Windows Analysis Report
NF_Payment_Ref_FAN930276.exe

Overview

General Information

Sample name:	NF_Payment_Ref_FAN930276.exe
Analysis ID:	1546519
MD5:	7c86cd8c446e881a00e02c3c9cb629a7
SHA1:	6f52b3667ce3c56576b80a9748ff283dd7bffecc
SHA256:	0bc8eae9fe2dc6af83e1b798f9a6b5ef27117c5b8462664a944fca34a4e1e464
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Creation with Colorcpl

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: NF_Payment_Ref_FAN930276.exe	ReversingLabs: Detection: 60%
Source: NF_Payment_Ref_FAN930276.exe	Virustotal: Detection: 50%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4487793740.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2290607286.0000000004E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486891698.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2266187962.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: NF_Payment_Ref_FAN930276.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264575035.0000000001628000.00000004.00000020.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487148956.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264575035.0000000001628000.00000004.00000020.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487148956.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fRbU.pdb source: NF_Payment_Ref_FAN930276.exe
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xIrbjTuvDXL.exe, 00000005.00000000.2188295112.000000000078E000.00000002.00000001.01000000.0000000C.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4486573572.000000000078E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2265868500.0000000004ED2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2268395563.0000000005087000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: NF_Payment_Ref_FAN930276.exe, NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264826942.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000003.2265868500.0000000004ED2000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2268395563.0000000005087000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.0000000005230000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4488021632.00000000053CE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: fRbU.pdbSHA256b9c source: NF_Payment_Ref_FAN930276.exe

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_0305C3B0 FindFirstFileW,FindNextFileW,FindClose,

7_2_0305C3B0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then xor eax, eax		7_2_03049DC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_055804E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49791 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49881 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49896 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49927 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49959 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49975 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49989 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49993 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 8.210.3.99:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50026 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50001 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50028 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50032 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50030 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50021 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49997 -> 162.0.231.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50010 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50009 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50037 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50034 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50031 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50017 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49912 -> 141.193.213.10:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50005 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50025 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50022 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50013 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50033 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50018 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 38.88.82.56:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 199.59.243.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50029 -> 178.79.184.196:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 103.71.154.12:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50036 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50035 -> 103.191.208.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50014 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 162.0.215.244:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 3.33.130.190:80

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 141.193.213.10 141.193.213.10

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DV-PRIMARY-ASN1US DV-PRIMARY-ASN1US
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49901

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /up8i/?nl=FonQAt5G6G0h5a/+Am3eqIyjBFdIhrbRfG5nxPFgUs1csnhs+lBXewxt89Cj5Voixu7jLVxWB2hHsNPmnpQd8jl3rIdXyfOz7R8oVB6YJtxbdf5wDUy9RxP636EXq/xHTA==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ladylawher.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /9g6s/?nl=l/X+t9hb8CWGjOR1O2ZzXFDzhtuUnyzAQ4EIxPlc4MjqsNc2fQ5FEV3oB4t5s/ThvfRNUBaEClSQ3k3rscZvHeg0TpQiQ+GxS8ts4a8QVaH5DaPjZQFNvIogjfSTI3KXDA==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.meanttobebroken.orgUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /li8d/?nl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.jexiz.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3lre/?nl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.prediksipreman.fyiUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /855d/?nl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.givora.siteUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /jx6k/?nl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.2925588.comUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /6o8s/?dbL=d8WX_v0PGVHXAtK&nl=xHDOnX+lWlIEr4hpJa7vJ+Ai0eztjiZ58G8B7DId8TM/qnePyNRX8+3i62aVr9vdoGnKMYHj9baJVFQ0pmQfJSNjzKPDt8hcfoZjjjTuXP86Dx4dRnWR0YG+vtOimu0PrA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.wrl-llc.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /l5ty/?nl=q+OYZAje5TGGPxrh2f4udvzeWAEqGa5tlfgg+KmPc/5JdZ3+06LBf09NB5PeZCRMfA3Rwmt3pN3KnHXg/BNAYr426YnMJAy4Y/PCGFK03Rpxpi13xz0yDihesG1rii3hcQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.7fh27o.vipUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /7n9v/?dbL=d8WX_v0PGVHXAtK&nl=5Ps3YXPo0Vj4JhRGre7eusiYM6VqaJdXpTrzI5rt8FAfia/wVGxKw+cKGzuZcepElfg31D2wj7kRRQ+omDm5eEZM56pgjuD4M6hDNIlUQpNxKD0Ll6OMyYftw5tyQwWC0A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.rebel.tiendaUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /izfe/?nl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.ila.beautyUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /lk0h/?dbL=d8WX_v0PGVHXAtK&nl=6gjDnw5yzGoGzEh3mjJB1T6RyTIMcIq1/sFM8kPHd8kBOmP5HGhCeqzML2uvlXpT0wvdsm4ji4CabuXPMFeElEmTDOsUVTaZy7krB/rdHBCDX+Ht0YGWoHEVrkeyh8Ng2A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.college-help.infoUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /17h7/?nl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.owinvip.netUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /x3by/?nl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.gucciqueen.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /3p0l/?dbL=d8WX_v0PGVHXAtK&nl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.timizoasisey.shopUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2
Source: global traffic	HTTP traffic detected: GET /f01d/?nl=BGh1WRbt41ta6S2FBwbFkSvU00HbY3eh/tMOUMfhmAze8NROyFh0EV68tSphjf8OeMOb/ck28qXApfwtDELR0J5SPWkS+xOxljfz11yABU5EX0aP/5qC9r+4s36BWCggxQ==&dbL=d8WX_v0PGVHXAtK HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.roopiedutech.onlineUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2

Source: global traffic	DNS traffic detected: DNS query: www.ladylawher.org
Source: global traffic	DNS traffic detected: DNS query: www.meanttobebroken.org
Source: global traffic	DNS traffic detected: DNS query: www.jexiz.shop
Source: global traffic	DNS traffic detected: DNS query: www.prediksipreman.fyi
Source: global traffic	DNS traffic detected: DNS query: www.givora.site
Source: global traffic	DNS traffic detected: DNS query: www.2925588.com
Source: global traffic	DNS traffic detected: DNS query: www.wrl-llc.net
Source: global traffic	DNS traffic detected: DNS query: www.7fh27o.vip
Source: global traffic	DNS traffic detected: DNS query: www.rebel.tienda
Source: global traffic	DNS traffic detected: DNS query: www.ila.beauty
Source: global traffic	DNS traffic detected: DNS query: www.college-help.info
Source: global traffic	DNS traffic detected: DNS query: www.owinvip.net
Source: global traffic	DNS traffic detected: DNS query: www.gucciqueen.shop
Source: global traffic	DNS traffic detected: DNS query: www.xtelify.tech
Source: global traffic	DNS traffic detected: DNS query: www.timizoasisey.shop
Source: global traffic	DNS traffic detected: DNS query: www.roopiedutech.online

Source: unknown

HTTP traffic detected: POST /9g6s/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 203Cache-Control: no-cacheConnection: closeHost: www.meanttobebroken.orgOrigin: http://www.meanttobebroken.orgReferer: http://www.meanttobebroken.org/9g6s/User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 IceDragon/26.0.0.2Data Raw: 6e 6c 3d 6f 39 2f 65 75 4a 74 44 6f 41 32 50 33 38 78 61 56 58 70 54 4d 32 43 77 6b 59 4c 68 72 58 76 6f 55 4f 45 7a 71 65 42 4c 34 4e 36 4f 68 36 67 4c 65 6b 77 71 61 46 4b 41 66 59 67 70 36 38 47 72 75 39 64 73 63 7a 79 58 4f 55 36 35 70 6c 6a 55 69 76 67 4b 4d 6f 34 73 51 6f 39 2f 4d 39 32 36 5a 73 42 71 32 4a 78 67 65 50 43 6e 49 4b 43 71 63 44 4e 35 6b 70 4e 6d 6a 4b 37 30 63 48 4c 46 63 32 61 65 72 2f 48 43 31 4d 4a 75 61 42 52 51 37 34 58 70 39 55 45 4f 68 37 4e 59 37 4e 36 57 62 58 6d 74 73 76 65 4e 39 54 46 6a 53 46 7a 41 57 2f 6b 44 4f 34 37 4a 4e 47 6b 5a 4e 34 51 2b 75 72 67 76 4d 36 45 3d Data Ascii: nl=o9/euJtDoA2P38xaVXpTM2CwkYLhrXvoUOEzqeBL4N6Oh6gLekwqaFKAfYgp68Gru9dsczyXOU65pljUivgKMo4sQo9/M926ZsBq2JxgePCnIKCqcDN5kpNmjK70cHLFc2aer/HC1MJuaBRQ74Xp9UEOh7NY7N6WbXmtsveN9TFjSFzAW/kDO47JNGkZN4Q+urgvM6E=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:45:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db88d1c1d203168-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:45:55 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db88d2c1b422d3e-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:45:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-Encodingx-powered-by: WP EngineExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://meanttobebroken.org/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8db88d3c1b2e2cd5-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 31 36 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d4 3c db 72 db 38 96 cf f6 57 c0 4c 8d 2d 4e 78 d7 c5 b6 24 3a dd 49 a7 a7 b2 db e9 f4 76 9c 9a da 8a 53 2e 88 84 28 d8 24 c1 06 20 cb 1a b5 5e f6 2f f6 69 7f 71 3f 61 eb 00 94 44 c9 94 ac d8 9e dd da 54 b7 6d 02 e7 8e 73 0e 6e 3c ec 1f c5 2c 92 d3 82 a0 91 cc d2 8b c3 3e fc 42 29 ce 93 d0 20 b9 fd e5 b3 01 6d 04 c7 17 87 07 fd 8c 48 8c a2 11 e6 82 c8 d0 f8 72 f9 b3 7d 66 2c db 73 9c 91 d0 b8 a3 64 52 30 2e 0d 14 b1 5c 92 5c 86 c6 84 c6 72 14 c6 e4 8e 46 c4 56 0f 16 a2 39 95 14 a7 b6 88 70 4a 42 5f 51 49 69 7e 8b 38 49 43 a3 e0 6c 48 53 62 a0 11 27 c3 d0 18 49 59 88 ae eb 26 59 91 38 8c 27 ee fd 30 77 fd 4d 24 21 a7 29 11 23 42 e4 26 de 58 10 07 54 bc a5 d2 c9 89 74 59 cc 4e 87 f4 c6 89 84 30 2e 0e d7 88 e0 a2 48 89 2d d9 38 1a d9 34 62 b9 81 04 fd 07 11 a1 e1 9f 79 f7 fe 99 57 25 dd 75 dd 8c e0 5c 4a 36 20 03 ce 6e 49 ae 84 9b 14 76 a9 ba 2b 47 24 23 c2 c5 64 90 49 39 70 87 f8 0e 68 ba 9b 4c 9c 22 4f 36 94 d1 bc 41 e8 d0 a0 19 4e 88 0b 30 0b 61 9a c1 7d 33 78 11 51 ca df b6 a2 f8 dd 72 f8 9d 7b bf f3 a2 72 28 8a 35 72 64 38 a7 43 22 e4 8b 30 13 54 12 67 42 06 4b a2 9b bc c4 6d 39 f8 2f c1 0c 0f 31 a7 76 41 f3 9c c4 b6 c4 03 47 dc 25 10 1d 29 e3 a1 f1 aa 3d 18 e0 b8 bd 19 45 99 00 1f a1 11 96 94 e5 f6 25 4d c9 3b 80 af 04 d5 ab e1 30 6a 79 f1 26 a2 12 c2 8e 1e 02 c3 3f e5 ec 07 fd 23 db 46 7f 63 2c 49 09 ba c4 09 fa 88 73 9c 10 8e 6c fb e2 10 21 84 fa 22 e2 b4 90 17 8d e1 38 8f 80 7f 63 62 c5 96 b0 52 8b 9a b3 c9 d7 f4 5b 08 3f fe fc f3 eb b7 1e fc e1 14 63 31 6a cc 4e 12 99 39 42 62 2e 4f ba 8a 4c 4e 26 e8 27 2c 49 c3 74 12 22 2f 69 46 1a a6 45 ee 48 2e bb 0a f6 46 9c cc cd de 1d e6 68 18 c6 00 f2 3e 25 19 c9 a5 78 3b bd c4 c9 af 38 23 0d 61 7e f5 be 59 8a da 4d 18 3b 11 27 58 92 12 ac 21 4c 2b 4e c3 f4 28 3c 89 b1 c4 bf e0 29 e1 27 6f 4e 8e d3 f0 e4 75 da 3d 39 e9 dd 38 58 4c f3 28 94 7c 4c 7a 37 8e e0 51 a8 28 9d 2c b2 c2 64 32 71 12 65 06 89 93 4c 1b c1 89 58 e6 6a e9 de d0 38 3c 79 4d 5f c7 69 6f e8 14 98 93 5c fe ca 62 e2 d0 5c 10 2e df 92 21 e3 a4 71 63 0d cd 9e 22 3b 37 1b 13 9a c7 6c 62 c5 2c 1a 83 84 d6 89 36 e4 89 55 91 d0 3a f9 db e5 47 fb e3 bf fe db e9 d9 df 4f Data Ascii: 16ef<r8WL-Nx$:IvS.($ ^/iq?aDTmsn<,>B) mHr}f,sdR0.\\rFV9pJB_QIi~8IClHSb'IY&Y8'0wM$!)#B&XTtYN0.H-84byW%u\J6 nIv+G
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 01 Nov 2024 02:46:20 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 01 Nov 2024 02:46:22 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Fri, 01 Nov 2024 02:46:25 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 42 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 05 44 6f f7 ec ea 86 24 40 42 12 08 10 0e c7 09 dd 25 74 45 77 d8 f0 03 f9 35 fc 64 2e d1 dd d3 34 d3 7d 66 d6 e1 1f ae f9 d1 a8 2e 59 59 99 5f 66 d6 64 d6 6f bf fd f6 f8 4f ec 92 59 1b 0a 37 08 aa 24 fe f6 db e3 f3 9f 01 68 8f 81 6b 3a df 7e bb fc 4c dc ca 04 33 aa fc de 3d d6 61 f3 74 c7 64 69 e5 a6 d5 7d 75 ca dd bb 81 fd fc f5 74 57 b9 5d 05 f7 24 fe 32 b0 03 b3 28 dd ea a9 ae bc 7b f2 ee 53 3a a6 1d b8 f7 fd fa 22 8b af 08 a5 d9 bd dd 0f 7d ba 50 29 4c 3f 31 ff 91 15 5c 97 87 85 5b 5e 2d 41 de 51 4f cd c4 7d ba 6b 42 b7 cd b3 a2 ba 9a d6 86 4e 15 3c 39 6e 13 da ee fd e5 e3 cb 20 4c c3 2a 34 e3 fb d2 36 63 f7 09 fd fa 9d 54 15 56 b1 fb 8d 40 88 81 9c 55 83 69 56 a7 ce 23 fc dc f9 2c ca b2 3a c5 ee a0 97 db 8b b8 ec b2 7c e1 a3 17 b5 95 39 a7 c1 df 2f 53 fb cf be 79 40 3a f7 9e 99 84 f1 e9 61 40 15 60 db 2f 03 c1 8d 1b b7 0a 6d f3 cb a0 34 d3 f2 be 74 8b d0 fb cb 8f cb ca f0 ec 3e 0c 50 22 ef de 0f c6 61 ea de 07 6e e8 07 15 18 fe 4a 60 e4 70 8c 12 d8 e4 fd 2c cb b4 23 bf e8 cf 00 54 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e2 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 47 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 db 7d ed f1 67 02 89 dc ee f4 cc e4 7d ec 7a 40 4a 66 5d 65 ef 37 7b 19 2e 9e a5 f8 e3 f8 db d9 07 28 72 ad 81 b7 93 7e 05 88 cc b3 b4 74 ef c3 d4 cb 6e 0e fa 2a 57 e6 d2 de f6 be 5a 5e 56 66 55 97 40 3b 8e 7b b3 f8 82 9a 67 f5 0f 11 e4 5f fe 68 75 e1 9a 65 96 7e be 1e 1b 5e af ef 21 f9 99 0a ae 38 bb c8 d4 ae 2e e7 fa f2 5d b3 e0 bc fd 5e f7 bd a3 b8 d9 f0 f5 b4 c8 a5 7d c8 6f 8f a5 1e 18 c0 f0 3e 10 d7 15 5a 0b 37 77 4d a0 33 e0 46 9e 7f be 91 eb d9 bf 9a f9 ba 2b 36 c1 29 82 7a 3f ed 75 6c 7a 69 6f 63 57 a7 bc e5 c8 fc e4 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f a6 14 a6 6f a6 3c c1 3f 01 da b5 3e 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f 87 ed e5 75 85 25 74 74 3d 78 25 89 77 f4 6f c5 d0 ab fb de 71 ed ac 30 7b fd 3d 0c 80 4b 71 8b de 09 bd df e8 55 e2 c0 1f d1 cc 95 36 3e dd e7 21 c8 1a b7 b8 c2 d7 7b 36 1e bc cc ae cb cf 87 4d e0 67 9a 5b cb 79 65 02 a3 46 c4 64 f4 c6 e0 15 13 9f a3 f8 d5 af 7d a4 a8 5f 10 63 1d df e8 e6 bb a5 85 e9 c5 67 7f e0 f3 e2 b0 ac ee 2f 61 a5 07 7c ea 0e b2 ba 2a 43 e0 10 fa 8f 37 f6 7b 45 be 72 77 e3 8c bf c3 eb aa ff ed b4 80 a7 38 bc 61 cb 8b b3 de be 7a cf f8 7e 87 8b a6 cd 38 f4 81 92 6d 70 43 70 8b b7 f1 37 92 5f 6f ec e6 05 f4 1f ed 74 09 b8 20 46 7d e6 c3 7a 47 70 1f 26 a6 7f ab c6 ef 87 fa d4 f7 5e 96 f6 b7 1c 10 a0 6e cf d7 c7 dc f6 25 3e 5a 59 ec bc 9d a2 97 e3 f5 29 7f 94 41 9b 15 ce bd 05 30 12 81 18 d5 ff b9 37 e3 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Fri, 01 Nov 2024 02:46:27 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 36 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:46:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:47 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:50 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:52 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 01 Nov 2024 02:46:55 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:47:55 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:47:57 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:00 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:03 GMTServer: ApacheLast-Modified: Wed, 30 Oct 2024 18:34:18 GMTETag: "49d-625b5f32466a6"Accept-Ranges: bytesContent-Length: 1181Content-Type: text/htmlConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 77 68 69 74 65 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 7b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 32 35 30 70 78 3b 0d 0a 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 35 70 78 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 62 6c 61 63 6b 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 20 62 6f 74 74 6f 6d 2c 20 20 72 67 62 61 28 31 33 35 2c 31 33 35 2c 31 33 35 2c 31 29 20 30 25 2c 72 67 62 61 28 30 2c 30 2c 30 2c 31 29 20 31 30 30 25 29 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 30 70 78 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 3a 61 66 74 65 72 20 7b 0d 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 22 22 3b 0d 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 31 38 70 78 3b 0d 0a 20 20 20 20 6c 65 66 74 3a 20 31 30 32 70 78 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 20 73 6f 6c 69 64 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 20 31 38 70 78 20 32 31 70 78 20 30 3b 0d 0a 20 20 20 20 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 20 62 6c 61 63 6b 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 30 3b 0d 0a 20 20 20 20 7a 2d 69 6e 64 65 78 3a 20 31 3b 0d 0a 7d 0d 0a 2e 73 70 65 61 63 68 62 75 62 62 6c 65 20 73 70 61 6e 20 7b 0d 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 3a 37 32 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 34 70 78 20 34 70 78 20 32 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 33 29 3b 0d 0a 7d 0d 0a 2e 6d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 3a 32 34 70 78 20 61 72 69 61 6c 3b 0d 0a 20 20 20 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:22 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:27 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:29 GMTServer: Apache/2.4.62 (Debian)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 36 32 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 75 63 63 69 71 75 65 65 6e 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.62 (Debian) Server at www.gucciqueen.shop Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:44 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nQP044c%2FYz2go57gcWAkmUIcMsticY8ar5xze29XJ4Q9Yq11UqIQ8QXfkUYdeI0Nz9S2iBvxBQaMtgr4134pKtiO7sDzKn0UJKyZbd7oNb6WEhhrIBofk46u6JhqIcWINjRKuVDeeCg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db8914a1fe9477c-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1087&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=729&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 65 62 0d 0a 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: febTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8HAzgZ%2FNkfoeXbUcL5Hj3M51E%2BbY%2BFZ7a5ahNuU3KAN%2BxMs0Y3cezIw51amdmQIhjMO8xRcjXO4QNV%2BB0uB%2FhQxqpOiLsh9bgcbxLhZPHWQasH74UeO%2B4O7gc%2FMGz9k7rUmjc%2FpAxnc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db89159f9bf2e17-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2150&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=749&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:49 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ukfpwmFHHCV2Giuk3DJsF1h6rgSqUPWY051ZiplgxZayO3f6%2BiBLMkn6t2MKyFXq837Eiu%2Fmt6mnYHcXkrHn%2BHFMCIUo53xX6xxTmSYFhGPMS0BkZ8dDo24p5AZZhrRgwskgASKe4ys%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db8916a1eb946c6-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1221&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1766&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 01 Nov 2024 02:48:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A3fX%2BGH3n4MSr74VKwm2XQPIucNfP6TVqclRNKNeoOOQNhYiwjOxH9vHPdAuHI4sbw7CubedeoHdflp%2BqJrSqOkUt0TvtesoTlPqddN%2BZPohESC6lB2jl84AdiFdgjcHsMmiyuJiOKk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8db8917a18e46b2e-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1150&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=471&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0

Source: colorcpl.exe, 00000007.00000002.4488704963.00000000061AA000.00000004.10000000.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003B2A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: colorcpl.exe, 00000007.00000002.4488704963.0000000005E86000.00000004.10000000.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003806000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://meanttobebroken.org/9g6s/?nl=l/X
Source: xIrbjTuvDXL.exe, 00000008.00000002.4490185532.0000000005739000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.roopiedutech.online
Source: xIrbjTuvDXL.exe, 00000008.00000002.4490185532.0000000005739000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.roopiedutech.online/f01d/
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: colorcpl.exe, 00000007.00000003.2445410123.00000000085D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: colorcpl.exe, 00000007.00000002.4490954229.0000000008698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: colorcpl.exe, 00000007.00000002.4488704963.0000000006984000.00000004.10000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4490814883.0000000008310000.00000004.00000800.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000004304000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: xIrbjTuvDXL.exe, 00000008.00000002.4488131798.0000000003998000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.jexiz.shop/li8d/?nl=sm

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.NF_Payment_Ref_FAN930276.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2264308195.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4487793740.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2290607286.0000000004E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4487721916.0000000002AA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486586817.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4486891698.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2266187962.0000000001E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NF_Payment_Ref_FAN930276.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0042C433 NtClose,	4_2_0042C433
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040A9E3 NtDelayExecution,	4_2_0040A9E3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02B60 NtClose,LdrInitializeThunk,	4_2_01B02B60
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01B02DF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01B02C70
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B035C0 NtCreateMutant,LdrInitializeThunk,	4_2_01B035C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B04340 NtSetContextThread,	4_2_01B04340
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B04650 NtSuspendThread,	4_2_01B04650
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02BA0 NtEnumerateValueKey,	4_2_01B02BA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02B80 NtQueryInformationFile,	4_2_01B02B80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02BF0 NtAllocateVirtualMemory,	4_2_01B02BF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02BE0 NtQueryValueKey,	4_2_01B02BE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02AB0 NtWaitForSingleObject,	4_2_01B02AB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02AF0 NtWriteFile,	4_2_01B02AF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02AD0 NtReadFile,	4_2_01B02AD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02DB0 NtEnumerateKey,	4_2_01B02DB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02DD0 NtDelayExecution,	4_2_01B02DD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02D30 NtUnmapViewOfSection,	4_2_01B02D30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02D10 NtMapViewOfSection,	4_2_01B02D10
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02D00 NtSetInformationFile,	4_2_01B02D00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02CA0 NtQueryInformationToken,	4_2_01B02CA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02CF0 NtOpenProcess,	4_2_01B02CF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02CC0 NtQueryVirtualMemory,	4_2_01B02CC0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02C00 NtQueryInformationProcess,	4_2_01B02C00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02C60 NtCreateKey,	4_2_01B02C60
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02FB0 NtResumeThread,	4_2_01B02FB0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02FA0 NtQuerySection,	4_2_01B02FA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02F90 NtProtectVirtualMemory,	4_2_01B02F90
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02FE0 NtCreateFile,	4_2_01B02FE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02F30 NtCreateSection,	4_2_01B02F30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02F60 NtCreateProcessEx,	4_2_01B02F60
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02EA0 NtAdjustPrivilegesToken,	4_2_01B02EA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02E80 NtReadVirtualMemory,	4_2_01B02E80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02EE0 NtQueueApcThread,	4_2_01B02EE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B02E30 NtWriteVirtualMemory,	4_2_01B02E30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03090 NtSetValueKey,	4_2_01B03090
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03010 NtOpenDirectoryObject,	4_2_01B03010
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B039B0 NtGetContextThread,	4_2_01B039B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03D10 NtOpenProcessToken,	4_2_01B03D10
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B03D70 NtOpenThread,	4_2_01B03D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A4650 NtSuspendThread,LdrInitializeThunk,	7_2_052A4650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A4340 NtSetContextThread,LdrInitializeThunk,	7_2_052A4340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_052A2D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_052A2D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_052A2DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_052A2DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2C60 NtCreateKey,LdrInitializeThunk,	7_2_052A2C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_052A2C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_052A2CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F30 NtCreateSection,LdrInitializeThunk,	7_2_052A2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2FB0 NtResumeThread,LdrInitializeThunk,	7_2_052A2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2FE0 NtCreateFile,LdrInitializeThunk,	7_2_052A2FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_052A2E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_052A2EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2B60 NtClose,LdrInitializeThunk,	7_2_052A2B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_052A2BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_052A2BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_052A2BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2AF0 NtWriteFile,LdrInitializeThunk,	7_2_052A2AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2AD0 NtReadFile,LdrInitializeThunk,	7_2_052A2AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A35C0 NtCreateMutant,LdrInitializeThunk,	7_2_052A35C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A39B0 NtGetContextThread,LdrInitializeThunk,	7_2_052A39B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2D00 NtSetInformationFile,	7_2_052A2D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2DB0 NtEnumerateKey,	7_2_052A2DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2C00 NtQueryInformationProcess,	7_2_052A2C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2CF0 NtOpenProcess,	7_2_052A2CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2CC0 NtQueryVirtualMemory,	7_2_052A2CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F60 NtCreateProcessEx,	7_2_052A2F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2FA0 NtQuerySection,	7_2_052A2FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F90 NtProtectVirtualMemory,	7_2_052A2F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2E30 NtWriteVirtualMemory,	7_2_052A2E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2EA0 NtAdjustPrivilegesToken,	7_2_052A2EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2B80 NtQueryInformationFile,	7_2_052A2B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2AB0 NtWaitForSingleObject,	7_2_052A2AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3010 NtOpenDirectoryObject,	7_2_052A3010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3090 NtSetValueKey,	7_2_052A3090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3D10 NtOpenProcessToken,	7_2_052A3D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A3D70 NtOpenThread,	7_2_052A3D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03068EC0 NtCreateFile,	7_2_03068EC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03069320 NtAllocateVirtualMemory,	7_2_03069320
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03069120 NtDeleteFile,	7_2_03069120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_030691C0 NtClose,	7_2_030691C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03069030 NtReadFile,	7_2_03069030

Detected potential crypto function

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 0_2_04831C48	0_2_04831C48
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 0_2_04CED344	0_2_04CED344
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_004183D3	4_2_004183D3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00401110	4_2_00401110
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040E13B	4_2_0040E13B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0042EAD3	4_2_0042EAD3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00402370	4_2_00402370
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040FCC3	4_2_0040FCC3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00416613	4_2_00416613
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040FEE3	4_2_0040FEE3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040DF63	4_2_0040DF63
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00402710	4_2_00402710
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00402FD0	4_2_00402FD0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B901AA	4_2_01B901AA
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B841A2	4_2_01B841A2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B881CC	4_2_01B881CC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0100	4_2_01AC0100
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6A118	4_2_01B6A118
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B58158	4_2_01B58158
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B62000	4_2_01B62000
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADE3F0	4_2_01ADE3F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B903E6	4_2_01B903E6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8A352	4_2_01B8A352
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B502C0	4_2_01B502C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70274	4_2_01B70274
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B90591	4_2_01B90591
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0535	4_2_01AD0535
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7E4F6	4_2_01B7E4F6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B74420	4_2_01B74420
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B82446	4_2_01B82446
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACC7C0	4_2_01ACC7C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0770	4_2_01AD0770
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF4750	4_2_01AF4750
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEC6E0	4_2_01AEC6E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD29A0	4_2_01AD29A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B9A9A6	4_2_01B9A9A6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE6962	4_2_01AE6962
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AB68B8	4_2_01AB68B8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AFE8F0	4_2_01AFE8F0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD2840	4_2_01AD2840
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADA840	4_2_01ADA840
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B86BD7	4_2_01B86BD7
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8AB40	4_2_01B8AB40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACEA80	4_2_01ACEA80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE8DBF	4_2_01AE8DBF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ACADE0	4_2_01ACADE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6CD1F	4_2_01B6CD1F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADAD00	4_2_01ADAD00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B70CB5	4_2_01B70CB5
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC0CF2	4_2_01AC0CF2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0C00	4_2_01AD0C00
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B4EFA0	4_2_01B4EFA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADCFE0	4_2_01ADCFE0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC2FC8	4_2_01AC2FC8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B72F30	4_2_01B72F30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B12F28	4_2_01B12F28
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AF0F30	4_2_01AF0F30
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B44F40	4_2_01B44F40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8CE93	4_2_01B8CE93
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AE2E90	4_2_01AE2E90
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8EEDB	4_2_01B8EEDB
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8EE26	4_2_01B8EE26
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD0E59	4_2_01AD0E59
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ADB1B0	4_2_01ADB1B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B9B16B	4_2_01B9B16B
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABF172	4_2_01ABF172
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B0516C	4_2_01B0516C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B870E9	4_2_01B870E9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8F0E0	4_2_01B8F0E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD70C0	4_2_01AD70C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7F0CC	4_2_01B7F0CC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B1739A	4_2_01B1739A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8132D	4_2_01B8132D
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01ABD34C	4_2_01ABD34C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD52A0	4_2_01AD52A0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B712ED	4_2_01B712ED
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEB2C0	4_2_01AEB2C0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6D5B0	4_2_01B6D5B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B995C3	4_2_01B995C3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B87571	4_2_01B87571
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8F43F	4_2_01B8F43F
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC1460	4_2_01AC1460
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8F7B0	4_2_01B8F7B0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B816CC	4_2_01B816CC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B15630	4_2_01B15630
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B65910	4_2_01B65910
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD9950	4_2_01AD9950
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEB950	4_2_01AEB950
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD38E0	4_2_01AD38E0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B3D800	4_2_01B3D800
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEFB80	4_2_01AEFB80
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B45BF0	4_2_01B45BF0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B0DBF9	4_2_01B0DBF9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FB76	4_2_01B8FB76
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B15AA0	4_2_01B15AA0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B71AA3	4_2_01B71AA3
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B6DAAC	4_2_01B6DAAC
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B7DAC6	4_2_01B7DAC6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B43A6C	4_2_01B43A6C
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FA49	4_2_01B8FA49
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B87A46	4_2_01B87A46
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AEFDC0	4_2_01AEFDC0
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B87D73	4_2_01B87D73
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B81D5A	4_2_01B81D5A
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD3D40	4_2_01AD3D40
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FCF2	4_2_01B8FCF2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B49C32	4_2_01B49C32
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FFB1	4_2_01B8FFB1
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD1F92	4_2_01AD1F92
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A93FD2	4_2_01A93FD2
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A93FD5	4_2_01A93FD5
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01B8FF09	4_2_01B8FF09
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AD9EB0	4_2_01AD9EB0
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBCAB9	5_2_02CBCAB9
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBC8E1	5_2_02CBC8E1
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBE861	5_2_02CBE861
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBE641	5_2_02CBE641
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC4F91	5_2_02CC4F91
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CDD451	5_2_02CDD451
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270535	7_2_05270535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05330591	7_2_05330591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05314420	7_2_05314420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05322446	7_2_05322446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0531E4F6	7_2_0531E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270770	7_2_05270770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05294750	7_2_05294750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526C7C0	7_2_0526C7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528C6E0	7_2_0528C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05260100	7_2_05260100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530A118	7_2_0530A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052F8158	7_2_052F8158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053241A2	7_2_053241A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053301AA	7_2_053301AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053281CC	7_2_053281CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05302000	7_2_05302000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532A352	7_2_0532A352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053303E6	7_2_053303E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527E3F0	7_2_0527E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05310274	7_2_05310274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052F02C0	7_2_052F02C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527AD00	7_2_0527AD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530CD1F	7_2_0530CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05288DBF	7_2_05288DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526ADE0	7_2_0526ADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270C00	7_2_05270C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05310CB5	7_2_05310CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05260CF2	7_2_05260CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05312F30	7_2_05312F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B2F28	7_2_052B2F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05290F30	7_2_05290F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E4F40	7_2_052E4F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052EEFA0	7_2_052EEFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527CFE0	7_2_0527CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05262FC8	7_2_05262FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532EE26	7_2_0532EE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05270E59	7_2_05270E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532CE93	7_2_0532CE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05282E90	7_2_05282E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532EEDB	7_2_0532EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05286962	7_2_05286962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052729A0	7_2_052729A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0533A9A6	7_2_0533A9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05272840	7_2_05272840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527A840	7_2_0527A840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052568B8	7_2_052568B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529E8F0	7_2_0529E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532AB40	7_2_0532AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05326BD7	7_2_05326BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526EA80	7_2_0526EA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05327571	7_2_05327571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530D5B0	7_2_0530D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053395C3	7_2_053395C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532F43F	7_2_0532F43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05261460	7_2_05261460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532F7B0	7_2_0532F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B5630	7_2_052B5630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053216CC	7_2_053216CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A516C	7_2_052A516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0525F172	7_2_0525F172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0533B16B	7_2_0533B16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527B1B0	7_2_0527B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532F0E0	7_2_0532F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053270E9	7_2_053270E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052770C0	7_2_052770C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0531F0CC	7_2_0531F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532132D	7_2_0532132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0525D34C	7_2_0525D34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B739A	7_2_052B739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052752A0	7_2_052752A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_053112ED	7_2_053112ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528B2C0	7_2_0528B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05327D73	7_2_05327D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05273D40	7_2_05273D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05321D5A	7_2_05321D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528FDC0	7_2_0528FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E9C32	7_2_052E9C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FCF2	7_2_0532FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FF09	7_2_0532FF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FFB1	7_2_0532FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05271F92	7_2_05271F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233FD2	7_2_05233FD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233FD5	7_2_05233FD5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05279EB0	7_2_05279EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05305910	7_2_05305910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05279950	7_2_05279950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528B950	7_2_0528B950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052DD800	7_2_052DD800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052738E0	7_2_052738E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FB76	7_2_0532FB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0528FB80	7_2_0528FB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052ADBF9	7_2_052ADBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E5BF0	7_2_052E5BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052E3A6C	7_2_052E3A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05327A46	7_2_05327A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0532FA49	7_2_0532FA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B5AA0	7_2_052B5AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05311AA3	7_2_05311AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0530DAAC	7_2_0530DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0531DAC6	7_2_0531DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03051B10	7_2_03051B10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304CA50	7_2_0304CA50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304AEC8	7_2_0304AEC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304CC70	7_2_0304CC70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0304ACF0	7_2_0304ACF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_030533A0	7_2_030533A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03055160	7_2_03055160
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0306B860	7_2_0306B860
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558E75C	7_2_0558E75C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558E3C6	7_2_0558E3C6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558E2A4	7_2_0558E2A4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0558D828	7_2_0558D828

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B17E54 appears 111 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B3EA12 appears 86 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01ABB970 appears 280 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B05130 appears 58 times
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: String function: 01B4F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052DEA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052B7E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0525B970 appears 280 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052A5130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 052EF290 appears 105 times

Sample file is different than original file name gathered from version info

Source: NF_Payment_Ref_FAN930276.exe, 00000000.00000002.2094998231.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe, 00000000.00000002.2107185373.000000000B360000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264575035.0000000001628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe, 00000004.00000002.2264826942.0000000001BBD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs NF_Payment_Ref_FAN930276.exe
Source: NF_Payment_Ref_FAN930276.exe	Binary or memory string: OriginalFilenamefRbU.exe: vs NF_Payment_Ref_FAN930276.exe

Uses 32bit PE files

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: NF_Payment_Ref_FAN930276.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Sli4DW9alcwqplWEds.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Sli4DW9alcwqplWEds.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.AddAccessRule
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Sli4DW9alcwqplWEds.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.SetAccessControl
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@16/12

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NF_Payment_Ref_FAN930276.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process created: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe "C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe"	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: NF_Payment_Ref_FAN930276.exe, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	.Net Code: qKyVfTuEOb System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.5230000.3.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.3820b90.0.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	.Net Code: qKyVfTuEOb System.Reflection.Assembly.Load(byte[])
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	.Net Code: qKyVfTuEOb System.Reflection.Assembly.Load(byte[])
Source: 7.2.colorcpl.exe.590cd14.2.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 8.2.xIrbjTuvDXL.exe.328cd14.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 8.0.xIrbjTuvDXL.exe.328cd14.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent
Source: 9.2.firefox.exe.3397cd14.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00406155 push ss; retf	4_2_00406160
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00403270 push eax; ret	4_2_00403272
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040227F pushad ; retf	4_2_00402280
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_0040BB30 push eax; ret	4_2_0040BB31
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00404DCD push ebx; iretd	4_2_00404DD8
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_004066BD push edx; iretd	4_2_004066BF
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00413F7E pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_00413FC5 pushad ; retf	4_2_00414025
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A9225F pushad ; ret	4_2_01A927F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A927FA pushad ; ret	4_2_01A927F9
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01AC09AD push ecx; mov dword ptr [esp], ecx	4_2_01AC09B6
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A9283D push eax; iretd	4_2_01A92858
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Code function: 4_2_01A91200 push eax; iretd	4_2_01A91369
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC42CB push 899D5642h; ret	5_2_02CC42D0
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CB4AD3 push ss; retf	5_2_02CB4ADE
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC28FC pushad ; retf	5_2_02CC29A3
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CB503B push edx; iretd	5_2_02CB503D
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC2943 pushad ; retf	5_2_02CC29A3
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3E40 push esi; ret	5_2_02CC3E65
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3E0D push esi; ret	5_2_02CC3E65
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CB374B push ebx; iretd	5_2_02CB3756
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CBA4AE push eax; ret	5_2_02CBA4AF
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3DE6 push esi; ret	5_2_02CC3E65
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	Code function: 5_2_02CC3DFB push esi; ret	5_2_02CC3E65
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052327FA pushad ; ret	7_2_052327F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523225F pushad ; ret	7_2_052327F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052609AD push ecx; mov dword ptr [esp], ecx	7_2_052609B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523283D push eax; iretd	7_2_05232858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05231368 push eax; iretd	7_2_05231369
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0305220A push esi; ret	7_2_03052274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0305221C push esi; ret	7_2_03052274

Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, sueo5UdIx8bBgI6PCF.cs	High entropy of concatenated method names: 'GFTwaZigPV', 'C4cwpsXlBc', 'Q6AwNWEGMW', 'Sm6whAHkT6', 'p4uwyvyoFQ', 'tOTwmaDo1o', 'rqFwkfYmbY', 'G09wjqk8bC', 'L7ywvCdadn', 'aKjwYxJd0L'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Sli4DW9alcwqplWEds.cs	High entropy of concatenated method names: 'UVQNuyxNjI', 'wPuN1qgXTO', 'cdCNeDQJQC', 'XuvNS7KTCB', 'Bd6NdUXhTq', 'RMANXoTRwJ', 'W65NbLWHMs', 'r7NN8yMcnw', 'hDiNRJQJxJ', 'Hn0NLkNKO3'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, eXBqexgXnhhTHnt4KX3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLhquFB5T1', 'uwTq16FqRx', 'C6xqeituaK', 'pQyqSeArIh', 'gM8qdy2cFa', 'kAnqXLYA09', 'IXvqbE26lT'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, I9sXMhjL9pxDQdeilY.cs	High entropy of concatenated method names: 'cuD9GM1YrR', 'bGZ9cFf7Rj', 'Cme92IxCON', 'fHh9CCVbm5', 'i5R9uEBnCK', 'OC993udlMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, wnukAYgggxIiSaIyoK4.cs	High entropy of concatenated method names: 'ToString', 'CNXqwT8t0v', 'oxLqVaW9BW', 'KoSqaX5OMw', 'fT8qpJLoA3', 'xI1qNkKd0N', 'ReOqhlfIgP', 'nnMqyS9iB9', 'AvQSUe0AHYrOQLyI2D1', 'u5wVRp0XSn3tZSaGZ9M'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Jmn7TDkTQyO5p2V4pF.cs	High entropy of concatenated method names: 'I9vTYg6tha', 'FVSTUp1RFM', 'ToString', 'GpXTpUqCQE', 'j6STNBLk2w', 'cuAThgeprx', 'KA7TykTL1r', 'qN2TmtWhIZ', 'iCXTkaghJk', 'K9GTjG9EsL'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, TYweWABd4gnA6BiO6U.cs	High entropy of concatenated method names: 'laH5Km8Owc', 'HUS5wSHuvN', 'RHl5VtUuhQ', 'Qlo5pk98BF', 'GBi5NjnHEn', 'g4S5ytHJ2a', 'NgY5mK2DYx', 'feQ9bNlbvp', 'B2I98Hdc7Y', 'JQk9RDxgJZ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, uBsWR1whKavSGYEwL9.cs	High entropy of concatenated method names: 'fgTKk0gpJ8', 'QZuKjHlvt7', 'C5jKYYrajn', 'BFVKUc86pP', 'geEKDbG7FW', 'YJCKlohSvD', 'jp9LLxXZQ6CyGQcXf1', 'hpjsrk2dRXBbcFstqo', 'v4pKKsg7RM', 'ni3KwDoNC1'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, TrwYxKFrGt1NX10rm7.cs	High entropy of concatenated method names: 'LLCPFYxF12', 'ba4Ps6E117', 'xHlPGDOiLR', 'S9DPc9pjH9', 'jxaPC1wDBC', 'jn1P3PmVS0', 'zNePguQTef', 't4TPBur7QC', 'k3rPxY23dc', 'b5xPIE3LEc'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, pLjukBgffZRmJjBJSJV.cs	High entropy of concatenated method names: 'MNX5JgPL8H', 'tdD50oWUlY', 't5v5fHJNhi', 'eGa5rwZfP3', 'cp85ooibxX', 'A9k5OMnfeh', 'dUb5EM6wfc', 'vZv5F2sX5w', 'SR55soR9Dx', 'XVN5ZRcwdB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, hxCJeMU4eehAikm1DM.cs	High entropy of concatenated method names: 'c18T8Fp8a1', 'H24TLViI8U', 'U8k9MYN3K2', 'os99KskAlM', 'QwgTIYlFjO', 'P6DTn4EWy0', 'N6QTAMgngj', 'GErTuwOTFq', 'rksT1ZN2aI', 'JBpTeaxeNQ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, kn5CeNcnQ21Ob3V9bn.cs	High entropy of concatenated method names: 'Dispose', 'MxNKRYpotl', 'RRK4crH536', 'AKOQQcAwGb', 'twLKLZgDKa', 'GZyKzUFYAN', 'ProcessDialogKey', 'S7R4MgSkx3', 'tcc4KFg4Rd', 'KYP449exNb'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, Djnu7ArL3JPPZ5TZFW.cs	High entropy of concatenated method names: 'sjaDx6tudr', 'TcaDnCqWsy', 'ixTDuB4yED', 'jUuD1R71OV', 'RntDccpvBb', 'ALID2BpZtC', 'eG2DCtK9IP', 'A5UD3KaFtc', 'TbIDWIYJwd', 'NhUDgRwBtn'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, fDB32RxexiDY4YPFvf.cs	High entropy of concatenated method names: 'z0NmaUluQ6', 'QhHmNqL8H4', 'FOpmy02dMe', 'R8qmkjJbkl', 'My5mjIH28E', 'iWRyd6DtfD', 'sqcyXV6ifd', 'mSPybcnqyp', 'WxPy8FqUDy', 'gjCyRxOssV'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, OlTiSOAJNSJSWNWDAr.cs	High entropy of concatenated method names: 'ToString', 'l0ElIhksOd', 'nfglcmiWVy', 'fAZl27XPAH', 'JSnlCKeiNT', 'uVel3kKT9x', 'B32lW52drB', 'VXqlgnbgKZ', 'HtVlB4kTAn', 'p6GlHCWe6m'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, aOPj9RJ6D3mMysj82S.cs	High entropy of concatenated method names: 'rh8yohiCYq', 'wWpyEl9ADq', 'wjvh2mOLuj', 'htGhCnViLy', 'XpIh3tT2Yb', 'u1uhWv8B8M', 'uhEhgbLjdg', 'tMwhBGetYr', 'HvxhHMwfiX', 'cwghxvCcn5'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, dE7ePfsB4iKPS7munM.cs	High entropy of concatenated method names: 'wwKf5iwhU', 'C9MrSnwkH', 'JCQO2C6xg', 'KFhEQX1bJ', 'jsvsKRREJ', 'e0XZM5UOC', 'bqrpkOqdA9NPOyu0Zx', 'OxwajmE31Dc0CogEoP', 'GDS9g4Pbl', 'RMWqXC6cG'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, EFMsT9GY7t3Gmy7OvK.cs	High entropy of concatenated method names: 'iOakphwhpV', 'yTfkhryS9l', 'HH4kmqirj3', 'abWmL4HM0S', 'xubmz3KlR3', 'YGkkMWRqLt', 'zrskKms92t', 'Vjxk4VUA76', 'L2Ukw7JG4T', 'RcvkVews7a'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, bUcSe8D1xH3PFuCDlv.cs	High entropy of concatenated method names: 'ChYhrCXmEg', 'DjlhO3nTfh', 'SGQhFZ64NV', 'HiZhsiIbcD', 'NEDhDvFFTd', 'aGuhlID65S', 'JR3hTW3Dm4', 'Qr3h9yGUAL', 'aLwh5JRsol', 'wE1hqEUQQv'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, clPqp4phOdkKvqr3gS.cs	High entropy of concatenated method names: 'MUo9pyLo1s', 'KKd9Nncf2N', 'CIa9hnTjDQ', 'V079yI7iKB', 'gfs9mPOgub', 'fiy9k2y9Lv', 'EId9jyEQBt', 'Y1K9vJ8rD3', 'eZh9YrcL5V', 'WeP9UC8oLB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.42cc5f0.1.raw.unpack, VKBmrI3WAxwWAfZXaC.cs	High entropy of concatenated method names: 'eVAkJ0lQ73', 'J01k0goAkg', 'CgUkfOQKF3', 'WSIkrXRRbv', 'I6gkoEmlJd', 'k3NkOVvJbO', 'jB7kEl2j7c', 'Fw5kF4RBxv', 'lMkksOeJuJ', 'wt8kZpLZmD'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, sueo5UdIx8bBgI6PCF.cs	High entropy of concatenated method names: 'GFTwaZigPV', 'C4cwpsXlBc', 'Q6AwNWEGMW', 'Sm6whAHkT6', 'p4uwyvyoFQ', 'tOTwmaDo1o', 'rqFwkfYmbY', 'G09wjqk8bC', 'L7ywvCdadn', 'aKjwYxJd0L'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Sli4DW9alcwqplWEds.cs	High entropy of concatenated method names: 'UVQNuyxNjI', 'wPuN1qgXTO', 'cdCNeDQJQC', 'XuvNS7KTCB', 'Bd6NdUXhTq', 'RMANXoTRwJ', 'W65NbLWHMs', 'r7NN8yMcnw', 'hDiNRJQJxJ', 'Hn0NLkNKO3'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, eXBqexgXnhhTHnt4KX3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLhquFB5T1', 'uwTq16FqRx', 'C6xqeituaK', 'pQyqSeArIh', 'gM8qdy2cFa', 'kAnqXLYA09', 'IXvqbE26lT'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, I9sXMhjL9pxDQdeilY.cs	High entropy of concatenated method names: 'cuD9GM1YrR', 'bGZ9cFf7Rj', 'Cme92IxCON', 'fHh9CCVbm5', 'i5R9uEBnCK', 'OC993udlMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, wnukAYgggxIiSaIyoK4.cs	High entropy of concatenated method names: 'ToString', 'CNXqwT8t0v', 'oxLqVaW9BW', 'KoSqaX5OMw', 'fT8qpJLoA3', 'xI1qNkKd0N', 'ReOqhlfIgP', 'nnMqyS9iB9', 'AvQSUe0AHYrOQLyI2D1', 'u5wVRp0XSn3tZSaGZ9M'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Jmn7TDkTQyO5p2V4pF.cs	High entropy of concatenated method names: 'I9vTYg6tha', 'FVSTUp1RFM', 'ToString', 'GpXTpUqCQE', 'j6STNBLk2w', 'cuAThgeprx', 'KA7TykTL1r', 'qN2TmtWhIZ', 'iCXTkaghJk', 'K9GTjG9EsL'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, TYweWABd4gnA6BiO6U.cs	High entropy of concatenated method names: 'laH5Km8Owc', 'HUS5wSHuvN', 'RHl5VtUuhQ', 'Qlo5pk98BF', 'GBi5NjnHEn', 'g4S5ytHJ2a', 'NgY5mK2DYx', 'feQ9bNlbvp', 'B2I98Hdc7Y', 'JQk9RDxgJZ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, uBsWR1whKavSGYEwL9.cs	High entropy of concatenated method names: 'fgTKk0gpJ8', 'QZuKjHlvt7', 'C5jKYYrajn', 'BFVKUc86pP', 'geEKDbG7FW', 'YJCKlohSvD', 'jp9LLxXZQ6CyGQcXf1', 'hpjsrk2dRXBbcFstqo', 'v4pKKsg7RM', 'ni3KwDoNC1'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, TrwYxKFrGt1NX10rm7.cs	High entropy of concatenated method names: 'LLCPFYxF12', 'ba4Ps6E117', 'xHlPGDOiLR', 'S9DPc9pjH9', 'jxaPC1wDBC', 'jn1P3PmVS0', 'zNePguQTef', 't4TPBur7QC', 'k3rPxY23dc', 'b5xPIE3LEc'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, pLjukBgffZRmJjBJSJV.cs	High entropy of concatenated method names: 'MNX5JgPL8H', 'tdD50oWUlY', 't5v5fHJNhi', 'eGa5rwZfP3', 'cp85ooibxX', 'A9k5OMnfeh', 'dUb5EM6wfc', 'vZv5F2sX5w', 'SR55soR9Dx', 'XVN5ZRcwdB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, hxCJeMU4eehAikm1DM.cs	High entropy of concatenated method names: 'c18T8Fp8a1', 'H24TLViI8U', 'U8k9MYN3K2', 'os99KskAlM', 'QwgTIYlFjO', 'P6DTn4EWy0', 'N6QTAMgngj', 'GErTuwOTFq', 'rksT1ZN2aI', 'JBpTeaxeNQ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, kn5CeNcnQ21Ob3V9bn.cs	High entropy of concatenated method names: 'Dispose', 'MxNKRYpotl', 'RRK4crH536', 'AKOQQcAwGb', 'twLKLZgDKa', 'GZyKzUFYAN', 'ProcessDialogKey', 'S7R4MgSkx3', 'tcc4KFg4Rd', 'KYP449exNb'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, Djnu7ArL3JPPZ5TZFW.cs	High entropy of concatenated method names: 'sjaDx6tudr', 'TcaDnCqWsy', 'ixTDuB4yED', 'jUuD1R71OV', 'RntDccpvBb', 'ALID2BpZtC', 'eG2DCtK9IP', 'A5UD3KaFtc', 'TbIDWIYJwd', 'NhUDgRwBtn'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, fDB32RxexiDY4YPFvf.cs	High entropy of concatenated method names: 'z0NmaUluQ6', 'QhHmNqL8H4', 'FOpmy02dMe', 'R8qmkjJbkl', 'My5mjIH28E', 'iWRyd6DtfD', 'sqcyXV6ifd', 'mSPybcnqyp', 'WxPy8FqUDy', 'gjCyRxOssV'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, OlTiSOAJNSJSWNWDAr.cs	High entropy of concatenated method names: 'ToString', 'l0ElIhksOd', 'nfglcmiWVy', 'fAZl27XPAH', 'JSnlCKeiNT', 'uVel3kKT9x', 'B32lW52drB', 'VXqlgnbgKZ', 'HtVlB4kTAn', 'p6GlHCWe6m'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, aOPj9RJ6D3mMysj82S.cs	High entropy of concatenated method names: 'rh8yohiCYq', 'wWpyEl9ADq', 'wjvh2mOLuj', 'htGhCnViLy', 'XpIh3tT2Yb', 'u1uhWv8B8M', 'uhEhgbLjdg', 'tMwhBGetYr', 'HvxhHMwfiX', 'cwghxvCcn5'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, dE7ePfsB4iKPS7munM.cs	High entropy of concatenated method names: 'wwKf5iwhU', 'C9MrSnwkH', 'JCQO2C6xg', 'KFhEQX1bJ', 'jsvsKRREJ', 'e0XZM5UOC', 'bqrpkOqdA9NPOyu0Zx', 'OxwajmE31Dc0CogEoP', 'GDS9g4Pbl', 'RMWqXC6cG'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, EFMsT9GY7t3Gmy7OvK.cs	High entropy of concatenated method names: 'iOakphwhpV', 'yTfkhryS9l', 'HH4kmqirj3', 'abWmL4HM0S', 'xubmz3KlR3', 'YGkkMWRqLt', 'zrskKms92t', 'Vjxk4VUA76', 'L2Ukw7JG4T', 'RcvkVews7a'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, bUcSe8D1xH3PFuCDlv.cs	High entropy of concatenated method names: 'ChYhrCXmEg', 'DjlhO3nTfh', 'SGQhFZ64NV', 'HiZhsiIbcD', 'NEDhDvFFTd', 'aGuhlID65S', 'JR3hTW3Dm4', 'Qr3h9yGUAL', 'aLwh5JRsol', 'wE1hqEUQQv'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, clPqp4phOdkKvqr3gS.cs	High entropy of concatenated method names: 'MUo9pyLo1s', 'KKd9Nncf2N', 'CIa9hnTjDQ', 'V079yI7iKB', 'gfs9mPOgub', 'fiy9k2y9Lv', 'EId9jyEQBt', 'Y1K9vJ8rD3', 'eZh9YrcL5V', 'WeP9UC8oLB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.b360000.4.raw.unpack, VKBmrI3WAxwWAfZXaC.cs	High entropy of concatenated method names: 'eVAkJ0lQ73', 'J01k0goAkg', 'CgUkfOQKF3', 'WSIkrXRRbv', 'I6gkoEmlJd', 'k3NkOVvJbO', 'jB7kEl2j7c', 'Fw5kF4RBxv', 'lMkksOeJuJ', 'wt8kZpLZmD'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, sueo5UdIx8bBgI6PCF.cs	High entropy of concatenated method names: 'GFTwaZigPV', 'C4cwpsXlBc', 'Q6AwNWEGMW', 'Sm6whAHkT6', 'p4uwyvyoFQ', 'tOTwmaDo1o', 'rqFwkfYmbY', 'G09wjqk8bC', 'L7ywvCdadn', 'aKjwYxJd0L'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Sli4DW9alcwqplWEds.cs	High entropy of concatenated method names: 'UVQNuyxNjI', 'wPuN1qgXTO', 'cdCNeDQJQC', 'XuvNS7KTCB', 'Bd6NdUXhTq', 'RMANXoTRwJ', 'W65NbLWHMs', 'r7NN8yMcnw', 'hDiNRJQJxJ', 'Hn0NLkNKO3'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, eXBqexgXnhhTHnt4KX3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LLhquFB5T1', 'uwTq16FqRx', 'C6xqeituaK', 'pQyqSeArIh', 'gM8qdy2cFa', 'kAnqXLYA09', 'IXvqbE26lT'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, I9sXMhjL9pxDQdeilY.cs	High entropy of concatenated method names: 'cuD9GM1YrR', 'bGZ9cFf7Rj', 'Cme92IxCON', 'fHh9CCVbm5', 'i5R9uEBnCK', 'OC993udlMm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, wnukAYgggxIiSaIyoK4.cs	High entropy of concatenated method names: 'ToString', 'CNXqwT8t0v', 'oxLqVaW9BW', 'KoSqaX5OMw', 'fT8qpJLoA3', 'xI1qNkKd0N', 'ReOqhlfIgP', 'nnMqyS9iB9', 'AvQSUe0AHYrOQLyI2D1', 'u5wVRp0XSn3tZSaGZ9M'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Jmn7TDkTQyO5p2V4pF.cs	High entropy of concatenated method names: 'I9vTYg6tha', 'FVSTUp1RFM', 'ToString', 'GpXTpUqCQE', 'j6STNBLk2w', 'cuAThgeprx', 'KA7TykTL1r', 'qN2TmtWhIZ', 'iCXTkaghJk', 'K9GTjG9EsL'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, TYweWABd4gnA6BiO6U.cs	High entropy of concatenated method names: 'laH5Km8Owc', 'HUS5wSHuvN', 'RHl5VtUuhQ', 'Qlo5pk98BF', 'GBi5NjnHEn', 'g4S5ytHJ2a', 'NgY5mK2DYx', 'feQ9bNlbvp', 'B2I98Hdc7Y', 'JQk9RDxgJZ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, uBsWR1whKavSGYEwL9.cs	High entropy of concatenated method names: 'fgTKk0gpJ8', 'QZuKjHlvt7', 'C5jKYYrajn', 'BFVKUc86pP', 'geEKDbG7FW', 'YJCKlohSvD', 'jp9LLxXZQ6CyGQcXf1', 'hpjsrk2dRXBbcFstqo', 'v4pKKsg7RM', 'ni3KwDoNC1'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, TrwYxKFrGt1NX10rm7.cs	High entropy of concatenated method names: 'LLCPFYxF12', 'ba4Ps6E117', 'xHlPGDOiLR', 'S9DPc9pjH9', 'jxaPC1wDBC', 'jn1P3PmVS0', 'zNePguQTef', 't4TPBur7QC', 'k3rPxY23dc', 'b5xPIE3LEc'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, pLjukBgffZRmJjBJSJV.cs	High entropy of concatenated method names: 'MNX5JgPL8H', 'tdD50oWUlY', 't5v5fHJNhi', 'eGa5rwZfP3', 'cp85ooibxX', 'A9k5OMnfeh', 'dUb5EM6wfc', 'vZv5F2sX5w', 'SR55soR9Dx', 'XVN5ZRcwdB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, hxCJeMU4eehAikm1DM.cs	High entropy of concatenated method names: 'c18T8Fp8a1', 'H24TLViI8U', 'U8k9MYN3K2', 'os99KskAlM', 'QwgTIYlFjO', 'P6DTn4EWy0', 'N6QTAMgngj', 'GErTuwOTFq', 'rksT1ZN2aI', 'JBpTeaxeNQ'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, kn5CeNcnQ21Ob3V9bn.cs	High entropy of concatenated method names: 'Dispose', 'MxNKRYpotl', 'RRK4crH536', 'AKOQQcAwGb', 'twLKLZgDKa', 'GZyKzUFYAN', 'ProcessDialogKey', 'S7R4MgSkx3', 'tcc4KFg4Rd', 'KYP449exNb'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, Djnu7ArL3JPPZ5TZFW.cs	High entropy of concatenated method names: 'sjaDx6tudr', 'TcaDnCqWsy', 'ixTDuB4yED', 'jUuD1R71OV', 'RntDccpvBb', 'ALID2BpZtC', 'eG2DCtK9IP', 'A5UD3KaFtc', 'TbIDWIYJwd', 'NhUDgRwBtn'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, fDB32RxexiDY4YPFvf.cs	High entropy of concatenated method names: 'z0NmaUluQ6', 'QhHmNqL8H4', 'FOpmy02dMe', 'R8qmkjJbkl', 'My5mjIH28E', 'iWRyd6DtfD', 'sqcyXV6ifd', 'mSPybcnqyp', 'WxPy8FqUDy', 'gjCyRxOssV'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, OlTiSOAJNSJSWNWDAr.cs	High entropy of concatenated method names: 'ToString', 'l0ElIhksOd', 'nfglcmiWVy', 'fAZl27XPAH', 'JSnlCKeiNT', 'uVel3kKT9x', 'B32lW52drB', 'VXqlgnbgKZ', 'HtVlB4kTAn', 'p6GlHCWe6m'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, aOPj9RJ6D3mMysj82S.cs	High entropy of concatenated method names: 'rh8yohiCYq', 'wWpyEl9ADq', 'wjvh2mOLuj', 'htGhCnViLy', 'XpIh3tT2Yb', 'u1uhWv8B8M', 'uhEhgbLjdg', 'tMwhBGetYr', 'HvxhHMwfiX', 'cwghxvCcn5'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, dE7ePfsB4iKPS7munM.cs	High entropy of concatenated method names: 'wwKf5iwhU', 'C9MrSnwkH', 'JCQO2C6xg', 'KFhEQX1bJ', 'jsvsKRREJ', 'e0XZM5UOC', 'bqrpkOqdA9NPOyu0Zx', 'OxwajmE31Dc0CogEoP', 'GDS9g4Pbl', 'RMWqXC6cG'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, EFMsT9GY7t3Gmy7OvK.cs	High entropy of concatenated method names: 'iOakphwhpV', 'yTfkhryS9l', 'HH4kmqirj3', 'abWmL4HM0S', 'xubmz3KlR3', 'YGkkMWRqLt', 'zrskKms92t', 'Vjxk4VUA76', 'L2Ukw7JG4T', 'RcvkVews7a'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, bUcSe8D1xH3PFuCDlv.cs	High entropy of concatenated method names: 'ChYhrCXmEg', 'DjlhO3nTfh', 'SGQhFZ64NV', 'HiZhsiIbcD', 'NEDhDvFFTd', 'aGuhlID65S', 'JR3hTW3Dm4', 'Qr3h9yGUAL', 'aLwh5JRsol', 'wE1hqEUQQv'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, clPqp4phOdkKvqr3gS.cs	High entropy of concatenated method names: 'MUo9pyLo1s', 'KKd9Nncf2N', 'CIa9hnTjDQ', 'V079yI7iKB', 'gfs9mPOgub', 'fiy9k2y9Lv', 'EId9jyEQBt', 'Y1K9vJ8rD3', 'eZh9YrcL5V', 'WeP9UC8oLB'
Source: 0.2.NF_Payment_Ref_FAN930276.exe.4354410.2.raw.unpack, VKBmrI3WAxwWAfZXaC.cs	High entropy of concatenated method names: 'eVAkJ0lQ73', 'J01k0goAkg', 'CgUkfOQKF3', 'WSIkrXRRbv', 'I6gkoEmlJd', 'k3NkOVvJbO', 'jB7kEl2j7c', 'Fw5kF4RBxv', 'lMkksOeJuJ', 'wt8kZpLZmD'

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 2780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 2800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 4800000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 8920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 9920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: 9B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: AB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: B3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Memory allocated: C3F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 5640			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 4332			Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep count: 5640 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep time: -11280000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep count: 4332 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 2072	Thread sleep time: -8664000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep time: -61500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe TID: 572	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Ea64OHKq.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Ea64OHKq.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: colorcpl.exe, 00000007.00000002.4486968651.00000000037DD000.00000004.00000020.00020000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000002.4487294188.000000000124F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2559413379.0000029EB392C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Ea64OHKq.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Ea64OHKq.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Ea64OHKq.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Ea64OHKq.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Ea64OHKq.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Ea64OHKq.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Ea64OHKq.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Ea64OHKq.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Ea64OHKq.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Ea64OHKq.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtTerminateThread: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: NULL target: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files (x86)\eROVoFobOWKuBHetsTIgsKlDQIveGpUTdpiHQSbYAGLQaaUshtCAvQAnzb\xIrbjTuvDXL.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: xIrbjTuvDXL.exe, 00000005.00000000.2188557060.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000005.00000002.4487293076.0000000001321000.00000002.00000001.00040000.00000000.sdmp, xIrbjTuvDXL.exe, 00000008.00000000.2337317767.0000000001891000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NF_Payment_Ref_FAN930276.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
141.193.213.10	www.meanttobebroken.org	United States	396845	DV-PRIMARY-ASN1US	true
162.0.215.244	prediksipreman.fyi	Canada	35893	ACPCA	true
13.248.169.48	www.ila.beauty	United States	16509	AMAZON-02US	true
162.0.231.203	www.givora.site	Canada	22612	NAMECHEAP-NETUS	true
38.88.82.56	www.college-help.info	United States	174	COGENT-174US	true
178.79.184.196	gucciqueen.shop	United Kingdom	63949	LINODE-APLinodeLLCUS	true
188.114.96.3	www.timizoasisey.shop	European Union	13335	CLOUDFLARENETUS	true
103.191.208.137	roopiedutech.online	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
103.71.154.12	www.2925588.com	Hong Kong	132325	LEMON-AS-APLEMONTELECOMMUNICATIONSLIMITEDHK	true
199.59.243.227	www.rebel.tienda	United States	395082	BODIS-NJUS	true
3.33.130.190	7fh27o.vip	United States	8987	AMAZONEXPANSIONGB	true
8.210.3.99	jexiz.shop	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Windows Analysis Report NF_Payment_Ref_FAN930276.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
NF_Payment_Ref_FAN930276.exe

Malware Threat Intel
Provided by

Name	Malicious	Reputation
http://www.gucciqueen.shop/x3by/?nl=Gq0m/cYr7UOoL/rfxlXcWcb0PFgu3v+6IQg5KkZ1GbFCfXnP9OdFnXsg+153ZunkN9E3pnQymCUHBFpvF3MPrj7bwNIl4rM9hQX9D40sB8Q0fvNSVLrWgvNkuIucpqHerw==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.givora.site/855d/?nl=2B0ERzH0P28lwthSCfczi4+l4RSaGiycEDtAIyO4xBEaITWb1iLHHs/q7NYM0I/g8MkSYcfxzku7nIYL4eoS8eZDgAyht6z65PzZnN779aUYRwuiIRWQuovW44/rxTRHXQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.college-help.info/lk0h/	true	unknown
http://www.roopiedutech.online/f01d/	true	unknown
http://www.prediksipreman.fyi/3lre/?nl=/6Vdp+1Y21llHWrnJFgTkMelxgdakbST517P2ezUMEZQpYm2I4KB95g+5G1ZwATxC5oRicPrlKz7UaUXu7WnWVF0YU8xlLcjqFiWcTqSDyUhRRfYLZXOVM1ZwNUIzk+NCQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.7fh27o.vip/l5ty/	true	unknown
http://www.jexiz.shop/li8d/?nl=sm+xvlFNJ8Jn1MAvBLHfFbmpWDRmMBXnhYuDtN4QDuuoOIQ72IBR7vtXSrP0imT8uQD+i024Jy05gJvrsmbroocsQ5/sNLlweHoyZNleSM2rCzfY5hv0qSgJrhCITOEEHg==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.owinvip.net/17h7/	true	unknown
http://www.givora.site/855d/	true	unknown
http://www.2925588.com/jx6k/	true	unknown
http://www.owinvip.net/17h7/?nl=+i5q+uzPXmftyZtNZWFr8MC7YoCmvyBt3jjX/X3oRNPJ70eO25N0w4zqWgP4747OpVXsIhnZv7nMmjeXISBtoaIRC/e00OgY88L+a0UDDIyF3kq1BSJhp/lI21Ai+QA6UQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.2925588.com/jx6k/?nl=beqWGJ7SP2hkLKuH8Xmdr/HDPWeS3cMOlVU3zrC7D+GWWG+2bEVKgJQW/9jqYGl3wiT++u8kPbwe1lvFRaGrQmwW5G4wa8+lbGyMUfdWvdM0+8z00F7HMhpKv8gPeACQcQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.ila.beauty/izfe/?nl=ZqR1VSau/njxt8ya9FYdrisRnPwESR8PWK+oFQcVqsUu7dENmwaUoGLSs5vyS4FhQGGlB6r8hHtwTYfK8h1233SUSY5+fAIxnLEAPxNpmpufjlKG3bng8CVsKsGNybcU1g==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.meanttobebroken.org/9g6s/	true	unknown
http://www.prediksipreman.fyi/3lre/	true	unknown
http://www.timizoasisey.shop/3p0l/?dbL=d8WX_v0PGVHXAtK&nl=4Jzo6X1Gluc/SF20pEVAyAZrEiE76xvvY+EfZYFlmMajnWRT/uq2dkdTzHDiVdaw3QhDvVFcv5rBuyftUViEMVRHp90uGCn944ajrH63wHv4zzWs5+CZDXB+Ld7sX0D68A==	true	unknown
http://www.timizoasisey.shop/3p0l/	true	unknown
http://www.roopiedutech.online/f01d/?nl=BGh1WRbt41ta6S2FBwbFkSvU00HbY3eh/tMOUMfhmAze8NROyFh0EV68tSphjf8OeMOb/ck28qXApfwtDELR0J5SPWkS+xOxljfz11yABU5EX0aP/5qC9r+4s36BWCggxQ==&dbL=d8WX_v0PGVHXAtK	true	unknown
http://www.jexiz.shop/li8d/	true	unknown
http://www.wrl-llc.net/6o8s/	true	unknown
http://www.rebel.tienda/7n9v/	true	unknown
http://www.gucciqueen.shop/x3by/	true	unknown
http://www.ila.beauty/izfe/	true	unknown

ID:	1546519
Product:	CloudBasic
Start time:	03:44:07
Start date:	01.11.2024
Sample:	NF_Payment_Ref_FAN930276.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7c86cd8c446e881a00e02c3c9cb629a7
SHA1:	6f52b3667ce3c56576b80a9748ff283dd7bffecc
SHA256:	0bc8eae9fe2dc6af83e1b798f9a6b5ef27117c5b8462664a944fca34a4e1e464
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NF_Payment_Ref_FAN930276.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\Ea64OHKq	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA