Edit tour

Windows Analysis Report
SHIPPING DOC.exe

Overview

General Information

Sample name:	SHIPPING DOC.exe
Analysis ID:	1665682
MD5:	6e59935cf07f82cd386736133a6d1a35
SHA1:	02ce7c501cc225ad26968b07d246bca8b631efc7
SHA256:	b89e42786fc9e75e23b241322d5781efa6d9da3d034c98c471e5e53ccda6e83f
Tags:	exeFormbookuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Drops VBS files to the startup folder

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SHIPPING DOC.exe (PID: 7668 cmdline: "C:\Users\user\Desktop\SHIPPING DOC.exe" MD5: 6E59935CF07F82CD386736133A6D1A35)

InstallUtil.exe (PID: 7796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

M4FGq0ceDE8wA.exe (PID: 6820 cmdline: "C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

timeout.exe (PID: 6224 cmdline: "C:\Windows\SysWOW64\timeout.exe" MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

M4FGq0ceDE8wA.exe (PID: 6924 cmdline: "C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\OUhIybrKu1.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7808 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

wscript.exe (PID: 8160 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

IsFixedSize.exe (PID: 6344 cmdline: "C:\Users\user\AppData\Roaming\IsFixedSize.exe" MD5: 6E59935CF07F82CD386736133A6D1A35)

InstallUtil.exe (PID: 6388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1313826317.0000000002521000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1313826317.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.3783220621.0000000004D30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1331586975.0000000003553000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1644020841.0000000000560000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3781158766.0000000003040000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1341143677.0000000005220000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.3783010348.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3783163752.00000000028C0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3785705010.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1645167113.0000000000AE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1505175223.0000000002711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000001.00000002.1648529171.0000000001010000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: SHIPPING DOC.exe PID: 7668	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: SHIPPING DOC.exe PID: 7668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: IsFixedSize.exe PID: 6344	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: IsFixedSize.exe PID: 6344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.InstallUtil.exe.560000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.SHIPPING DOC.exe.363b818.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.InstallUtil.exe.560000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.SHIPPING DOC.exe.5220000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.SHIPPING DOC.exe.5220000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs" , ProcessId: 8160, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs" , ProcessId: 8160, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\SHIPPING DOC.exe, ProcessId: 7668, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs

Suricata Signatures

ETPRO EXPLOIT_KIT FoxTDS Initial Check

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T18:45:31.342164+0200	2859622	1	Exploit Kit Activity Detected	104.21.64.1	80	192.168.2.5	49717	TCP
2025-04-15T18:45:34.033602+0200	2859622	1	Exploit Kit Activity Detected	104.21.64.1	80	192.168.2.5	49718	TCP
2025-04-15T18:45:36.917932+0200	2859622	1	Exploit Kit Activity Detected	104.21.64.1	80	192.168.2.5	49719	TCP
2025-04-15T18:45:39.540583+0200	2859622	1	Exploit Kit Activity Detected	104.21.64.1	80	192.168.2.5	49720	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T18:45:07.273310+0200	2856318	1	A Network Trojan was detected	192.168.2.5	49710	172.67.196.46	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SHIPPING DOC.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe

Avira: detection malicious, Label: HEUR/AGEN.1323683

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe

ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Source: SHIPPING DOC.exe	Virustotal: Detection: 37%			Perma Link
Source: SHIPPING DOC.exe	ReversingLabs: Detection: 58%

Yara detected FormBook

Source: Yara match	File source: 1.2.InstallUtil.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.InstallUtil.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3783220621.0000000004D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1644020841.0000000000560000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3781158766.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3783010348.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3783163752.00000000028C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785705010.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1645167113.0000000000AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1648529171.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.9%

Source: SHIPPING DOC.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SHIPPING DOC.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: SHIPPING DOC.exe, 00000000.00000002.1331586975.0000000003749000.00000004.00000800.00020000.00000000.sdmp, SHIPPING DOC.exe, 00000000.00000002.1342276541.0000000005340000.00000004.08000000.00040000.00000000.sdmp, SHIPPING DOC.exe, 00000000.00000002.1331586975.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, IsFixedSize.exe, 00000003.00000002.1593998665.000000000391E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: timeout.pdbGCTL source: InstallUtil.exe, 00000001.00000002.1644358362.0000000000626000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1644358362.0000000000617000.00000004.00000020.00020000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000006.00000003.1584732705.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: InstallUtil.exe, 00000001.00000002.1645426974.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, timeout.exe, 00000007.00000003.1648230011.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.3783520868.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.3783520868.000000000512E000.00000040.00001000.00020000.00000000.sdmp, timeout.exe, 00000007.00000003.1643901544.0000000004C3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: timeout.pdb source: InstallUtil.exe, 00000001.00000002.1644358362.0000000000626000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1644358362.0000000000617000.00000004.00000020.00020000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000006.00000003.1584732705.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: SHIPPING DOC.exe, 00000000.00000002.1331586975.0000000003749000.00000004.00000800.00020000.00000000.sdmp, SHIPPING DOC.exe, 00000000.00000002.1342276541.0000000005340000.00000004.08000000.00040000.00000000.sdmp, SHIPPING DOC.exe, 00000000.00000002.1331586975.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, IsFixedSize.exe, 00000003.00000002.1593998665.000000000391E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 00000001.00000002.1645426974.0000000000BC0000.00000040.00001000.00020000.00000000.sdmp, timeout.exe, 00000007.00000003.1648230011.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.3783520868.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.3783520868.000000000512E000.00000040.00001000.00020000.00000000.sdmp, timeout.exe, 00000007.00000003.1643901544.0000000004C3E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: timeout.exe, 00000007.00000002.3781616571.0000000003295000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.3784153763.00000000055BC000.00000004.10000000.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000000.1719737741.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1949858876.0000000030D9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: InstallUtil.pdb source: timeout.exe, 00000007.00000002.3781616571.0000000003295000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000007.00000002.3784153763.00000000055BC000.00000004.10000000.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000000.1719737741.0000000002B8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1949858876.0000000030D9C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: M4FGq0ceDE8wA.exe, 00000006.00000002.3781821445.00000000007DF000.00000002.00000001.01000000.0000000A.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000000.1719055686.00000000007DF000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 4x nop then jmp 04C11507h	0_2_04C11499
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 4x nop then jmp 04C11507h	0_2_04C114A8
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 4x nop then jmp 04C11E41h	0_2_04C11C28
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 4x nop then jmp 04C11E41h	0_2_04C11C38
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 4x nop then jmp 04C13F5Fh	0_2_04C13D51
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Code function: 4x nop then jmp 05B85B88h	3_2_05B85AD0
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Code function: 4x nop then jmp 05B85B88h	3_2_05B85ACA

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.5:49710 -> 172.67.196.46:80
Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.64.1:80 -> 192.168.2.5:49720
Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.64.1:80 -> 192.168.2.5:49719
Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.64.1:80 -> 192.168.2.5:49717
Source: Network traffic	Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.64.1:80 -> 192.168.2.5:49718

Performs DNS queries to domains with low reputation

Source:	DNS query: www.zestypath.xyz
Source:	DNS query: www.maticon.xyz
Source:	DNS query: www.swrvnuep.xyz
Source:	DNS query: www.ezchem.xyz

Source: Joe Sandbox View	IP Address: 15.197.225.128 15.197.225.128
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View

ASN Name: TISP-ASTISPLIMITEDHK TISP-ASTISPLIMITEDHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /gc3h/?WNRPiZgX=rAW+7LAZl+JLZOC2A/uvcxrzgBFGX38GUkHQN47XXP+ZPm65gtvIWj/ASN6KYlc43Z9W0iU0+DwnTfFKTjGnjL3OiOCVgaG4ND/dy/vQUxbrqaN5GJElTOaDpQ+NVVlN7w==&HBLh=8HwL20FP-l HTTP/1.1Host: www.meredithamon.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /iope/?WNRPiZgX=+UQFabvMsX5T9JJ3E6zrE6OVRNGwmk5vwvNB606BIfBu5MW2/pNerDaIEtWPZbpy9gKZuK4YeM5zeppvFLE6hBQnf2wFVVjXsyVnCupc42siGBXBjrKBbvC59DvkXSs6fg==&HBLh=8HwL20FP-l HTTP/1.1Host: www.worrr17.homesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gc3h/?HBLh=8HwL20FP-l&WNRPiZgX=rAW+7LAZl+JLZOC2A/uvcxrzgBFGX38GUkHQN47XXP+ZPm65gtvIWj/ASN6KYlc43Z9W0iU0+DwnTfFKTjGnjL3OiOCVgaG4ND/dy/vQUxbrqaN5GJElTOaDpQ+NVVlN7w== HTTP/1.1Host: www.meredithamon.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dar9/?HBLh=8HwL20FP-l&WNRPiZgX=NQQrtFluSHmoFkqEmGFEkTa8UZ/WlvNRX0KmoTfKicqtyBuVBK0WxzruGJ1hfKt8D6UlETbeYOfYIXEjxUh2prwuiwknzBiH08JmsQmzLOA9ebZ8OC9dKM8JEzgpl0YnQA== HTTP/1.1Host: www.zestypath.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /i1n4/?WNRPiZgX=W6mLOr83Vj3q9XDwpcXxkxScmlo5KgTeNW67Urdorz7UzmE5AO5ZqFUUeyazr6WM/YNKT928IyrWVjzVy9o4jXjtVfusQgIyK2SxsFDogi74tQjSZ1Wxh8Mh7UgU4R7WOA==&HBLh=8HwL20FP-l HTTP/1.1Host: www.gamewarriors.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /h88o/?WNRPiZgX=b+w7Vw7R7VBgiPGIbHBAMN4+Eh6/whAKHuJG+AcPZICVIVSnqwgN+h3ru+dRLSYVK2GTPvyW+1IVAUFtzST/8R29EFIzPpHFcWhBJysq4lOwxy3MtnxVQlIjD6J8rMmt+w==&HBLh=8HwL20FP-l HTTP/1.1Host: www.ku188.todayAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /z7hp/?WNRPiZgX=7pia7VgRB5HJEX70qKR71m8U7w3Bn5ZsZJwItP/VzX6mAto7UIgAASxl9TMIIpSOSj4RzwRZQJrVoZHZJsuQiTJH2kxr9D9aUDnsC+EnwnpL9Q4AtvP/psm0MlprbcFYVw==&HBLh=8HwL20FP-l HTTP/1.1Host: www.uqcdnvgr.bizAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /d8ro/?HBLh=8HwL20FP-l&WNRPiZgX=DggQ+ALkAKa0R3AfCku97zg7L7wmRyNrgOklg7cypTJjab4kb2SiHXfMCg/Udx9kMebirUyHJuWnOvX1BxGDcwn/h6bTBijFf1aVw8LDEkc5IQAso0z+3z+XpJwUNJOR7Q== HTTP/1.1Host: www.loginjablay123.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /g2kt/?WNRPiZgX=HZSqqSsyI6GiYAy5ejH4YIF0vKC7mvhcxqnpzNtWRDpCiqCVCQescUrzb4JPgdoSBV74G7ar3NzTrQIKelWL540kctI+POspk7NelAwN02cuMrJMNV1tU/5UxyHdvg3Knw==&HBLh=8HwL20FP-l HTTP/1.1Host: www.gdlsolarenergy.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4uc2/?HBLh=8HwL20FP-l&WNRPiZgX=AgSc6Ec+/KeOkur4DsbW7Yj5qtr2V8EXLWM/gfV0ZXPPfLUH/bkD96iWvhGDYhTTGC26JHpqqHCDI/qkZ1liii5+Zp/DAJTkkkDAnE5jOnKVJe1kpwgb5sCPVtEYsfvA1w== HTTP/1.1Host: www.swrvnuep.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xucl/?WNRPiZgX=uKAINBCXIUD2Z2q7XeiiTAz9fus56g/zSdsYPLeAm8cPvwV+8LayrDR1q3NxSjzkbb+boO6T/i7pMDBh1zkJ4FWQjN105xYVzWU4hnghFp7oYe0Qn4+pzSF6CR2YxCr2Qg==&HBLh=8HwL20FP-l HTTP/1.1Host: www.ezchem.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /n9if/?WNRPiZgX=5G0TrtyQr6OCjFRvRGS/F7iEEJWbsG9Qzl9+CIOEWkNBmxFKIvBbIs9Gfbay3av1GFRKFvCy9KZ4DU596JNlCvy0UrmzBfPEsJWADK9UBo2oWmvoI5KuMqR87UsabA44LA==&HBLh=8HwL20FP-l HTTP/1.1Host: www.cumlouder.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gc3h/?WNRPiZgX=rAW+7LAZl+JLZOC2A/uvcxrzgBFGX38GUkHQN47XXP+ZPm65gtvIWj/ASN6KYlc43Z9W0iU0+DwnTfFKTjGnjL3OiOCVgaG4ND/dy/vQUxbrqaN5GJElTOaDpQ+NVVlN7w==&HBLh=8HwL20FP-l HTTP/1.1Host: www.meredithamon.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.meredithamon.shop
Source: global traffic	DNS traffic detected: DNS query: www.worrr17.homes
Source: global traffic	DNS traffic detected: DNS query: www.x56uasf728r.shop
Source: global traffic	DNS traffic detected: DNS query: www.zestypath.xyz
Source: global traffic	DNS traffic detected: DNS query: www.gamewarriors.live
Source: global traffic	DNS traffic detected: DNS query: www.ku188.today
Source: global traffic	DNS traffic detected: DNS query: www.uqcdnvgr.biz
Source: global traffic	DNS traffic detected: DNS query: www.chrisjones.tech
Source: global traffic	DNS traffic detected: DNS query: www.maticon.xyz
Source: global traffic	DNS traffic detected: DNS query: www.loginjablay123.live
Source: global traffic	DNS traffic detected: DNS query: www.gdlsolarenergy.store
Source: global traffic	DNS traffic detected: DNS query: www.swrvnuep.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ezchem.xyz
Source: global traffic	DNS traffic detected: DNS query: www.allinoneavenue.shop
Source: global traffic	DNS traffic detected: DNS query: www.cumlouder.com

Source: unknown

HTTP traffic detected: POST /iope/ HTTP/1.1Host: www.worrr17.homesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brOrigin: http://www.worrr17.homesReferer: http://www.worrr17.homes/iope/Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 209Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; HTC_Desire_820 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36Data Raw: 57 4e 52 50 69 5a 67 58 3d 7a 57 34 6c 5a 76 48 72 76 6d 30 77 67 4f 6c 51 58 72 36 69 42 4c 71 54 49 6f 6d 67 68 32 64 59 35 76 6c 57 7a 57 43 5a 49 6f 64 74 33 74 53 4d 75 6f 5a 59 72 77 79 67 45 59 62 2f 59 71 52 50 76 44 2f 35 6e 38 38 34 63 63 30 32 48 72 6c 47 42 4c 46 74 69 41 35 58 63 6a 56 4e 4b 78 75 37 2b 6c 46 64 4c 50 63 79 68 56 42 63 47 43 6a 6e 6e 49 6d 55 66 50 61 71 68 79 79 43 61 54 42 69 42 4b 4d 2f 6f 4a 4a 39 75 45 6a 5a 38 51 6f 71 63 75 6f 64 49 33 58 2b 48 37 4e 67 44 79 63 38 72 54 52 34 6f 7a 39 49 77 4e 50 30 66 53 61 52 6c 6d 68 59 57 36 73 6d 45 2b 71 70 76 56 45 6a 74 56 74 57 36 79 41 3d Data Ascii: WNRPiZgX=zW4lZvHrvm0wgOlQXr6iBLqTIomgh2dY5vlWzWCZIodt3tSMuoZYrwygEYb/YqRPvD/5n884cc02HrlGBLFtiA5XcjVNKxu7+lFdLPcyhVBcGCjnnImUfPaqhyyCaTBiBKM/oJJ9uEjZ8QoqcuodI3X+H7NgDyc8rTR4oz9IwNP0fSaRlmhYW6smE+qpvVEjtVtW6yA=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: awselb/2.0Date: Tue, 15 Apr 2025 16:43:58 GMTContent-Length: 0Connection: closeWAFRule: 5
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: awselb/2.0Date: Tue, 15 Apr 2025 16:44:36 GMTContent-Length: 0Connection: closeWAFRule: 5
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:44:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:44:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:44:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:44:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:45:04 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://gamewarriors.live/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qg5RsYAajOsgLV87S5c6V9zgX4jKH6GAmt%2BxNULDgB61qu4GwR%2F0mbEx39IkXcAHNrFEBvj0SMl8MCsFMr5qBlk4m6Hzg6NJvynkGAkh8hiM8sfP%2FMpIyed6MkeamTUtFpPf1jDB5%2FI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930ce9445ea7ae3f-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=126505&min_rtt=126505&rtt_var=63252&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=761&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 38 63 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 58 ff 53 db 3a 12 ff 19 fe 0a 45 9d 09 56 2b 3b 4e 02 01 1c 4c a7 8f d2 9b 77 d3 1e 6f 4a 3b 37 37 84 eb 28 f2 da 51 eb 48 7e 92 9c c0 a5 f9 df 6f 64 87 c4 84 94 76 ee 1d bf 60 ed 7e b4 5a ed 17 ed 6e ce 5a 6f af 2e 3e fd eb 8f 4b 34 b1 d3 fc 7c ff cc fd 43 39 93 59 8c 41 fa 9f af b1 a3 01 4b ce f7 11 42 e8 6c 0a 96 21 3e 61 da 80 8d f1 e7 4f ef fc 13 dc 64 49 36 85 18 cf 04 cc 0b a5 2d 46 5c 49 0b d2 c6 78 2e 12 3b 89 13 98 09 0e 7e b5 a0 48 48 61 05 cb 7d c3 59 0e 71 37 08 9f 8a 3a d0 6a ac ac 39 58 0b 3a 98 b2 3b 5f 4c 59 06 7e a1 c1 1d 14 e5 4c 67 70 80 3a e7 fb 7b 67 c6 de e7 70 2e a6 59 24 8c 77 63 c4 7f c0 c4 98 95 56 61 24 6e 29 aa 29 ff ae 49 d4 d1 08 5a 54 b2 99 90 be 90 56 0b 69 04 f7 1d 2c 42 fd 30 0c 8b 3b d4 3d aa fe 2d cf 3a b5 f4 fd bd b3 5c c8 6f 48 43 1e 1f 24 d2 38 45 52 b0 7c 72 80 26 1a d2 f8 a0 d3 c9 d8 14 e6 4c 6b a1 b4 09 72 31 ab d5 3b 33 5c 8b c2 22 7b 5f 40 8c 2d dc d9 ce 57 36 63 35 15 9f ef 77 5e a2 b3 d6 cd c5 db 37 9f de dc a0 97 9d fd b9 90 89 9a 07 5f e6 Data Ascii: 8c3XS:EV+;NLwoJ;77(QH~odv`~ZnZo.>K4\|C9YAKBl!>aOdI6-F\Ix.;~HHa}Yq7:j9X:;_LY~Lgp:{gp.Y$wcVa$n))IZTVi,B0;=-:\oHC$8ER\|r&Lkr1;3\"{_@-W6c5w^7_
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:45:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://gamewarriors.live/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DEJGQMiDEstZT7Tflpj4WFt6xM0sb3HBr2HPo8fsgN5CFL2Y8TwExxz4%2BTMMSIFfLtrXH6Z0mG2SN6C0z9O4G1re1PTLj%2Fpb6Yk%2FntTGaBtjmthJtfdbo1H%2FyYbjWih2mMr5tKPODfw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930ce955bf3aed14-LHRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=194837&min_rtt=194837&rtt_var=97418&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=781&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:45:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://gamewarriors.live/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o2LT6MrYR%2BIskXRVkT6vAi%2FLaS3GXSLe4DF9IveYuoMpgy91Ummve8aoU2%2BFSkqDfCga0tdvot9CJDJWQ0NVk12Y9JMHNfPbIl5peCbIIjpfx6S8ZZqVPj2W2JPUuGiH7CQGqj4dJBQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930ce9662fde0d74-MIAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=123215&min_rtt=123215&rtt_var=61607&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=941&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 37 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 59 7b 73 db 38 92 ff 3b fe 14 30 53 2b 93 13 90 02 1f 7a 51 66 a6 66 93 cc d5 5e cd 5c b6 26 49 5d 5d d9 be 14 44 36 29 24 24 c8 05 40 49 3e 8d be fb 15 48 3d 68 49 96 b3 b7 97 8a 65 b2 f1 43 77 a3 5f e8 96 6f af df 7f 7c f7 f9 bf fe fe 01 cd 55 91 bf bd ba d5 bf 50 4e 79 16 19 c0 ed 2f 9f 0c 4d 03 9a bc bd 42 08 a1 db 02 14 45 f1 9c 0a 09 2a 32 be 7c fe d5 1e 1b dd 25 4e 0b 88 8c 05 83 65 55 0a 65 a0 b8 e4 0a b8 8a 8c 25 4b d4 3c 4a 60 c1 62 b0 9b 17 8c 18 67 8a d1 dc 96 31 cd 21 72 1d 72 ca ea 46 94 b3 52 c9 9b 3d a3 9b 82 ae 6c 56 d0 0c ec 4a 80 16 14 e6 54 64 70 83 fa 6f af 5e dd 4a f5 98 c3 5b 56 64 21 93 e6 9d 64 ff 03 32 32 68 ad 4a 03 b1 07 8c 5a ca 7f b7 24 ac 69 16 5a 37 bc 29 e3 36 e3 4a 30 2e 59 6c 6b 58 88 7c 42 48 b5 42 ee a0 f9 b5 b9 ed b7 dc af 5e dd e6 8c 7f 47 02 f2 e8 26 e1 52 2b 92 82 8a e7 37 68 2e 20 8d 6e fa fd 8c 16 b0 a4 42 b0 52 48 27 67 8b 56 bd 5b 19 0b 56 29 a4 1e 2b 88 0c 05 2b d5 ff 46 17 b4 a5 1a 6f af fa 3f a1 db eb bb 77 ef 7f f9 fc cb 1d fa a9 7f b5 64 3c 29 Data Ascii: b7cY{s8;0S+zQff^\&I]]D6)$$@I>H=hIeCw_o\|UPNy/MBE*2\|%NeUe%K<J`bg1!rrFR=lVJTdpo^J[Vd!d22hJZ$iZ7)6J0.YlkX\|BHB^G&R+7h. nBRH'gV[V)++Fo?wd<)
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:45:12 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:45:15 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:45:18 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:45:20 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 16:46:01 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 16:46:04 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 16:46:06 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 16:46:09 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:46:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R3NEQGZxWV%2BDbUJOiX8CIro06FroxhiWkRDcSaBlXd00eudk28aKS6goBwMMVztukmhdNUCL0RV1hjmrhM4a1SPyP8BzaY0dk4N9jDcqsuzqVAEW4V149sFBR7UnjNJ1pO5u"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930ceb54ec09454c-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106209&min_rtt=106209&rtt_var=53104&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 1a 53 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 b7 ee e0 18 33 ec e2 2d 10 ca 57 88 f2 89 d4 15 f6 91 e6 e5 9e 39 64 4e 1a ad fa 5e 58 a5 51 be eb c5 9d 74 81 c3 e0 c2 5d aa a6 6d 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 e2 75 26 80 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@S364)1Tk1hu]eCu3-W9dN^XQt]m"``2D.#3N-@)8S&30WZu&+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:46:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1JA4Gk2oK1xtcnCIuu2kzYIzYXJ2luMDEv1hvZjUFjWeDmrHonsLpxELW5d1KiUJHc8ALBYBJrmI07Z84BRIMfCpGDluwXJvL%2F%2BVH8iWwNLOvOTDBpethJ05tBvuE18%2Bg6HK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930ceb657eb0b036-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106463&min_rtt=106463&rtt_var=53231&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 1a 53 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 b7 ee e0 18 33 ec e2 2d 10 ca 57 88 f2 89 d4 15 f6 91 e6 e5 9e 39 64 4e 1a ad fa 5e 58 a5 51 be eb c5 9d 74 81 c3 e0 c2 5d aa a6 6d 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 e2 75 26 80 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@S364)1Tk1hu]eCu3-W9dN^XQt]m"``2D.#3N-@)8S&30WZu&+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:46:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tyHrTr%2B47zKkJZvPKcczE07tu7XYbwswRGwwKf8nv89EEEogQtAuHJEwjf11N8OdQWpaJ95K8T2Lua%2BPHQWKgzDCtmuVSN6a4FeVYrZSb5Sc7XS1DOZu%2FZqA3qPwGXqNJCfP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930ceb75faa0aff5-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=107864&min_rtt=107864&rtt_var=53932&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=926&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 1a 53 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 b7 ee e0 18 33 ec e2 2d 10 ca 57 88 f2 89 d4 15 f6 91 e6 e5 9e 39 64 4e 1a ad fa 5e 58 a5 51 be eb c5 9d 74 81 c3 e0 c2 5d aa a6 6d 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 e2 75 26 80 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@S364)1Tk1hu]eCu3-W9dN^XQt]m"``2D.#3N-@)8S&30WZu&+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 16:46:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HmT%2BAWCoO3%2FCIfVn9l6%2Bn%2FowFsGV35fKi5eC40JjrmvXG4CT1Q39MMeJqA4LNoIsABJF3TZ2AlgTrVS6L9myeqgfIEdYHEe4we2ZZqfrf6BgpSu4MBQpmVEs0rU2chtpAvLl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930ceb8678cd53c3-ATLalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106307&min_rtt=106307&rtt_var=53153&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=489&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 62 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: 22b<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.22.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: awselb/2.0Date: Tue, 15 Apr 2025 16:47:23 GMTContent-Length: 0Connection: closeWAFRule: 5

Source: timeout.exe, 00000007.00000002.3784153763.000000000617E000.00000004.10000000.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3783473391.000000000374E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://gamewarriors.live/i1n4/?WNRPiZgX=W6mLOr83Vj3q9XDwpcXxkxScmlo5KgTeNW67Urdorz7UzmE5AO5ZqFUUeyaz
Source: SHIPPING DOC.exe, 00000000.00000002.1313826317.0000000002521000.00000004.00000800.00020000.00000000.sdmp, IsFixedSize.exe, 00000003.00000002.1505175223.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: M4FGq0ceDE8wA.exe, 00000008.00000002.3785705010.0000000005020000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cumlouder.com
Source: M4FGq0ceDE8wA.exe, 00000008.00000002.3785705010.0000000005020000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.cumlouder.com/n9if/
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: timeout.exe, 00000007.00000002.3781616571.00000000032B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: timeout.exe, 00000007.00000002.3781616571.00000000032B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: timeout.exe, 00000007.00000002.3781616571.00000000032B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: timeout.exe, 00000007.00000002.3781616571.00000000032B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: timeout.exe, 00000007.00000002.3781616571.00000000032B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: timeout.exe, 00000007.00000002.3781616571.00000000032B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: timeout.exe, 00000007.00000003.1830653377.000000000827A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: SHIPPING DOC.exe, 00000000.00000002.1313826317.0000000002521000.00000004.00000800.00020000.00000000.sdmp, SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp, IsFixedSize.exe, 00000003.00000002.1505175223.0000000002711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: timeout.exe, 00000007.00000002.3784153763.0000000007132000.00000004.10000000.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3783473391.0000000004702000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.cumlouder.com/n9if/?WNRPiZgX=5G0TrtyQr6OCjFRvRGS/F7iEEJWbsG9Qzl9
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: timeout.exe, 00000007.00000002.3784153763.0000000006AEA000.00000004.10000000.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3783473391.00000000040BA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.gdlsolarenergy.store/g2kt/?WNRPiZgX=HZSqqSsyI6GiYAy5ejH4YIF0vKC7mvhcxqnpzNtWRDpCiqCVCQes
Source: timeout.exe, 00000007.00000002.3786582469.0000000008298000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.InstallUtil.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.InstallUtil.exe.560000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3783220621.0000000004D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1644020841.0000000000560000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3781158766.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3783010348.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3783163752.00000000028C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785705010.0000000004FC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1645167113.0000000000AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1648529171.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0058CB43 NtClose,	1_2_0058CB43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32B60 NtClose,LdrInitializeThunk,	1_2_00C32B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_00C32C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_00C32DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C335C0 NtCreateMutant,LdrInitializeThunk,	1_2_00C335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C34340 NtSetContextThread,	1_2_00C34340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C34650 NtSuspendThread,	1_2_00C34650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32AD0 NtReadFile,	1_2_00C32AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32AF0 NtWriteFile,	1_2_00C32AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32AB0 NtWaitForSingleObject,	1_2_00C32AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32BE0 NtQueryValueKey,	1_2_00C32BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32BF0 NtAllocateVirtualMemory,	1_2_00C32BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32B80 NtQueryInformationFile,	1_2_00C32B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32BA0 NtEnumerateValueKey,	1_2_00C32BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32CC0 NtQueryVirtualMemory,	1_2_00C32CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32CF0 NtOpenProcess,	1_2_00C32CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32CA0 NtQueryInformationToken,	1_2_00C32CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32C60 NtCreateKey,	1_2_00C32C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32C00 NtQueryInformationProcess,	1_2_00C32C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32DD0 NtDelayExecution,	1_2_00C32DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32DB0 NtEnumerateKey,	1_2_00C32DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32D00 NtSetInformationFile,	1_2_00C32D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32D10 NtMapViewOfSection,	1_2_00C32D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32D30 NtUnmapViewOfSection,	1_2_00C32D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32EE0 NtQueueApcThread,	1_2_00C32EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32E80 NtReadVirtualMemory,	1_2_00C32E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32EA0 NtAdjustPrivilegesToken,	1_2_00C32EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32E30 NtWriteVirtualMemory,	1_2_00C32E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32FE0 NtCreateFile,	1_2_00C32FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32F90 NtProtectVirtualMemory,	1_2_00C32F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32FA0 NtQuerySection,	1_2_00C32FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32FB0 NtResumeThread,	1_2_00C32FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32F60 NtCreateProcessEx,	1_2_00C32F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C32F30 NtCreateSection,	1_2_00C32F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C33090 NtSetValueKey,	1_2_00C33090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C33010 NtOpenDirectoryObject,	1_2_00C33010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C339B0 NtGetContextThread,	1_2_00C339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C33D70 NtOpenThread,	1_2_00C33D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00C33D10 NtOpenProcessToken,	1_2_00C33D10
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Code function: 3_2_05B8A890 NtResumeThread,	3_2_05B8A890
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Code function: 3_2_05B87878 NtProtectVirtualMemory,	3_2_05B87878
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Code function: 3_2_05B8A88A NtResumeThread,	3_2_05B8A88A
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Code function: 3_2_05B87872 NtProtectVirtualMemory,	3_2_05B87872

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00F3EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00C6EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00C47E54 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00F17E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00C7F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00C35130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: String function: 00BEB970 appears 280 times

Source: SHIPPING DOC.exe, 00000000.00000002.1338006862.0000000004D20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBtiaqflsiq.dll" vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000000.00000002.1331586975.0000000003749000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000000.00000002.1313826317.00000000024B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000000.00000002.1313146530.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000000.00000002.1342276541.0000000005340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000000.00000002.1339575048.0000000005000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe, 00000000.00000002.1331586975.00000000034B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs SHIPPING DOC.exe
Source: SHIPPING DOC.exe	Binary or memory string: OriginalFilenamepressido cryptttttttt.exeL vs SHIPPING DOC.exe

Source: SHIPPING DOC.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IsFixedSize.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: unknown	Process created: C:\Users\user\Desktop\SHIPPING DOC.exe "C:\Users\user\Desktop\SHIPPING DOC.exe"
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IsFixedSize.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\IsFixedSize.exe "C:\Users\user\AppData\Roaming\IsFixedSize.exe"
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Process created: C:\Windows\SysWOW64\timeout.exe "C:\Windows\SysWOW64\timeout.exe"
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\IsFixedSize.exe "C:\Users\user\AppData\Roaming\IsFixedSize.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Process created: C:\Windows\SysWOW64\timeout.exe "C:\Windows\SysWOW64\timeout.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: SHIPPING DOC.exe, GroupedVisitor.cs	.Net Code: TraverseVirtualVisitor System.Reflection.Assembly.Load(byte[])
Source: IsFixedSize.exe.0.dr, GroupedVisitor.cs	.Net Code: TraverseVirtualVisitor System.Reflection.Assembly.Load(byte[])
Source: 0.2.SHIPPING DOC.exe.5000000.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.SHIPPING DOC.exe.5000000.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.SHIPPING DOC.exe.5000000.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.SHIPPING DOC.exe.5000000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.SHIPPING DOC.exe.5000000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SHIPPING DOC.exe.383f7d0.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.SHIPPING DOC.exe.388f7f0.4.raw.unpack, GroupedVisitor.cs	.Net Code: TraverseVirtualVisitor System.Reflection.Assembly.Load(byte[])
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.SHIPPING DOC.exe.34b5570.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 0.2.SHIPPING DOC.exe.363b818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SHIPPING DOC.exe.5220000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SHIPPING DOC.exe.5220000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1313826317.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1313826317.00000000024B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1331586975.0000000003553000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1341143677.0000000005220000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1505175223.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SHIPPING DOC.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IsFixedSize.exe PID: 6344, type: MEMORYSTR

Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 0_2_04BE9E25 push esp; ret	0_2_04BE9E26
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 0_2_04BE7151 push es; ret	0_2_04BE7157
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 0_2_04C19532 push edx; iretd	0_2_04C19533
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 0_2_04C119D0 pushad ; iretd	0_2_04C119D1
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 0_2_04C112C8 pushad ; retf	0_2_04C112C9
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Code function: 0_2_04C11308 pushfd ; retf	0_2_04C11309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_0056A951 push 2C25873Ah; retf	1_2_0056A958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_005769F6 push ebp; retf	1_2_005769F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00563190 push eax; ret	1_2_00563192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00574BF3 push esi; ret	1_2_00574C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00561BAF push 62E1543Dh; iretd	1_2_00561BBB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00585493 push eax; ret	1_2_005854AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00577503 push ecx; iretd	1_2_00577526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00577501 push ecx; iretd	1_2_00577526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_005776CE push eax; iretd	1_2_005776CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00578685 push ss; ret	1_2_00578698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 1_2_00BF09AD push ecx; mov dword ptr [esp], ecx	1_2_00BF09B6
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Code function: 3_2_05B8BDB1 push 7005B73Dh; iretd	3_2_05B8BDBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00F0C9D7 push edi; ret	5_2_00F0C9D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00EC09AD push ecx; mov dword ptr [esp], ecx	5_2_00EC09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00F29C98 push dword ptr [ebx]; ret	5_2_00F29CAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00F17E99 push ecx; ret	5_2_00F17EAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_00E91FEC push eax; iretd	5_2_00E91FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_0082E8E6 push es; iretd	5_2_0082E8EC

Source: SHIPPING DOC.exe	Static PE information: section name: .text entropy: 7.978460989446434
Source: IsFixedSize.exe.0.dr	Static PE information: section name: .text entropy: 7.978460989446434

Source: 0.2.SHIPPING DOC.exe.4d20000.5.raw.unpack, bkfiNVf3GDeVGMDgTKW.cs	High entropy of concatenated method names: 'zgwfhFKwym', 'NCCfygQCSE', 'GtMfJy1vkH', 'RQ2fpmwSTG', 'qWBfvtNvsV', 'WtbfleWHWm', 'JZTfKsm09P', 'dGyfd5sIky', 'm1jfGLLRuq', 'kgAfBYgl4N'
Source: 0.2.SHIPPING DOC.exe.4d20000.5.raw.unpack, DotAIHRJTfqn2BU97do.cs	High entropy of concatenated method names: 'KsFRpEoUb1', 'EFKR1o6Byk', 'bOFRvL24Nn', 'QY3RWJvG7U', 'iwIRlqTGPK', 'MdnRxcqaMh', 'O97gAIuvkFnHqDpXf0g', 'DsYVWyuW7ZkMEME7mDw'

Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7AD324
Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7AD7E4
Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7AD944
Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7AD504
Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7AD544
Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7AD1E4
Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7B0154
Source: C:\Windows\SysWOW64\timeout.exe	API/Special instruction interceptor: Address: 7FF84F7ADA44

Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Memory allocated: A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Memory allocated: 24B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Memory allocated: 44B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Memory allocated: A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 1024			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Window / User API: threadDelayed 8949			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	API coverage: 0.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	API coverage: 0.3 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 3140	Thread sleep count: 1024 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3140	Thread sleep time: -2048000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3140	Thread sleep count: 8949 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 3140	Thread sleep time: -17898000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe TID: 1752	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe TID: 1752	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe TID: 1752	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe TID: 1752	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe TID: 1752	Thread sleep time: -44000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\timeout.exe	Last function: Thread delayed

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SHIPPING DOC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SHIPPING DOC.exe

Source: -30G7vG.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: -30G7vG.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: -30G7vG.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: -30G7vG.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: IsFixedSize.exe, 00000003.00000002.1505175223.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: -30G7vG.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: -30G7vG.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: -30G7vG.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: -30G7vG.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: -30G7vG.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: -30G7vG.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: -30G7vG.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: -30G7vG.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: timeout.exe, 00000007.00000002.3781616571.0000000003295000.00000004.00000020.00020000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3782361470.0000000000BE9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.1951169457.000001AA30D5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -30G7vG.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: -30G7vG.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: -30G7vG.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: -30G7vG.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: -30G7vG.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: -30G7vG.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: -30G7vG.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: -30G7vG.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: IsFixedSize.exe, 00000003.00000002.1505175223.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: -30G7vG.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: -30G7vG.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: -30G7vG.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: -30G7vG.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtQuerySystemInformation: Direct from: 0x772748CC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtQueryVolumeInformationFile: Direct from: 0x77272F2C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtOpenSection: Direct from: 0x77272E0C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtClose: Direct from: 0x77272B6C
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtReadVirtualMemory: Direct from: 0x77272E8C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtCreateKey: Direct from: 0x77272C6C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtSetInformationThread: Direct from: 0x77272B4C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtQueryAttributesFile: Direct from: 0x77272E6C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtAllocateVirtualMemory: Direct from: 0x772748EC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtQueryInformationToken: Direct from: 0x77272CAC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtTerminateThread: Direct from: 0x77272FCC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtOpenKeyEx: Direct from: 0x77272B9C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtDeviceIoControlFile: Direct from: 0x77272AEC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtAllocateVirtualMemory: Direct from: 0x77272BEC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtProtectVirtualMemory: Direct from: 0x77267B2E	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtCreateFile: Direct from: 0x77272FEC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtOpenFile: Direct from: 0x77272DCC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtWriteVirtualMemory: Direct from: 0x77272E3C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtMapViewOfSection: Direct from: 0x77272D1C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtResumeThread: Direct from: 0x772736AC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtProtectVirtualMemory: Direct from: 0x77272F9C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtSetInformationProcess: Direct from: 0x77272C5C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtNotifyChangeKey: Direct from: 0x77273C2C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtCreateMutant: Direct from: 0x772735CC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtSetInformationThread: Direct from: 0x772663F9	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtQueryInformationProcess: Direct from: 0x77272C26	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtResumeThread: Direct from: 0x77272FBC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtCreateUserProcess: Direct from: 0x7727371C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtWriteVirtualMemory: Direct from: 0x7727490C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtAllocateVirtualMemory: Direct from: 0x77273C9C	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtAllocateVirtualMemory: Direct from: 0x77272BFC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtReadFile: Direct from: 0x77272ADC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtQuerySystemInformation: Direct from: 0x77272DFC	Jump to behavior
Source: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe	NtDelayExecution: Direct from: 0x77272DDC	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: NULL target: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: NULL target: C:\Windows\SysWOW64\timeout.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: NULL target: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: NULL target: C:\Program Files (x86)\enkiNGNhhfdTWUbALJeNXnmdRTAcRvTaVGhgERHnAkOiuHE\M4FGq0ceDE8wA.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 801000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 78D008	Jump to behavior

Source: M4FGq0ceDE8wA.exe, 00000006.00000002.3782569701.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000006.00000000.1567092791.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3782732800.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: M4FGq0ceDE8wA.exe, 00000006.00000002.3782569701.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000006.00000000.1567092791.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3782732800.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: M4FGq0ceDE8wA.exe, 00000006.00000002.3782569701.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000006.00000000.1567092791.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3782732800.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: M4FGq0ceDE8wA.exe, 00000006.00000002.3782569701.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000006.00000000.1567092791.0000000001220000.00000002.00000001.00040000.00000000.sdmp, M4FGq0ceDE8wA.exe, 00000008.00000002.3782732800.0000000001150000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Queries volume information: C:\Users\user\Desktop\SHIPPING DOC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SHIPPING DOC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Queries volume information: C:\Users\user\AppData\Roaming\IsFixedSize.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IsFixedSize.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	1 Scheduled Task/Job	111 Scripting	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	113 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	512 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	4 Obfuscated Files or Information	NTDS	3 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Registry Run Keys / Startup Folder	12 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	3 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	512 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement