co98GJ8nh.exe, 00000010.00000000.1621387899.00000000008BF000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281534C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,		0_2_0281534C
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_0064C2F0 FindFirstFileW,FindNextFileW,FindClose,		15_2_0064C2F0

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 4x nop then xor eax, eax	15_2_00639F30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 4x nop then pop edi	15_2_0063DF5A
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 4x nop then mov ebx, 00000004h	15_2_02D704E1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53906 -> 198.252.102.131:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53970 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53974 -> 66.29.133.199:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53973 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53971 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53977 -> 66.29.133.199:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53981 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53976 -> 66.29.133.199:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53978 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53980 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53994 -> 76.223.113.161:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53975 -> 66.29.133.199:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53989 -> 106.54.8.254:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54007 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53984 -> 172.67.184.178:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:54001 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53986 -> 106.54.8.254:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53972 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54016 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53991 -> 178.254.0.81:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53993 -> 178.254.0.81:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54018 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:54009 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53982 -> 172.67.184.178:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54006 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53979 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53998 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54010 -> 104.21.54.53:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53992 -> 178.254.0.81:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:54021 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53995 -> 76.223.113.161:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53983 -> 172.67.184.178:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53987 -> 106.54.8.254:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54000 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53999 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53997 -> 76.223.113.161:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:53985 -> 172.67.184.178:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53990 -> 178.254.0.81:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53988 -> 106.54.8.254:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54015 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54011 -> 104.21.54.53:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54002 -> 103.49.251.5:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:54025 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54008 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54023 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54012 -> 104.21.54.53:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54014 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:53996 -> 76.223.113.161:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54020 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:54013 -> 104.21.54.53:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54004 -> 103.49.251.5:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:54005 -> 103.49.251.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54003 -> 103.49.251.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54022 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54019 -> 188.114.97.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:54017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:54024 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.boyacii.xyz
Source:	DNS query: www.garfo.xyz
Source:	DNS query: www.zkplant.xyz
Source:	DNS query: www.nullus.xyz

Source: global traffic

TCP traffic: 192.168.2.7:53763 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 76.223.113.161 76.223.113.161

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /v21v/?dft=EDflZ0HXpniPFR&JN64i8A=oU9xR2WMImYnj6ntb8S35427CMXlcLsF1GyYbNK2Lr8YL9jx/DVd1D1eNRi4VmROATXZD+pQHKudJatQMlVcoT+G4UcGmHqXQvCUA3v3AkW+loeqJKvxL+aXEW9nTUxMZmplCUMH9pt3 HTTP/1.1Host: www.boyacii.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /yl4h/?JN64i8A=Bpp1PRBXZpBzygvWChsxy5AxiWhRtG/xkHEANtLCJ8mRZI706T3hhy4C5TBR+w5JVYA0p8Vk377LiL2EaWmVOPixMdCHjyw3/LM0PRx/MUqrQrcZb7VMre10Tq2lLlo9LuVXbdOpTW8s&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.garfo.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /a6hp/?JN64i8A=yyD4Sgd3S2ZF3m7pm0ToURnsXeZz03Sj9T/+hzdMmfZWdEMMM6z8JSCfYe2y/BvUFJF49ozqjx1+blVbbobIQImKKK0VWfrwx8mtwteioNsWe9UM9PGemo8kvYchg7IuDDi1P6qZY5cB&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.pureven.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /uvkw/?JN64i8A=IakgSzQ7yZlEmNooprxapon2XheaYp41joqx3hQhkSe2ZhmcS1fCwlIhi8HFRcJUA7heboKzZ1oipDtyTLzKAuQANM3SxYLcEa20cfoFMPn0kO2Y8HYxTVDpXuXCs7iWRDXpBDinp2Ef&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.caral.tokyoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jwmi/?dft=EDflZ0HXpniPFR&JN64i8A=5piOVe3YX8EwruU4jaknfUXkRm2YBsi9YwJBdzZv+bQ8qvmQZ2qS25aMZJa8NfsgTlw5S4mvsb6qJju9cYSzLSKfQMLEEKCqHxvdHH5DYHv6FqH9d7cYPMrr5Y/XFcyDItSY3el4ItNP HTTP/1.1Host: www.keo88.bondAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /cj0c/?JN64i8A=121DiTRywrd43lNndt1n566V3LF/bs7sxtVyIPmi8c8GTd/e+WjYE/W3mp2cIwH+p3SfGvcSbQoCjQerWxRlbL82EQaJSmYNIPPA6JQsvgHLRI3HWDJrXnU1M/2Z+9TwA+33iS6K89KX&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.xiuqicloud.websiteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /b5xa/?dft=EDflZ0HXpniPFR&JN64i8A=GskU2PdJyin93nEF4EqQF8JlPYUIruF3ow1aTxTggKi0MwyAEFy1V9Sqwhj1gPQGwoXnbVs57uFnPSbYjN0K9ihXVmVcAjZTBmKHRwgLxwKTFf9MKnWz552+rmE9tHLeMpA4R7d3kTic HTTP/1.1Host: www.autoabmeldung.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6qsx/?JN64i8A=CTO0Rg4hCV2EKl3iv7VX+gyqE66Nj8YBKhZMSlNdDMlQgcn6pvLBwFgVYPR45yy5bTk0K4yzmr5Le5DrmFYu3CMlKVwH6k88sisJt59h5kxyHBwG+RLKqGHtgpIUA0we5a2YLldyoKMB&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.spadessyndicate.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lhub/?dft=EDflZ0HXpniPFR&JN64i8A=zc63EnPsXoEqIWlnx4hbPeMN88ZmQIRsMwtTwZDE2W2UMrHiHP1PynV5Uhib92FQItyi2/6noPlB8120FMXL/mXCInbZqq/GMMyUlCsUjZS239AyBwGCHMzlCguAqOMXdUeSSiEjZmd2 HTTP/1.1Host: www.renco.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2azj/?JN64i8A=h2jxPFcYBmfEvZHU1COGx7wIJCwQnQAUVwO8apFcndTdWRSTzO4X9wBbOY5dRT41CyfY6BrJoq2Pp4ScnHWViIBqJhenkEDMILQp/H81vO3WlH2UmzQYNM+hrG7KX9qsPxwet2NJUTTW&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.218735.bidAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /10ua/?dft=EDflZ0HXpniPFR&JN64i8A=P+QdWsdIWYekYXp9yn5DvJXmgVqr094YoMbxj8dp4+f5xA2vJhxSvfjbYaybLEZ3oHGTv+WLA9X4fWBLVKxLCpVNrhjXOm2ZpabLSZndVByKtzUvhS3NB2Zwq5HSEVrykrirmFZvGmJc HTTP/1.1Host: www.epdemexi.latAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ucgd/?JN64i8A=xbzM6T958bLu+lU6KBF0ZMzYVPLeQBzAe3ARLevtjlpOO1Lme6XtAr1i2BSwXn6ecKwNe2G0lJ8/5pzuYApul4nlCS9TOSTmGgpBgmK/1HZScwN2ySM61N/PC71D+KqB3y1VOg7FO9kC&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.zhuanphysical.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bu24/?JN64i8A=IOK+qd/qwK8L6YNqbt3OQVsETHn5l2iYlg2kDZ4zfFT+6mDb6lC7y/nEJ3Cpn6tPx737H8UVLbtadsCx5mowL0WSIi0udxosdwowasKbDOfZ/57wOb0QGVsDxr8BnBE5Fue2Kc30bvO+&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.zkplant.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /uwcj/?JN64i8A=IgkbghiDX+yVNkvnSqU2GTebOatM7V9CBh/yoC9nOiu0aUOcF68+HUQMLBP9mwjoDQmJtAWgvkxe6etLg1y5jrn7VlQvsXlEabllDGPp47GUpwWbwFcOyVi92JPzMROSTwN4QWLfQCxZ&dft=EDflZ0HXpniPFR HTTP/1.1Host: www.serenityos.devAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /g3p7/?dft=EDflZ0HXpniPFR&JN64i8A=tqlMboidSLPm0+kG/UnEHWWQKDdkFXs+hJnnYIhOwrarqgCwSxTeC4brzsswoG+vvcxL2jM6LOVfSEaPdo1804o1G0Uh79/A8o8SqowPfQDdvl00QqRTM4KHhKgLrlAxmOgY85GfT06L HTTP/1.1Host: www.nullus.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.boyacii.xyz
Source: global traffic	DNS traffic detected: DNS query: www.garfo.xyz
Source: global traffic	DNS traffic detected: DNS query: www.pureven.life
Source: global traffic	DNS traffic detected: DNS query: www.caral.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.keo88.bond
Source: global traffic	DNS traffic detected: DNS query: www.xiuqicloud.website
Source: global traffic	DNS traffic detected: DNS query: www.autoabmeldung.net
Source: global traffic	DNS traffic detected: DNS query: www.spadessyndicate.net
Source: global traffic	DNS traffic detected: DNS query: www.renco.tech
Source: global traffic	DNS traffic detected: DNS query: www.218735.bid
Source: global traffic	DNS traffic detected: DNS query: www.epdemexi.lat
Source: global traffic	DNS traffic detected: DNS query: www.zhuanphysical.shop
Source: global traffic	DNS traffic detected: DNS query: www.zkplant.xyz
Source: global traffic	DNS traffic detected: DNS query: www.serenityos.dev
Source: global traffic	DNS traffic detected: DNS query: www.nullus.xyz

Source: unknown

HTTP traffic detected: POST /yl4h/ HTTP/1.1Host: www.garfo.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Connection: closeContent-Length: 220Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedOrigin: http://www.garfo.xyzReferer: http://www.garfo.xyz/yl4h/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36Data Raw: 4a 4e 36 34 69 38 41 3d 4d 72 42 56 4d 6e 30 4e 47 72 46 30 6c 46 50 66 4d 58 45 31 2b 4c 4d 4c 74 58 56 54 72 45 79 4a 6a 58 59 7a 41 50 54 77 58 4d 79 4e 4a 62 72 73 34 43 44 4b 70 44 6b 50 6b 67 5a 6f 38 47 46 72 56 4b 55 50 6d 4a 4d 35 75 59 65 74 38 4d 6e 46 4c 6b 76 6c 50 38 69 6d 49 61 71 4b 6e 30 6c 75 34 76 4d 47 47 42 77 49 49 48 57 37 51 2b 34 47 51 59 6f 6f 6c 50 67 68 46 49 2b 4f 54 57 51 70 53 4a 45 72 47 2b 32 63 59 53 67 50 39 6a 74 5a 55 69 4a 44 44 53 6d 34 64 55 58 61 64 4a 44 37 4b 4c 63 69 65 64 33 51 59 74 75 4b 6d 61 32 6b 2f 55 65 56 4e 45 47 53 38 55 34 63 75 56 51 4a 70 54 5a 51 69 42 5a 62 36 54 36 33 34 43 71 58 54 41 3d 3d Data Ascii: JN64i8A=MrBVMn0NGrF0lFPfMXE1+LMLtXVTrEyJjXYzAPTwXMyNJbrs4CDKpDkPkgZo8GFrVKUPmJM5uYet8MnFLkvlP8imIaqKn0lu4vMGGBwIIHW7Q+4GQYoolPghFI+OTWQpSJErG+2cYSgP9jtZUiJDDSm4dUXadJD7KLcied3QYtuKma2k/UeVNEGS8U4cuVQJpTZQiBZb6T634CqXTA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Thu, 06 Feb 2025 07:43:47 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:44:16 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:44:19 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:44:21 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:44:24 GMTServer: ApacheContent-Length: 13840Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 2e 66 75 6e 64 6f 7b 0a 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 63 61 6c 65 73 20 33 73 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 62 61 69 78 6f 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 31 34 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 70 61 6f 2d 63 69 6d 61 7b 0a 20 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 72 6f 74 61 74 65 70 61 6f 20 37 73 20 31 73 20 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 2c 2e 34 39 2c 2e 34 31 2c 2e 39 37 29 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 0a 2e 6c 65 66 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 31 35 30 70 78 20 31 35 36 70 78 3b 0a 7d 0a 0a 2e 72 69 67 68 74 2d 73 70 61 72 6b 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6c 65 66 74 2d 73 70 61 72 6b 73 20 20 20 34 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 33 31 30 70 78 20 31 35 30 70 78 3b 0a 7d 0a 0a 2e 6f 6c 68 6f 73 7b 61 6e 69 6d 61 74 69 6f 6e 3a 20 6f 6c 68 6f 73 20 20 20 32 73 20 20 61 6c 74 65 72 6e 61 74 65 20 20 69 6e 66 69 6e 69 74 65 3b 0a 20 20 20 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 20 63 65 6e 74 65 72 3b 0a 7d 0a 40 6b 65 79 66 72 61 6d 65 73 20 73 63 61 6c 65 73 7b 0a 20 20 66 72 6f 6d 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 30 2e 39 38 29 7d 0a 20 20 74 6f 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 73 63 61 6c 65 28 31 29 7d 0a 7d 0a 0a 40 6b 65 79 66 72 61 6d 65 73 20 72 6f 74 61 74 65 70 61 6f 7b 0a 20 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20 72 6f 74 61 74 65 28 30 64 65 67 29 7d 0a 20 20 35 30 25 20 2c 20 36 30 25 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 06 Feb 2025 07:44:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 31 0b c2 30 10 85 77 c1 ff 70 6e 3a a4 69 a5 63 c8 22 0a 0e ba 88 3f 20 f5 ce 36 90 5e 24 a6 60 ff bd a9 b6 20 ce 8e 8e f7 ee 7b 8f c7 53 4d 6c 9d 9e cf 54 43 06 b5 8a 36 3a d2 65 5e c2 d1 47 d8 f9 8e 51 c9 b7 a8 e4 0b 49 68 e5 b1 1f 2c 17 e2 48 41 ab a6 f8 76 24 45 c9 f1 3d 64 27 68 bc b8 b6 fc 90 45 b6 2e b3 1c 96 e7 aa e3 d8 ad 3e 59 39 a5 cb a9 d9 42 08 30 70 33 88 96 6b 88 1e d0 de 4d e5 08 0e a7 fd 16 0c 23 6c 9a e0 5b 82 6b b0 c4 e8 7a a0 10 7c 48 8e 9a 40 88 a1 e9 3f e2 97 5b 3c 01 f0 75 41 1e 34 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b910wpn:ic"? 6^$` {SMlTC6:e^GQIh,HAv$E=d'hE.>Y9B0p3kM#l[kz\|H@?[<uA40
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 06 Feb 2025 07:45:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 31 0b c2 30 10 85 77 c1 ff 70 6e 3a a4 69 a5 63 c8 22 0a 0e ba 88 3f 20 f5 ce 36 90 5e 24 a6 60 ff bd a9 b6 20 ce 8e 8e f7 ee 7b 8f c7 53 4d 6c 9d 9e cf 54 43 06 b5 8a 36 3a d2 65 5e c2 d1 47 d8 f9 8e 51 c9 b7 a8 e4 0b 49 68 e5 b1 1f 2c 17 e2 48 41 ab a6 f8 76 24 45 c9 f1 3d 64 27 68 bc b8 b6 fc 90 45 b6 2e b3 1c 96 e7 aa e3 d8 ad 3e 59 39 a5 cb a9 d9 42 08 30 70 33 88 96 6b 88 1e d0 de 4d e5 08 0e a7 fd 16 0c 23 6c 9a e0 5b 82 6b b0 c4 e8 7a a0 10 7c 48 8e 9a 40 88 a1 e9 3f e2 97 5b 3c 01 f0 75 41 1e 34 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b910wpn:ic"? 6^$` {SMlTC6:e^GQIh,HAv$E=d'hE.>Y9B0p3kM#l[kz\|H@?[<uA40
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 06 Feb 2025 07:45:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 31 0b c2 30 10 85 77 c1 ff 70 6e 3a a4 69 a5 63 c8 22 0a 0e ba 88 3f 20 f5 ce 36 90 5e 24 a6 60 ff bd a9 b6 20 ce 8e 8e f7 ee 7b 8f c7 53 4d 6c 9d 9e cf 54 43 06 b5 8a 36 3a d2 65 5e c2 d1 47 d8 f9 8e 51 c9 b7 a8 e4 0b 49 68 e5 b1 1f 2c 17 e2 48 41 ab a6 f8 76 24 45 c9 f1 3d 64 27 68 bc b8 b6 fc 90 45 b6 2e b3 1c 96 e7 aa e3 d8 ad 3e 59 39 a5 cb a9 d9 42 08 30 70 33 88 96 6b 88 1e d0 de 4d e5 08 0e a7 fd 16 0c 23 6c 9a e0 5b 82 6b b0 c4 e8 7a a0 10 7c 48 8e 9a 40 88 a1 e9 3f e2 97 5b 3c 01 f0 75 41 1e 34 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b910wpn:ic"? 6^$` {SMlTC6:e^GQIh,HAv$E=d'hE.>Y9B0p3kM#l[kz\|H@?[<uA40
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 06 Feb 2025 07:45:06 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:45:12 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:45:14 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:45:17 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:45:19 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.3Date: Thu, 06 Feb 2025 07:45:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 37 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.3</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.3Date: Thu, 06 Feb 2025 07:45:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 37 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.3</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.3Date: Thu, 06 Feb 2025 07:45:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 37 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.3</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.3Date: Thu, 06 Feb 2025 07:45:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 37 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.3</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:45:53 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:45:55 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:45:58 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:46:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fy0d1d89%2FYz4lcfuydF3saVP2wxLkNUarpIju9lj9Un6S2xoiJTuCBHbfVImW6XHYfls3Y3cMSqT8xVXytkRgej7fRo1SIBDw6KGK0HQuFVzKqXiKujy8Abw2q164Z9T1MdRYYNTOxhh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d986978c594213-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2086&min_rtt=2086&rtt_var=1043&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=784&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6lA3QQhXSMgbdrHe7%2FSpCYEE9qtO%2BZAOkbfBgoYyb6P4f%2BRjddjL8%2Fl6tMHRWoGoyKVxznnbSBppkOOg8ntUR084f2CC9Re2azfI2pR7kswmxlIm6h%2BqKOgP%2BvPTdy%2Ff2PE7yv0KlJsv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d986a79c6f4407-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1531&rtt_var=765&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=804&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f1Jta82uPh13V7H4ftiuGVrqIPTjtTt4YnqE77yVwFXQd5Lj%2Fon3AEmbwaWjmzU2DiG07q7DFW2APNhwnRUvkwRvHao1Rx2Oqg1iAhAlAUlAAqeIJ948uqDSSxOGgDVMx2qtvlWFbOWN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d986b7aca96a55-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1817&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sn6B6WdhnQJcxRRCFvm0XXNoMG0BLL6TfiN3XjfKTmtXkGKUeunp2mX2TBUxIQe2oq2iLJ2%2FqdK%2BYxZu2LuSBjNaTFpvGL7SAU84viiTLxdWNSxqniqnoYTi5TpDODgWnVPAMk7jBE2d"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d986c788988c5f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1835&min_rtt=1835&rtt_var=917&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=514&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome fri
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XDaTGuYkceh8Na1qXQPAud28GrV5FT0cpkK3jwOc4BxikQ%2FeYU%2Fw2XXySyFkhReXZQBG7f1sAtMD4NhUNC%2BlwyUjlwqWswcC4QR6O7Xz0DgtVYluKZFKdORDfu2v%2Fa809YcsonE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9873d6901c461-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1635&rtt_var=817&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=772&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 61 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 52 4d 73 d3 30 10 bd f3 2b 1e e1 5a c7 36 29 4c c7 56 72 29 74 38 30 d0 81 f4 c0 51 91 36 91 a6 8a e4 4a eb 10 93 e1 bf 77 5c 67 1a 7b 38 70 d2 ae 76 df db b7 1f e2 ed a7 ef b7 eb 5f f7 9f 61 78 ef 56 6f c4 f0 00 80 30 24 f5 60 be b8 6c d9 d1 ea ba b8 c6 b7 c0 b8 0b ad d7 22 1f 3e 2f 49 7b 62 09 c3 dc 64 f4 d4 da c3 72 76 1b 3c 93 e7 6c dd 35 34 83 1a bc e5 8c e9 c8 79 5f ab 86 32 32 26 e2 e5 c3 fa 2e bb 99 8d b8 12 77 63 ee 4d d0 1d 4e e8 91 99 74 76 e7 2b 28 f2 4c b1 46 23 b5 b6 7e 57 a1 2c 8a e6 88 0f 45 73 ac f1 f7 15 69 4a 9c b0 0d 9e b3 64 ff 50 f5 4f fc cc dc 67 54 78 df 33 7c 21 77 20 b6 4a 5e 41 46 2b dd 15 92 f4 29 4b 14 ed b6 86 0a 2e c4 0a ef 16 8b c5 98 46 46 b6 ca 11 4e d0 36 35 4e 76 15 36 2e a8 c7 7a a2 d9 d1 96 6b fc b6 9a 4d 85 8f 83 94 bd 8c 3b eb 2b 14 90 2d 87 09 27 4e af e5 8a e2 a6 d4 ea cc a6 49 85 28 d9 06 5f c1 07 4f 13 50 65 c2 81 e2 08 fa a2 f4 bf 38 91 8f 46 2e f2 cb fe 45 3f a1 b3 79 ee 72 b4 27 53 ae fa 8b d8 f6 17 31 17 b9 29 47 b1 66 b5 36 84 48 29 b4 51 f5 c6 53 4b 89 49 43 85 d6 69 f8 c0 d8 d0 00 45 f0 60 63 13 12 c5 03 c5 b9 c8 9b 09 d1 bd 23 99 08 ca 90 7a 04 1b c2 c3 8f af 73 fc 0c 31 76 90 9b d0 32 d8 48 be c0 44 3e 91 2a f2 a1 09 91 0f 27 Data Ascii: 1a4RMs0+Z6)LVr)t80Q6Jw\g{8pv_axVo0$`l">/I{bdrv<l54y_22&.wcMNtv+(LF#~W,EsiJdPOgTx3\|!w J^AF+)K.FFN65Nv6.zkM;+-'NI(_OPe8F.E?yr'S1)Gf6H)QSKICiE`c#zs1v2HD>*'
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lEYTjLVoNiVk3rAsf8sLusTI9rdPnr%2Bhl%2Fj9B3M5rH8EVgexWEpzPU4YdB7%2F3YMzufM5JcKcpyBHsAVPPUKTI9ZdV3pKiZscWrQ%2F0hplVbaQazTGElkLJVp4m8Yyo3qyqw1lAfg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9874d5b61422f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1672&rtt_var=836&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=792&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 61 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 52 4d 73 d3 30 10 bd f3 2b 1e e1 5a c7 36 29 4c c7 56 72 29 74 38 30 d0 81 f4 c0 51 91 36 91 a6 8a e4 4a eb 10 93 e1 bf 77 5c 67 1a 7b 38 70 d2 ae 76 df db b7 1f e2 ed a7 ef b7 eb 5f f7 9f 61 78 ef 56 6f c4 f0 00 80 30 24 f5 60 be b8 6c d9 d1 ea ba b8 c6 b7 c0 b8 0b ad d7 22 1f 3e 2f 49 7b 62 09 c3 dc 64 f4 d4 da c3 72 76 1b 3c 93 e7 6c dd 35 34 83 1a bc e5 8c e9 c8 79 5f ab 86 32 32 26 e2 e5 c3 fa 2e bb 99 8d b8 12 77 63 ee 4d d0 1d 4e e8 91 99 74 76 e7 2b 28 f2 4c b1 46 23 b5 b6 7e 57 a1 2c 8a e6 88 0f 45 73 ac f1 f7 15 69 4a 9c b0 0d 9e b3 64 ff 50 f5 4f fc cc dc 67 54 78 df 33 7c 21 77 20 b6 4a 5e 41 46 2b dd 15 92 f4 29 4b 14 ed b6 86 0a 2e c4 0a ef 16 8b c5 98 46 46 b6 ca 11 4e d0 36 35 4e 76 15 36 2e a8 c7 7a a2 d9 d1 96 6b fc b6 9a 4d 85 8f 83 94 bd 8c 3b eb 2b 14 90 2d 87 09 27 4e af e5 8a e2 a6 d4 ea cc a6 49 85 28 d9 06 5f c1 07 4f 13 50 65 c2 81 e2 08 fa a2 f4 bf 38 91 8f 46 2e f2 cb fe 45 3f a1 b3 79 ee 72 b4 27 53 ae fa 8b d8 f6 17 31 17 b9 29 47 b1 66 b5 36 84 48 29 b4 51 f5 c6 53 4b 89 49 43 85 d6 69 f8 c0 d8 d0 00 45 f0 60 63 13 12 c5 03 c5 b9 c8 9b 09 d1 bd 23 99 08 ca 90 7a 04 1b c2 c3 8f af 73 fc 0c 31 76 90 9b d0 32 d8 48 be c0 44 3e 91 2a f2 a1 09 91 0f 27 Data Ascii: 1a4RMs0+Z6)LVr)t80Q6Jw\g{8pv_axVo0$`l">/I{bdrv<l54y_22&.wcMNtv+(LF#~W,EsiJdPOgTx3\|!w J^AF+)K.FFN65Nv6.zkM;+-'NI(_OPe8F.E?yr'S1)Gf6H)QSKICiE`c#zs1v2HD>*'
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:51 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sGJtfcWns%2B%2BpqfXsbS%2FsVw8RMYbnJSlI17FqAfCoWp%2F3b6lmtczqQdfFkIuAU%2Ftp8F%2FlDKD3CRMbsjrYN%2FMHHUy5FZ3mVh%2F1scOrKBpOjlwyNn4D6mTFKR4SbNaz3V8zy38oBMo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9875d385143aa-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2094&min_rtt=2094&rtt_var=1047&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1805&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 61 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 52 4d 73 d3 30 10 bd f3 2b 1e e1 5a c7 36 29 4c c7 56 72 29 74 38 30 d0 81 f4 c0 51 91 36 91 a6 8a e4 4a eb 10 93 e1 bf 77 5c 67 1a 7b 38 70 d2 ae 76 df db b7 1f e2 ed a7 ef b7 eb 5f f7 9f 61 78 ef 56 6f c4 f0 00 80 30 24 f5 60 be b8 6c d9 d1 ea ba b8 c6 b7 c0 b8 0b ad d7 22 1f 3e 2f 49 7b 62 09 c3 dc 64 f4 d4 da c3 72 76 1b 3c 93 e7 6c dd 35 34 83 1a bc e5 8c e9 c8 79 5f ab 86 32 32 26 e2 e5 c3 fa 2e bb 99 8d b8 12 77 63 ee 4d d0 1d 4e e8 91 99 74 76 e7 2b 28 f2 4c b1 46 23 b5 b6 7e 57 a1 2c 8a e6 88 0f 45 73 ac f1 f7 15 69 4a 9c b0 0d 9e b3 64 ff 50 f5 4f fc cc dc 67 54 78 df 33 7c 21 77 20 b6 4a 5e 41 46 2b dd 15 92 f4 29 4b 14 ed b6 86 0a 2e c4 0a ef 16 8b c5 98 46 46 b6 ca 11 4e d0 36 35 4e 76 15 36 2e a8 c7 7a a2 d9 d1 96 6b fc b6 9a 4d 85 8f 83 94 bd 8c 3b eb 2b 14 90 2d 87 09 27 4e af e5 8a e2 a6 d4 ea cc a6 49 85 28 d9 06 5f c1 07 4f 13 50 65 c2 81 e2 08 fa a2 f4 bf 38 91 8f 46 2e f2 cb fe 45 3f a1 b3 79 ee 72 b4 27 53 ae fa 8b d8 f6 17 31 17 b9 29 47 b1 66 b5 36 84 48 29 b4 51 f5 c6 53 4b 89 49 43 85 d6 69 f8 c0 d8 d0 00 45 f0 60 63 13 12 c5 03 c5 b9 c8 9b 09 d1 bd 23 99 08 ca 90 7a 04 1b c2 c3 8f af 73 fc 0c 31 76 90 9b d0 32 d8 48 be c0 Data Ascii: 1a4RMs0+Z6)LVr)t80Q6Jw\g{8pv_axVo0$`l">/I{bdrv<l54y_22&.wcMNtv+(LF#~W,EsiJdPOgTx3\|!w J^AF+)K.FFN65Nv6.zkM;+-'NI(_OPe8F.E?yr'S1)Gf6H)QSKICiE`c#zs1v2H
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:46:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1PoQDuFZyGF3ZjQOryE7PyeK%2BwN19fqx8lIxDADMZ7%2BYVw6g%2FM2D%2FWkaSyCVeLhTYy8CkGMFvcZjzmAlNk4KVXRnm87C06dLxsm73OFF%2BBoct3s2yTxtGkAxw9nTNirKKqiaiiU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90d9876d4d3a4233-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=864&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=510&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 35 30 70 78 3b 20 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 70 78 3b 20 7d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 20 66 6f 6e 74 3a 20 32 30 70 78 20 48 65 6c 76 65 74 69 63 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 20 7d 0a 20 20 20 20 20 20 20 20 61 72 74 69 63 6c 65 20 7b 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 20 77 69 64 74 68 3a 20 36 35 30 70 78 3b 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 20 7d 0a 20 20 20 20 20 20 20 20 61 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 38 31 Data Ascii: 2fa<!DOCTYPE html><html> <head> <title>404 Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style> body { text-align: center; padding: 100px 50px; } h1 { font-size: 50px; } body { font: 20px Helvetica, arial, sans-serif; color: #333; } article { display: block; text-align: left; width: 650px; margin: 0 auto; } a { color: #0081

Source: co98GJ8nh.exe, 00000010.00000002.3727212082.0000000004E85000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nullus.xyz
Source: co98GJ8nh.exe, 00000010.00000002.3727212082.0000000004E85000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nullus.xyz/g3p7/
Source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020693000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1270908433.0000000000900000.00000004.00000020.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1306688456.0000000020FC0000.00000004.00000020.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1253391764.000000007F299000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1307867741.000000007F619000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000003.1253391764.000000007F253000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1305708457.0000000020620000.00000004.00001000.00020000.00000000.sdmp, Orden Compra.exe, 00000000.00000002.1305708457.0000000020702000.00000004.00001000.00020000.00000000.sdmp, pdnpzfuJ.pif, 0000000A.00000000.1269225953.0000000000416000.00000002.00000001.01000000.00000005.sdmp, SearchProtocolHost.exe, 0000000F.00000002.3726618169.00000000034AC000.00000004.10000000.00040000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000002.3714943420.00000000028E9000.00000004.00000020.00020000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3722926058.00000000029BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.1843601359.000000002D44C000.00000004.80000000.00040000.00000000.sdmp, pdnpzfuJ.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SearchProtocolHost.exe, 0000000F.00000002.3726618169.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3722926058.00000000033EC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://keo88.bond/jwmi/?dft=EDflZ0HXpniPFR&JN64i8A=5piOVe3YX8EwruU4jaknfUXkRm2YBsi9YwJBdzZv
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.000000000290A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.li
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.000000000290A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.000000000290A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.000000000290A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.000000000290A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033D
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.000000000290A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.000000000290A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: SearchProtocolHost.exe, 0000000F.00000003.1734056238.000000000768B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: SearchProtocolHost.exe, 0000000F.00000002.3729120182.00000000076AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SearchProtocolHost.exe, 0000000F.00000002.3726618169.0000000004848000.00000004.10000000.00040000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000002.3728985955.0000000005C20000.00000004.00000800.00020000.00000000.sdmp, SearchProtocolHost.exe, 0000000F.00000002.3726618169.0000000003D4A000.00000004.10000000.00040000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3722926058.000000000325A000.00000004.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3722926058.0000000003D58000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Orden Compra.exe	String found in binary or memory: https://www.istockphoto.com/photo/license-gm1721592530-?utm_medium=organic&utm_source=google&amp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.pdnpzfuJ.pif.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.pdnpzfuJ.pif.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1572166081.0000000025610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3721138662.0000000002BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1569799118.00000000230B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3727212082.0000000004DF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3721181837.00000000040E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1552628219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3714042314.0000000000630000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3721214127.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

PE file contains section with special chars

Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .

Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028232F8 NtAllocateVirtualMemory,	0_2_028232F8
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02829388 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02829388
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02823644 NtWriteVirtualMemory,	0_2_02823644
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028294F4 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_028294F4
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028244F4 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_028244F4
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02829410 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02829410
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02823B98 NtReadVirtualMemory,	0_2_02823B98
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02823E08 NtUnmapViewOfSection,	0_2_02823E08
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028232F6 NtAllocateVirtualMemory,	0_2_028232F6
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02829334 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02829334
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028244F2 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_028244F2
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_0042C4A3 NtClose,	10_2_0042C4A3
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2B60 NtClose,LdrInitializeThunk,	10_2_219D2B60
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_219D2DF0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_219D2C70
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D35C0 NtCreateMutant,LdrInitializeThunk,	10_2_219D35C0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D4340 NtSetContextThread,	10_2_219D4340
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D4650 NtSuspendThread,	10_2_219D4650
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2B80 NtQueryInformationFile,	10_2_219D2B80
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2BA0 NtEnumerateValueKey,	10_2_219D2BA0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2BF0 NtAllocateVirtualMemory,	10_2_219D2BF0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2BE0 NtQueryValueKey,	10_2_219D2BE0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2AB0 NtWaitForSingleObject,	10_2_219D2AB0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2AD0 NtReadFile,	10_2_219D2AD0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2AF0 NtWriteFile,	10_2_219D2AF0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2DB0 NtEnumerateKey,	10_2_219D2DB0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2DD0 NtDelayExecution,	10_2_219D2DD0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2D10 NtMapViewOfSection,	10_2_219D2D10
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2D00 NtSetInformationFile,	10_2_219D2D00
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2D30 NtUnmapViewOfSection,	10_2_219D2D30
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2CA0 NtQueryInformationToken,	10_2_219D2CA0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2CC0 NtQueryVirtualMemory,	10_2_219D2CC0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2CF0 NtOpenProcess,	10_2_219D2CF0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2C00 NtQueryInformationProcess,	10_2_219D2C00
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2C60 NtCreateKey,	10_2_219D2C60
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2F90 NtProtectVirtualMemory,	10_2_219D2F90
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2FB0 NtResumeThread,	10_2_219D2FB0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2FA0 NtQuerySection,	10_2_219D2FA0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2FE0 NtCreateFile,	10_2_219D2FE0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2F30 NtCreateSection,	10_2_219D2F30
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2F60 NtCreateProcessEx,	10_2_219D2F60
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2E80 NtReadVirtualMemory,	10_2_219D2E80
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2EA0 NtAdjustPrivilegesToken,	10_2_219D2EA0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2EE0 NtQueueApcThread,	10_2_219D2EE0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D2E30 NtWriteVirtualMemory,	10_2_219D2E30
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D3090 NtSetValueKey,	10_2_219D3090
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D3010 NtOpenDirectoryObject,	10_2_219D3010
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D39B0 NtGetContextThread,	10_2_219D39B0
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D3D10 NtOpenProcessToken,	10_2_219D3D10
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_219D3D70 NtOpenThread,	10_2_219D3D70
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF4340 NtSetContextThread,LdrInitializeThunk,	15_2_02EF4340
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF4650 NtSuspendThread,LdrInitializeThunk,	15_2_02EF4650
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2AF0 NtWriteFile,LdrInitializeThunk,	15_2_02EF2AF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2AD0 NtReadFile,LdrInitializeThunk,	15_2_02EF2AD0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2BE0 NtQueryValueKey,LdrInitializeThunk,	15_2_02EF2BE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_02EF2BF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2BA0 NtEnumerateValueKey,LdrInitializeThunk,	15_2_02EF2BA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2B60 NtClose,LdrInitializeThunk,	15_2_02EF2B60
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2EE0 NtQueueApcThread,LdrInitializeThunk,	15_2_02EF2EE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_02EF2E80
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2FE0 NtCreateFile,LdrInitializeThunk,	15_2_02EF2FE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2FB0 NtResumeThread,LdrInitializeThunk,	15_2_02EF2FB0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2F30 NtCreateSection,LdrInitializeThunk,	15_2_02EF2F30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_02EF2CA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2C60 NtCreateKey,LdrInitializeThunk,	15_2_02EF2C60
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_02EF2C70
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_02EF2DF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2DD0 NtDelayExecution,LdrInitializeThunk,	15_2_02EF2DD0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_02EF2D30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_02EF2D10
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF35C0 NtCreateMutant,LdrInitializeThunk,	15_2_02EF35C0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF39B0 NtGetContextThread,LdrInitializeThunk,	15_2_02EF39B0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2AB0 NtWaitForSingleObject,	15_2_02EF2AB0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2B80 NtQueryInformationFile,	15_2_02EF2B80
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2EA0 NtAdjustPrivilegesToken,	15_2_02EF2EA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2E30 NtWriteVirtualMemory,	15_2_02EF2E30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2FA0 NtQuerySection,	15_2_02EF2FA0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2F90 NtProtectVirtualMemory,	15_2_02EF2F90
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2F60 NtCreateProcessEx,	15_2_02EF2F60
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2CF0 NtOpenProcess,	15_2_02EF2CF0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2CC0 NtQueryVirtualMemory,	15_2_02EF2CC0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2C00 NtQueryInformationProcess,	15_2_02EF2C00
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2DB0 NtEnumerateKey,	15_2_02EF2DB0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF2D00 NtSetInformationFile,	15_2_02EF2D00
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF3090 NtSetValueKey,	15_2_02EF3090
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF3010 NtOpenDirectoryObject,	15_2_02EF3010
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF3D70 NtOpenThread,	15_2_02EF3D70
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02EF3D10 NtOpenProcessToken,	15_2_02EF3D10
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_00658E80 NtCreateFile,	15_2_00658E80
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_00658FE0 NtReadFile,	15_2_00658FE0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_006590D0 NtDeleteFile,	15_2_006590D0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_00659170 NtClose,	15_2_00659170
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_006592D0 NtAllocateVirtualMemory,	15_2_006592D0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02D7F1A0 NtQueryInformationProcess,	15_2_02D7F1A0
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: 15_2_02D7F8F8 NtMapViewOfSection,	15_2_02D7F8F8

Source: C:\Users\user\Desktop\Orden Compra.exe

Code function: 0_2_0282AB58 InetIsOffline,Sleep,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

0_2_0282AB58

Source: C:\Users\user\Desktop\Orden Compra.exe	File created: C:\Windows \SysWOW64\svchost.pif	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	File created: C:\Windows \SysWOW64\NETUTILS.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Windows \SysWOW64	Jump to behavior

Source: C:\Users\user\Desktop\Orden Compra.exe

File deleted: C:\Windows \SysWOW64\svchost.pif

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: String function: 02F07E54 appears 111 times
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: String function: 02F2EA12 appears 86 times
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: String function: 02EF5130 appears 58 times
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: String function: 02EAB970 appears 277 times
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Code function: String function: 02F3F290 appears 105 times
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: String function: 0281424C appears 62 times
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: String function: 028240E4 appears 56 times
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: String function: 028145D0 appears 828 times
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: String function: 02814444 appears 245 times
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: String function: 02824168 appears 45 times
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: String function: 219D5130 appears 58 times
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: String function: 219E7E54 appears 102 times
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: String function: 21A1F290 appears 105 times
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: String function: 2198B970 appears 277 times
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: String function: 21A0EA12 appears 86 times

Source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020693000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020693000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000003.1265387842.00000000008C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000003.1265387842.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1270908433.0000000000900000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1306688456.0000000020FC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000003.1253391764.000000007F299000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000003.1253391764.000000007F299000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1307867741.000000007F619000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1307867741.000000007F619000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1305708457.000000002067B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000003.1253391764.000000007F253000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000003.1253391764.000000007F253000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020620000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020702000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs Orden Compra.exe
Source: Orden Compra.exe, 00000000.00000002.1305708457.0000000020702000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs Orden Compra.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_03

Source: C:\Users\user\Desktop\Orden Compra.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Orden Compra.exe "C:\Users\user\Desktop\Orden Compra.exe"
Source: C:\Users\user\Desktop\Orden Compra.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\JufzpndpF.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Orden Compra.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Orden Compra.exe	Process created: C:\Users\Public\Libraries\pdnpzfuJ.pif C:\Users\Public\Libraries\pdnpzfuJ.pif
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Orden Compra.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\JufzpndpF.cmd" "	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Process created: C:\Users\Public\Libraries\pdnpzfuJ.pif C:\Users\Public\Libraries\pdnpzfuJ.pif	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Yara match	File source: 0.2.Orden Compra.exe.22d30d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden Compra.exe.2810000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Orden Compra.exe.22d30d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1271314488.00000000022D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: pdnpzfuJ.pif.0.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: NETUTILS.dll.0.dr	Static PE information: real checksum: 0x23151 should be: 0x220e3
Source: Orden Compra.exe	Static PE information: real checksum: 0x0 should be: 0x13b82c

Source: svchost.pif.0.dr	Static PE information: section name: .imrsiv
Source: svchost.pif.0.dr	Static PE information: section name: .didat
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: .
Source: NETUTILS.dll.0.dr	Static PE information: section name: /4
Source: NETUTILS.dll.0.dr	Static PE information: section name: /19
Source: NETUTILS.dll.0.dr	Static PE information: section name: /31
Source: NETUTILS.dll.0.dr	Static PE information: section name: /45
Source: NETUTILS.dll.0.dr	Static PE information: section name: /57
Source: NETUTILS.dll.0.dr	Static PE information: section name: /70
Source: NETUTILS.dll.0.dr	Static PE information: section name: /81
Source: NETUTILS.dll.0.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028362A4 push 0283630Fh; ret	0_2_02836307
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02813240 push eax; ret	0_2_0281327C
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0282425A push 02824294h; ret	0_2_0282428C
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0282425C push 02824294h; ret	0_2_0282428C
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02826263 push 0282629Ch; ret	0_2_02826294
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02826264 push 0282629Ch; ret	0_2_02826294
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028360AC push 02836125h; ret	0_2_0283611D
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02824004 push 02824046h; ret	0_2_0282403E
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028161BE push 02816202h; ret	0_2_028161FA
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028161C0 push 02816202h; ret	0_2_028161FA
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028361F8 push 02836288h; ret	0_2_02836280
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02836144 push 028361ECh; ret	0_2_028361E4
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0282A628 push ecx; mov dword ptr [esp], edx	0_2_0282A62D
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281F677 push 0281F6C5h; ret	0_2_0281F6BD
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281F678 push 0281F6C5h; ret	0_2_0281F6BD
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_028357AC push 02835988h; ret	0_2_02835980
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02822488 push ecx; mov dword ptr [esp], edx	0_2_0282248A
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0282A5C4 push ecx; mov dword ptr [esp], edx	0_2_0282A5C9
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281C50B push 0281C696h; ret	0_2_0281C68E
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281C510 push 0281C696h; ret	0_2_0281C68E
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281F56C push 0281F5E2h; ret	0_2_0281F5DA
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281BE90 push ecx; mov dword ptr [esp], edx	0_2_0281BE95
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_0281CE58 push 0281CE84h; ret	0_2_0281CE7C
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02822F52 push 02822FFFh; ret	0_2_02822FF7
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02822F54 push 02822FFFh; ret	0_2_02822FF7
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02815DF2 push 02815E4Fh; ret	0_2_02815E47
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: 0_2_02815DF4 push 02815E4Fh; ret	0_2_02815E47
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_00417875 push edx; iretd	10_2_00417879
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_0041403F push edi; ret	10_2_00414056
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_004140E1 push edi; iretd	10_2_004140E2
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Code function: 10_2_0041818F push ss; ret	10_2_00418190

Source: C:\Users\user\Desktop\Orden Compra.exe	File created: C:\Windows \SysWOW64\svchost.pif			Jump to dropped file
Source: C:\Users\user\Desktop\Orden Compra.exe	File created: C:\Users\Public\Libraries\pdnpzfuJ.pif			Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Orden Compra.exe	Memory allocated: 2810000 memory commit 500064256	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Memory allocated: 2811000 memory commit 500154368	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Memory allocated: 2836000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Memory allocated: 2837000 memory commit 500056064	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Memory allocated: 2845000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Memory allocated: 293D000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\Orden Compra.exe	Memory allocated: 293E000 memory commit 500015104	Jump to behavior

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7416	Thread sleep count: 250 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7416	Thread sleep time: -500000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7416	Thread sleep count: 9723 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 7416	Thread sleep time: -19446000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe TID: 7436	Thread sleep time: -70000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe TID: 7436	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe TID: 7436	Thread sleep time: -61500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe TID: 7436	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe TID: 7436	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Last function: Thread delayed

Source: -2102K2N2.15.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: -2102K2N2.15.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: -2102K2N2.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: -2102K2N2.15.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: -2102K2N2.15.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: -2102K2N2.15.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: -2102K2N2.15.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: -2102K2N2.15.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: -2102K2N2.15.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: -2102K2N2.15.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Orden Compra.exe, 00000000.00000002.1270908433.000000000083E000.00000004.00000020.00020000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3714445912.00000000007B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000012.00000002.1847995000.00000287AD3AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
Source: -2102K2N2.15.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: -2102K2N2.15.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: -2102K2N2.15.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: -2102K2N2.15.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: -2102K2N2.15.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: SearchProtocolHost.exe, 0000000F.00000002.3714943420.00000000028E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: -2102K2N2.15.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: -2102K2N2.15.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: -2102K2N2.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: -2102K2N2.15.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: -2102K2N2.15.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: -2102K2N2.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: -2102K2N2.15.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Orden Compra.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtUnmapViewOfSection: Direct from: 0x77762D3C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtSetInformationThread: Direct from: 0x77762ECC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Orden Compra.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Orden Compra.exe

Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Section loaded: NULL target: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\pdnpzfuJ.pif	Section loaded: NULL target: C:\Windows\SysWOW64\SearchProtocolHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files (x86)\TjgmfNiFTWmzHVvAYbWStrjJGpJAfSArprQSypYCgjBRWIqPopaFRay\co98GJ8nh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: co98GJ8nh.exe, 0000000E.00000002.3717867684.0000000001621000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 0000000E.00000000.1470537693.0000000001620000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3716315056.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: co98GJ8nh.exe, 0000000E.00000002.3717867684.0000000001621000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 0000000E.00000000.1470537693.0000000001620000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3716315056.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: co98GJ8nh.exe, 0000000E.00000002.3717867684.0000000001621000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 0000000E.00000000.1470537693.0000000001620000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3716315056.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: co98GJ8nh.exe, 0000000E.00000002.3717867684.0000000001621000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 0000000E.00000000.1470537693.0000000001620000.00000002.00000001.00040000.00000000.sdmp, co98GJ8nh.exe, 00000010.00000002.3716315056.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02815510
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: GetLocaleInfoA,	0_2_0281A130
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: GetLocaleInfoA,	0_2_0281A17C
Source: C:\Users\user\Desktop\Orden Compra.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_0281561C

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	125 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Access Token Manipulation	1 Software Packing	NTDS	421 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	1 Timestomp	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	2 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	612 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking