informe bancario y motivo del pago rechazado.xla
This report is generated from a file or URL submitted to this webservice on March 1st 2024 14:36:37 (UTC)
Guest System: Windows 10 64 bit, Professional, 10.0 (build 16299),
Report generated by
Falcon Sandbox v11.0.8 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 4 domains and 5 hosts (shtu.be plus CDN/ad domains; see "Queries DNS server" and "Contacts server" below).
MITRE ATT&CK™ Techniques Detection
Indicators
-
Malicious Indicators 2
-
General
-
GETs files from a webserver
- details
-
"GET /7c9d1c HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shtu.be
Connection: Keep-Alive" Response ==> HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Mar 2024 14:40:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
location: https://shtu.be/7c9d1c
cache-control: no-store, no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hgArg0xF6TFsCd1lcXfoc4q0%2BRs5q3OGc16Eh%2FO%2FpDM8uWAFTVK%2Bq72l95JgmRFBunLyCZmd9LN90ocoxYI%2BGyl15YAdEb4ettJ7oiyPVA06pb1wMotpbGTy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 85d9e68c891a7e2a-SJC
alt-svc: h3=":443"; ma=86400 with response body ==>61320D0A3C68746D6C3E0A3C686561643E3C7469746C653E333031204D6F766564205065726D616E656E746C793C2F7469746C653E3C2F686561643E0A3C626F....... - source
- Network Traffic
- relevance
- 10/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
GETs files from a webserver
-
Unusual Characteristics
-
Possible document exploit detected
- details
- Document is downloading files although no macro is present. Reviewer note: the four VBA module streams listed under "Contains embedded VBA macros" all have empty code, so the download is not macro-driven. EXCEL.EXE loading MSHTML.DLL, JSCRIPT9.DLL, IEFRAME.DLL, URLMON.DLL and WININET.DLL suggests an embedded web-browser/HTML component inside Excel fetched the URL; inspect the workbook's OLE streams for an embedded object or external link before concluding a memory-corruption exploit (T1203) is involved.
- source
- Indicator Combinations
- relevance
- 10/10
- ATT&CK ID
- T1203 (Show technique in the MITRE ATT&CK™ matrix)
-
Possible document exploit detected
-
Suspicious Indicators 5
-
Cryptographic Related
-
Contains ability to decrypt/decode data
- details
-
file/memory contains long string with (Indicator: "fromcharcode"; File: "f_1_.txt")
file/memory contains long string with (Indicator: "fromcharcode"; File: "js_1_.js")
file/memory contains long string with (Indicator: "fromcharcode"; File: "jquery.min_1_.js") - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1140 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains ability to decrypt/decode data
-
Network Related
-
Sends traffic on typical HTTP outbound port, but without HTTP header. Reviewer note: the port-443 flows are TLS, so no cleartext HTTP header is expected; the destination IPs plausibly correspond to the DNS lookups for shtu.be (Cloudflare, per the "Server: cloudflare" response header), cdn.jsdelivr.net and the Google ad domains listed under "Queries DNS server". Check the decrypted TLS stream rather than treating this alone as covert C2.
- details
-
TCP traffic to 104.21.69.44 on port 80 is sent without HTTP header
TCP traffic to 104.21.69.44 on port 443 is sent without HTTP header
TCP traffic to 151.101.1.229 on port 443 is sent without HTTP header
TCP traffic to 172.217.12.130 on port 443 is sent without HTTP header
TCP traffic to 142.250.188.226 on port 443 is sent without HTTP header - source
- Network Traffic
- relevance
- 5/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
Uses a browser-related user-agent without launching browser
- details
- Found user-agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729). Reviewer note: this is the legacy IE compatibility-mode UA string, likely emitted through the URLMON/WININET modules loaded into EXCEL.EXE rather than by a launched browser; the OS token "Windows NT 6.2" does not match the Windows 10 guest, which makes the exact string a usable proxy/network detection fingerprint for this sample.
- source
- Network Traffic
- relevance
- 10/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
Sends traffic on typical HTTP outbound port, but without HTTP header
-
Hiding 2 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 44
-
Anti-Detection/Stealthyness
-
Found virtual disk drive like strings. Reviewer note: the matched strings below are minified Google Ads/Analytics/Tag Manager JavaScript (ga_vid, google_ad_client, data-gtm-yt-inspected) from the downloaded web content in f_1_.txt and js_1_.js, not disk-related code — very likely a false positive of the string heuristic.
- details
-
Found string - function DL(a){switch(a){case "true":return!0;case "false":return!1;case "null":return null;case "undefined":break;default:try{var b=a.match(/^(?:'(.*)'|"(.*)")$/);if(b)return b[1]||b[2]||"";if(/^[-+]?\d*(\.\d+)?$/.test(a)){var c=parseFloat(a);return c===c?c:void 0}}catch(d){}}};function EL(a){U.call(this);this.win=a;this.i=0;this.g=new r.Map}z(EL,U);function FL(a){a.win.document.visibilityState?GL(a,a.win.document,"visibilitychange",function(b){"hidden"===a.win.document.visibilityState&&HL(a,b);"visible"===a.win.document.visibilityState&&(a.i=0)}):"onpagehide"in a.win?(GL(a,a.win,"pagehide",function(b){HL(a,b)}),GL(a,a.win,"pageshow",function(){a.i=0})):GL(a,a.win,"beforeunload",function(b){HL(a,b)})}; Source: "f_1_.txt"), Found string - bS.exec(rc[fa])||cS.exec(rc[fa]);if(hd){var Jc=hd[1]||0;if(Jc==Md){var Cf=hd[2];break b}Jc<gd&&(gd=Jc,Nd=hd[2])}}Cf=Nd}var Kc=Cf;Be&&Kc&&-1!=Kc.search(/^\d+\.\d+$/)?(Aa.vid=Kc,Aa.from_cookie=!0):Kc!=Aa.vid&&(Aa.cid=Kc)}Aa.dh=cd;Aa.hid||(Aa.hid=Math.round(2147483647*Math.random()));Kd=Aa}var id=Kd;b.ga_vid=id.vid;b.ga_sid=id.sid;b.ga_hid=id.hid;b.ga_fc=id.from_cookie;b.ga_cid=id.cid;b.ga_wpids=ye.google_analytics_uacct;PS(a.pubWin,b);var Fe=d.google_ad_layout;Fe&&0<=dQ[Fe]&&(b.rplot=dQ[Fe])}; Source: "f_1_.txt"), Found string - 30,0),xe)+"~~"+Id.substring(wf,Math.min(wf+30,Id.length)),Bg=Hc.g,yf=Ka[$b],ye=$c.getBoundingClientRect(),Cg=wo(2);var zf=rk(Cg,2,xf);var ad=rk(zf,3,Ag);var Jd=rk(ad,4,Bg);var Dg=nk(Jd,5,yf);var Eg=nk(Dg,6,Math.round(ye.x));var Kd=nk(Eg,7,Math.round(ye.y)),bd=void 0,ze=void 0,cd=void 0,dd=void 0,Ic=zg.getComputedStyle($c),Ae=new uo;dd=rk(Ae,1,Ic.fontFamily);var Fg=zV(Ic.color);cd=Vj(dd,7,Fg);var Aa=zV(Ic.backgroundColor);ze=Vj(cd,8,Aa);var Be=Ic.fontSize.match(/^(\d+(\.\d+)?)px$/);bd=nk(ze,4,Be?Math.round(Number(Be[1])):; Source: "f_1_.txt"), Found string - else{for(var c=[],d=0;d<a.length;d++){var 
e=a.charCodeAt(d);128>e?c.push(e):2048>e?c.push(192|e>>6,128|e&63):55296>e||57344<=e?c.push(224|e>>12,128|e>>6&63,128|e&63):(e=65536+((e&1023)<<10|a.charCodeAt(++d)&1023),c.push(240|e>>18,128|e>>12&63,128|e>>6&63,128|e&63))}b=new Uint8Array(c)}return b},Ih=/[0-9`~!@#$%^&*()_\-+=:;<>,.?|/\\[\]]/g,Lh=/^\S+@\S+\.\S+$/,Jh=/^\+\d{10,15}$/,Eh=/[.~]/g,Qh=/^[0-9A-Za-z_-]{43}$/,Nh=/^[0-9A-Fa-f]{64}$/,Rh={},Sh=(Rh.email="em",Rh.phone_number="pn",Rh.first_name="fn",; Source: "js_1_.js"), Found string - function Dn(a){switch(a){case "true":return!0;case "false":return!1;case "null":return null;case "undefined":break;default:try{var b=a.match(/^(?:'(.*)'|"(.*)")$/);if(b)return b[1]||b[2]||"";if(/^[-+]?\d*(\.\d+)?$/.test(a)){var c=parseFloat(a);return c===c?c:void 0}}catch(d){}}};function En(a){if(a.google_ad_client)return String(a.google_ad_client);var b
c
d
e
f;if(null!=(e=null!=(d=null==(b=Y(a).head_tag_slot_vars)?void 0:b.google_ad_client)?d:null==(c=a.document.querySelector(".adsbygoogle[data-ad-client]"))?void 0:c.getAttribute("data-ad-client")))b=e;else{b:{b=a.document.getElementsByTagName("script");a=a.navigator&&a.navigator.userAgent||"";a=RegExp("appbankapppuzdradb|daumapps|fban|fbios|fbav|fb_iab|gsa/|messengerforios|naver|niftyappmobile|nonavigation|pinterest|twitter|ucbrowser|yjnewsapp|youtube",; Source: "f_1_.txt") - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1564 (Show technique in the MITRE ATT&CK™ matrix)
-
Renames files. Reviewer note: the single rename below (%TEMP%\CVR5239.tmp to .cvr) is consistent with routine Office diagnostics temp-file handling and is not sample-specific; do not use it as an IOC.
- details
- "EXCEL.EXE" renamed original file"%TEMP%\CVR5239.tmp" to "%TEMP%\CVR5239.tmp.cvr"
- source
- API Call
- relevance
- 1/10
- ATT&CK ID
- T1036 (Show technique in the MITRE ATT&CK™ matrix)
-
Found virtual disk drive like strings
-
Cryptographic Related
-
HTTP requests contain Base64 strings. Reviewer note: every match below is an ordinary header token ("Encoding", "gzip", "MSIE", "NET4", "InfoPath", "Host", "shtu", "Keep") that merely fits the Base64 alphabet; no actual encoded payload is present in the request, so this and the two derived "Indicator Combinations" entries should be treated as false positives.
- details
-
Contains base64 string in header "Encoding" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "gzip" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "MSIE" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "NET4" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "InfoPath" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "Host" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "shtu" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "beConnection" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive"
Contains base64 string in header "Keep" in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-Alive" - source
- Network Traffic
- relevance
- 1/10
- ATT&CK ID
- T1132 (Show technique in the MITRE ATT&CK™ matrix)
-
Shows ability to deobfuscate/decode files or information
- details
- The analysis shows use of encoding/encryption that could be used to decode files or information. Matched sigs: HTTP requests contain Base64 strings (derived solely from that signature; see its caveat).
- source
- Indicator Combinations
- relevance
- 1/10
- ATT&CK ID
- T1140 (Show technique in the MITRE ATT&CK™ matrix)
-
Shows ability to obfuscate file or information
- details
-
The analysis contains indicators for crypto or data obfuscation (base64/decrypt) which can hide information. Matched sigs: Contains CRYPTO related strings
Matched sigs: Contains ability to decrypt/decode data
Matched sigs: Decrypted SSL network traffic
Matched sigs: HTTP requests contain Base64 strings - source
- Indicator Combinations
- relevance
- 1/10
- ATT&CK ID
- T1027 (Show technique in the MITRE ATT&CK™ matrix)
-
HTTP requests contain Base64 strings
-
Environment Awareness
-
Calls an API typically used to retrieve account information for specified SID
- details
- "EXCEL.EXE" called "LookupAccountSidW" with param Name SYSTEM (UID: 00000000-00003692)
- source
- API Call
- relevance
- 3/10
- ATT&CK ID
- T1033 (Show technique in the MITRE ATT&CK™ matrix)
-
Calls an API typically used to retrieve account information for specified SID
-
General
-
Contacts domains
- details
- "shtu.be"
- source
- Network Traffic
- relevance
- 1/10
- ATT&CK ID
- T1071 (Show technique in the MITRE ATT&CK™ matrix)
-
Contacts server
- details
-
"104.21.69.44:80"
"104.21.69.44:443"
"151.101.1.229:443"
"172.217.12.130:443"
"142.250.188.226:443" - source
- Network Traffic
- relevance
- 1/10
- ATT&CK ID
- T1071 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains embedded VBA macros. Reviewer note: a VBA project is present but all four module streams below contain empty code, so there is no macro logic to analyze and the 10/10 relevance overstates this entry; the network activity must come from another mechanism (see "Possible document exploit detected").
- details
-
File "ThisWorkbook.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/ThisWorkbook") has code: ""
File "Sheet1.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet1") has code: ""
File "Sheet2.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet2") has code: ""
File "Sheet3.cls" (Streampath: "_VBA_PROJECT_CUR/VBA/Sheet3") has code: "" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204 (Show technique in the MITRE ATT&CK™ matrix)
-
Creates mutants
- details
-
"\BaseNamedObjects\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\SM0:3692:120:WilError_01"
"http://shtu.be/"
"SM0:3692:120:WilError_01"
"Local\ZonesCacheCounterMutex"
"Local\SM0:3692:304:WilStaging_02"
"KYIMEShareCachedData.MutexObject.%OSUSER%"
"x64_10MU_ACB10_S-1-5-5-0-206193"
"Local\ZonesLockedCacheCounterMutex"
"InternetExplorerDOMStoreQuota"
"KYTransactionServer.MutexObject.%OSUSER%"
"x64_10MU_ACBPIDS_S-1-5-5-0-206193"
"\Sessions\1\BaseNamedObjects\x64_10MU_ACBPIDS_S-1-5-5-0-206193"
"\Sessions\1\BaseNamedObjects\x64_10MU_ACB10_S-1-5-5-0-206193"
"\Sessions\1\BaseNamedObjects\Local\SM0:3692:304:WilStaging_02"
"\Sessions\1\BaseNamedObjects\SM0:3692:120:WilError_01"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\SM0:3692:120:WilError_01"
"\BaseNamedObjects\MTX_MSO_Formal1_S-1-5-21-735145574-3570218355-1207367261-1001"
"\BaseNamedObjects\MTX_MSO_AdHoc1_S-1-5-21-735145574-3570218355-1207367261-1001"
"\Sessions\1\BaseNamedObjects\InternetExplorerDOMStoreQuota"
"\Sessions\1\BaseNamedObjects\http://shtu.be/"
"\Sessions\1\BaseNamedObjects\KYIMEShareCachedData.MutexObject.%OSUSER%"
"\Sessions\1\BaseNamedObjects\KYTransactionServer.MutexObject.%OSUSER%" - source
- Created Mutant
- relevance
- 3/10
-
Found a potential E-Mail address in binary/memory. Reviewer note: the matches below are npm-style package@version path segments (bootstrap@5.1.3, jquery@3.6.0, ...) consistent with the cdn.jsdelivr.net lookups in "Queries DNS server", not e-mail addresses — false positive.
- details
-
Pattern match: "bootstrap@5.1.3"
Pattern match: "bootstrap-icons@1.8.1"
Pattern match: "ekko-lightbox@5.3.0"
Pattern match: "bootstrap-select@1.14.0"
Pattern match: "pretty-checkbox@3.0"
Pattern match: "jquery@3.6.0"
Pattern match: "jquery-validation@1.19.1"
Pattern match: "dayjs@1.9.3"
Pattern match: "lazysizes@5.2.2" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114 (Show technique in the MITRE ATT&CK™ matrix)
-
Found a reference to a known community page
- details
-
Found string ".bi-twitter::before { content: "\f5ef"; }" (Indicator: "twitter"; File: "bootstrap-icons_1_.css")
Found string ".bi-youtube::before { content: "\f62b"; }" (Indicator: "youtube"; File: "bootstrap-icons_1_.css")
Found string ".bi-paypal::before { content: "\f662"; }" (Indicator: "paypal"; File: "bootstrap-icons_1_.css")
file/memory contains long string with (Indicator: "twitter"; File: "f_1_.txt")
Found string ""__ccd_em_video":{"listen_data_layer":{"accessType":"specific","allowedEvents":["gtm.video"]},"access_template_storage":{},"detect_youtube_activity_events":{"allowFixMissingJavaScriptApi":false}}" (Indicator: "youtube"; File: "js_1_.js")
file/memory contains long string with (Indicator: "youtube"; File: "js_1_.js")
file/memory contains long string with (Indicator: "facebook.com"; File: "js_1_.js")
Found string "return b}vD.D="internal.enableAutoEventOnTimer";var vc=da(["data-gtm-yt-inspected-"]),wD=["www.youtube.com","www.youtube-nocookie.com"],xD,yD=!1;" (Indicator: "youtube"; File: "js_1_.js")
Found string "* Copyright 2011-2021 Twitter, Inc." (Indicator: "twitter"; File: "bootstrap.min_1_.css")
Found string "<meta name="twitter:card" content="summary"></meta>" (Indicator: "twitter"; File: "7c9d1c_1_.htm") - source
- File/Memory
- relevance
- 2/10
-
Loads modules at runtime. Reviewer note: the entry "%WINDIR%\TEMP\VXOLE64.DLL" stands out as a DLL loaded from a writable temp directory, but it is likely the sandbox's own instrumentation (Falcon Sandbox was formerly VxStream) rather than a dropped payload — verify against a clean baseline run before treating it as an IOC. The MSHTML.DLL, JSCRIPT9.DLL, IEFRAME.DLL, URLMON.DLL and WININET.DLL loads indicate an embedded HTML/browser component executing inside EXCEL.EXE.
- details
-
"EXCEL.EXE" loaded module "API-MS-WIN-CORE-SYNCH-L1-2-0" at base 334f0000
"EXCEL.EXE" loaded module "API-MS-WIN-CORE-FIBERS-L1-1-1" at base 334f0000
"EXCEL.EXE" loaded module "API-MS-WIN-CORE-LOCALIZATION-L1-2-1" at base 334f0000
"EXCEL.EXE" loaded module "KERNEL32" at base 345c0000
"EXCEL.EXE" loaded module "%WINDIR%\TEMP\VXOLE64.DLL" at base 226f0000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE14\MSO.DLL" at base 13610000
"EXCEL.EXE" loaded module "MSO.DLL" at base 13610000
"EXCEL.EXE" loaded module "COMCTL32.DLL" at base 24320000
"EXCEL.EXE" loaded module "KERNEL32.DLL" at base 345c0000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE14\CULTURES\OFFICE.ODF" at base 5100000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\UXTHEME.DLL" at base 31a80000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE14\1033\MSOINTL.DLL" at base 5c60000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE14\MSORES.DLL" at base 5ed0000
"EXCEL.EXE" loaded module "IMM32.DLL" at base 36c10000
"EXCEL.EXE" loaded module "DWMAPI.DLL" at base 31cf0000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\MSIMTF.DLL" at base 17d60000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE14\RICHED20.DLL" at base 17190000
"EXCEL.EXE" loaded module "GDIPLUS.DLL" at base 12cf0000
"EXCEL.EXE" loaded module "%WINDIR%\WINSXS\AMD64_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.1.16299.248_NONE_46B9C4E9EDF1CFA5\GDIPLUS.DLL" at base 12cf0000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\MSCOREE.DLL" at base 23d10000
"EXCEL.EXE" loaded module "ADVAPI32.DLL" at base 36af0000
"EXCEL.EXE" loaded module "%WINDIR%\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\MSCOREEI.DLL" at base 170e0000
"EXCEL.EXE" loaded module "SHLWAPI.DLL" at base 34930000
"EXCEL.EXE" loaded module "API-MS-WIN-APPMODEL-RUNTIME-L1-1-2.DLL" at base 334b0000
"EXCEL.EXE" loaded module "VERSION.DLL" at base 2e6b0000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICESOFTWAREPROTECTIONPLATFORM\OSPPC.DLL" at base 75c80000
"EXCEL.EXE" loaded module "RPCRT4.DLL" at base 34990000
"EXCEL.EXE" loaded module "UXTHEME.DLL" at base 31a80000
"EXCEL.EXE" loaded module "COMCTL32" at base 24320000
"EXCEL.EXE" loaded module "POWRPROF.DLL" at base 33460000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\MSCTF.DLL" at base 36870000
"EXCEL.EXE" loaded module "WTSAPI32.DLL" at base 2e550000
"EXCEL.EXE" loaded module "NTDLL.DLL" at base 370f0000
"EXCEL.EXE" loaded module "SHELL32.DLL" at base 34ca0000
"EXCEL.EXE" loaded module "OLEAUT32.DLL" at base 34ab0000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\PROPSYS.DLL" at base 2da60000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\URLMON.DLL" at base 28f20000
"EXCEL.EXE" loaded module "USER32.DLL" at base 36280000
"EXCEL.EXE" loaded module "API-MS-WIN-CORE-URL-L1-1-0.DLL" at base 334f0000
"EXCEL.EXE" loaded module "SSPICLI.DLL" at base 33370000
"EXCEL.EXE" loaded module "MSISO.DLL" at base 2a960000
"EXCEL.EXE" loaded module "MPR.DLL" at base 2e6c0000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\VERSION.DLL" at base 2e6b0000
"EXCEL.EXE" loaded module "%ALLUSERSPROFILE%\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.12.17007.18022-0\MPOAV.DLL" at base 23b40000
"EXCEL.EXE" loaded module "%ALLUSERSPROFILE%\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.12.17007.18022-0\MPCLIENT.DLL" at base 15390000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\KERNEL32.DLL" at base 345c0000
"EXCEL.EXE" loaded module "USERENV.DLL" at base 33340000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\ADVAPI32.DLL" at base 36af0000
"EXCEL.EXE" loaded module "GDI32.DLL" at base 36c40000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\DATAEXCHANGE.DLL" at base 1f5d0000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\MSXML6.DLL" at base 27030000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\DWMAPI.DLL" at base 31cf0000
"EXCEL.EXE" loaded module "%ALLUSERSPROFILE%\MICROSOFT\WINDOWS DEFENDER\PLATFORM\4.12.17007.18022-0\MPCLIENT.DLL" at base 26220000
"EXCEL.EXE" loaded module "PHONEINFO.DLL" at base 0
"EXCEL.EXE" loaded module "ONDEMANDCONNROUTEHELPER.DLL" at base 17a10000
"EXCEL.EXE" loaded module "WINHTTP.DLL" at base 2d980000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\ONDEMANDCONNROUTEHELPER.DLL" at base 17a10000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\MSWSOCK.DLL" at base 32c70000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\RASADHLP.DLL" at base 2bb50000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\FWPUCLNT.DLL" at base 2d1b0000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\WS2_32" at base 34b80000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\SCHANNEL.DLL" at base 327c0000
"EXCEL.EXE" loaded module "MSKEYPROTECT.DLL" at base 27910000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\WINTRUST.DLL" at base a500000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\RSAENH.DLL" at base 32880000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\BCRYPTPRIMITIVES.DLL" at base 341a0000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\NCRYPTSSLP.DLL" at base 278b0000
"EXCEL.EXE" loaded module "WS2_32.DLL" at base 34b80000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\MSHTML.DLL" at base 9300000
"EXCEL.EXE" loaded module "URLMON.DLL" at base 28f20000
"EXCEL.EXE" loaded module "WLDP.DLL" at base 32470000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\WINDOWS.STORAGE.DLL" at base 337b0000
"EXCEL.EXE" loaded module "SRPAPI.DLL" at base 17e00000
"EXCEL.EXE" loaded module "CSCAPI.DLL" at base 26ce0000
"EXCEL.EXE" loaded module "EXT-MS-WIN-RTCORE-NTUSER-WINDOW-EXT-L1-1-0.DLL" at base 36280000
"EXCEL.EXE" loaded module "EXT-MS-WIN-RTCORE-NTUSER-INTEGRATION-L1-1-0.DLL" at base 36280000
"EXCEL.EXE" loaded module "API-MS-WIN-CORE-COM-L1-1-0.DLL" at base 36560000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\OLE32.DLL" at base 36410000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\JSCRIPT9.DLL" at base 13180000
"EXCEL.EXE" loaded module "JSCRIPT9.DLL" at base 13180000
"EXCEL.EXE" loaded module "API-MS-WIN-CORE-WINRT-L1-1-0.DLL" at base 36560000
"EXCEL.EXE" loaded module "API-MS-WIN-CORE-WINRT-STRING-L1-1-0.DLL" at base 36560000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\COMBASE.DLL" at base 36560000
"EXCEL.EXE" loaded module "%WINDIR%\SYSTEM32\IEFRAME.DLL" at base 86b0000
"EXCEL.EXE" loaded module "SECUR32.DLL" at base 2e450000
"EXCEL.EXE" loaded module "MLANG.DLL" at base 17e30000
"EXCEL.EXE" loaded module "PROPSYS.DLL" at base 2da60000
"EXCEL.EXE" loaded module "API-MS-WIN-DOWNLEVEL-SHLWAPI-L2-1-0.DLL" at base 34880000
"EXCEL.EXE" loaded module "WININET.DLL" at base 23f70000
"EXCEL.EXE" loaded module "API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0.DLL" at base 36560000
"EXCEL.EXE" loaded module "EXT-MS-WIN-CORE-RESOURCEPOLICY-L1-1-0.DLL" at base 31e00000
"EXCEL.EXE" loaded module "D3D10WARP.DLL" at base 2eb70000
"EXCEL.EXE" loaded module "IEFRAME.DLL" at base 86b0000
"EXCEL.EXE" loaded module "OLE32.DLL" at base 36410000
"EXCEL.EXE" loaded module "%PROGRAMFILES%\MICROSOFT OFFICE\OFFICE14\MSOSTYLE.DLL" at base 2a870000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE14\MSPTLS.DLL" at base 261d0000
"EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\OFFICE14\USP10.DLL" at base 75bb0000 - source
- API Call
- relevance
- 1/10
- ATT&CK ID
- T1129 (Show technique in the MITRE ATT&CK™ matrix)
-
Loads rich edit control libraries
- details
- "EXCEL.EXE" loaded module "\Program Files\Common Files\microsoft shared\OFFICE14\RICHED20.DLL" at 17190000
- source
- Loaded Module
- ATT&CK ID
- T1129 (Show technique in the MITRE ATT&CK™ matrix)
-
Matched Compiler/Packer signature (DIE)
- details
-
"informe bancario y motivo del pago rechazado.xla" was detected as "Microsoft Compound" and name: "Archive"
"informe bancario y motivo del pago rechazado.xla" was detected as "Microsoft Compound" and name: "Data" - source
- Static Parser
- ATT&CK ID
- T1027 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries DNS server
- details
-
"cdn.jsdelivr.net"
"googleads.g.doubleclick.net"
"pagead2.googlesyndication.com"
"shtu.be" - source
- Network Traffic
- relevance
- 1/10
- ATT&CK ID
- T1071.004 (Show technique in the MITRE ATT&CK™ matrix)
-
References JavaScript(s)
- details
-
file/memory contains long string with (Indicator: "text/javascript"; File: "js_1_.js")
file/memory contains long string with (Indicator: "text/javascript"; File: "f_1_.txt")
file/memory contains long string with (Indicator: "text/javascript"; File: "SSL") - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1059.007 (Show technique in the MITRE ATT&CK™ matrix)
-
References Windows filepaths for DLLs (possible dropped files)
- details
-
Observed system executable string:"%WINDIR%\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.248_none_46b9c4e9edf1cfa5\GdiPlus.dll" [Source: 00000000-00003692-00000C25-53623714]
Observed system executable string:"%WINDIR%\system32\mscoree.dll" [Source: 00000000-00003692-00000C25-53733948]
Observed system executable string:"%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll" [Source: 00000000-00003692-00000C25-54317021]
Observed system executable string:"%WINDIR%\system32\version.dll" [Source: 00000000-00003692-00000C25-67989338]
Observed system executable string:"%WINDIR%\system32\kernel32.dll" [Source: 00000000-00003692-00000C25-68778765]
Observed system executable string:"%WINDIR%\system32\advapi32.dll" [Source: 00000000-00003692-00000C25-69027281]
Observed system executable string:"%WINDIR%\system32\ADVAPI32.DLL" [Source: 00000000-00003692-00000C25-75099566]
Observed system executable string:"%WINDIR%\system32\KERNEL32.DLL" [Source: 00000000-00003692-00000C25-75420591] - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1083 (Show technique in the MITRE ATT&CK™ matrix)
-
Contacts domains
-
Installation/Persistence
-
Creates/edits LNK file (Windows shortcut). Reviewer note: the two writes below are Office's normal Recent-files MRU shortcut for the opened workbook, not a startup-folder persistence mechanism; the T1547.009 mapping is a stretch for this behaviour.
- details
-
"EXCEL.EXE" writes to LNK file "%APPDATA%\Microsoft\Office\Recent\informebancarioymotivodelpagorechazado.xla.LNK"
"EXCEL.EXE" writes to LNK file "%APPDATA%\Microsoft\Office\Recent\informebancarioymotivodelpagorechazado.xla.LNK" - source
- API Call
- relevance
- 3/10
- ATT&CK ID
- T1547.009 (Show technique in the MITRE ATT&CK™ matrix)
-
Dropped files. Reviewer note: apart from the Office MRU artifacts (the .LNK and index.dat), every entry below is cached web content from the shtu.be page (7c9d1c_1_.htm and its CSS/JS libraries); no executable payload is listed, but two suspicious indicators are withheld from this report, so the absence of a binary here is not conclusive.
- details
-
"f_1_.txt" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"js_1_.js" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"bootstrap.min_1_.css" has type "UTF-8 Unicode text with very long lines"- [targetUID: 00000000-00003692]
"jquery.min_1_.js" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"bootstrap-icons_1_.css" has type "ASCII text"- [targetUID: 00000000-00003692]
"bootstrap.bundle.min_1_.js" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"bootstrap-colors_1_.css" has type "ASCII text with very long lines with CRLF line terminators"- [targetUID: 00000000-00003692]
"bootstrap-colors-themes_1_.css" has type "ASCII text with very long lines with no line terminators"- [targetUID: 00000000-00003692]
"jquery.validate.min_1_.js" has type "UTF-8 Unicode text with very long lines"- [targetUID: 00000000-00003692]
"jxbbs2022.06.06_1_.css" has type "ASCII text with very long lines with no line terminators"- [targetUID: 00000000-00003692]
"pretty-checkbox.min_1_.css" has type "ASCII text with very long lines with CRLF line terminators"- [targetUID: 00000000-00003692]
"vspacing.min_1_.css" has type "ASCII text with very long lines with no line terminators"- [targetUID: 00000000-00003692]
"bootstrap-select.min_1_.css" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"zrt_lookup_nohtml_1_.htm" has type "HTML document ASCII text with very long lines"- [targetUID: 00000000-00003692]
"lazysizes.min_1_.js" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"ekko-lightbox.min_1_.css" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"dayjs.min_1_.js" has type "ASCII text with very long lines"- [targetUID: 00000000-00003692]
"7c9d1c_1_.htm" has type "HTML document UTF-8 Unicode text"- [targetUID: 00000000-00003692]
"informebancarioymotivodelpagorechazado.xla.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Fri Mar 1 14:39:23 2024 mtime=Fri Mar 1 14:39:23 2024 atime=Fri Mar 1 14:39:34 2024 length=30720 window=hide"- Location: [%APPDATA%\Microsoft\Office\Recent\informebancarioymotivodelpagorechazado.xla.LNK]- [targetUID: 00000000-00003692]
"index.dat" has type "Generic INItialization configuration [misc]\015"- Location: [%APPDATA%\Microsoft\Office\Recent\index.dat]- [targetUID: 00000000-00003692]
"shtu_1_.xml" has type "ASCII text with no line terminators"- [targetUID: 00000000-00003692] - source
- Binary File
- relevance
- 3/10
- ATT&CK ID
- T1105 (Show technique in the MITRE ATT&CK™ matrix)
-
Drops XML files
- details
- "shtu_1_.xml" has type "ASCII text with no line terminators"
- source
- Binary File
- relevance
- 1/10
- ATT&CK ID
- T1105 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens a handle to the specified process
- details
-
"EXCEL.EXE" opens a process "%PROGRAMFILES%\Microsoft Office\Office14\EXCEL.EXE" (UID: 00000000-00003692)
"EXCEL.EXE" opens a process "C:\Windows\explorer.exe" (UID: 00000000-00003692) - source
- API Call
- relevance
- 3/10
- ATT&CK ID
- T1057 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens registry keys
- details
-
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\DEVICECLASSES\{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\DEVICECLASSES\{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}\PROPERTIES"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{815EAD30-0000-0000-0000-501F00000000}\"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{CF69D5AC-242F-11EB-9BFF-806E6F6E6963}\"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{815EAD30-0000-0000-0000-100000000000}\"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKLM\SOFTWARE\MICROSOFT\IDENTITYSTORE\PROVIDERS\{B16898C6-A148-4967-9171-64D755DA8520}\LOADPARAMETERS"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\AAD\PACKAGE"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\DEFAULTS\PROVIDER\MICROSOFT ENHANCED RSA AND AES CRYPTOGRAPHIC PROVIDER"; Key: ""; Value: "")
"EXCEL.EXE" (Access type: "OPEN"; Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: ""; Value: "") - source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries registry keys
- details
-
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{815EAD30-0000-0000-0000-501F00000000}"; Key: "DATA"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{815EAD30-0000-0000-0000-501F00000000}"; Key: "GENERATION"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{CF69D5AC-242F-11EB-9BFF-806E6F6E6963}"; Key: "DATA"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{CF69D5AC-242F-11EB-9BFF-806E6F6E6963}"; Key: "GENERATION"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{815EAD30-0000-0000-0000-100000000000}"; Key: "DATA"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{815EAD30-0000-0000-0000-100000000000}"; Key: "GENERATION"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\IDENTITYSTORE\PROVIDERS\{B16898C6-A148-4967-9171-64D755DA8520}\LOADPARAMETERS"; Key: "LOGINURI"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\DEFAULTS\PROVIDER\MICROSOFT ENHANCED RSA AND AES CRYPTOGRAPHIC PROVIDER"; Key: "TYPE"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\DEFAULTS\PROVIDER\MICROSOFT ENHANCED RSA AND AES CRYPTOGRAPHIC PROVIDER"; Key: "IMAGE PATH"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "SAFETY WARNING LEVEL"; Value: "") - source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Touches files
- details
-
"EXCEL.EXE" trying to touch file "C:\Windows\System32\apphelp.dll"
"EXCEL.EXE" trying to touch file "%PROGRAMFILES%\Microsoft Office\Office14\EXCEL.EXE"
"EXCEL.EXE" trying to touch file "C:\Windows\System32\ntdll.dll"
"EXCEL.EXE" trying to touch file "C:\Windows\System32\kernel32.dll"
"EXCEL.EXE" trying to touch file "C:\Windows\System32\KernelBase.dll"
"EXCEL.EXE" trying to touch file "C:\Windows\apppatch\sysmain.sdb"
"EXCEL.EXE" trying to touch file "C:\Windows\System32\AcGenral.dll"
"EXCEL.EXE" trying to touch file "C:\Windows\System32\sspicli.dll"
"EXCEL.EXE" trying to touch file "C:\Windows\System32\userenv.dll"
"EXCEL.EXE" trying to touch file "C:\Windows\System32\mpr.dll" - source
- API Call
- relevance
- 1/10
- ATT&CK ID
- T1083 (Show technique in the MITRE ATT&CK™ matrix)
-
Writes log files
- details
-
"EXCEL.EXE" writes a file "%APPDATA%\Microsoft\Office\Recent\index.dat"
"EXCEL.EXE" writes a file "%APPDATA%\Microsoft\Office\Recent\index.dat" - source
- API Call
- relevance
- 1/10
- ATT&CK ID
- T1074.001 (Show technique in the MITRE ATT&CK™ matrix)
-
Creates/edits LNK file (Windows shortcut)
-
Network Related
-
Calls an API typically used to create an HTTP or FTP session
- details
-
"EXCEL.EXE" called "InternetConnectW" to server "cdn.jsdelivr.net" on port 443 (UID: 00000000-00003692)
"EXCEL.EXE" called "InternetConnectW" to server "shtu.be" on port 443 (UID: 00000000-00003692)
"EXCEL.EXE" called "InternetConnectW" to server "pagead2.googlesyndication.com" on port 443 (UID: 00000000-00003692)
"EXCEL.EXE" called "InternetConnectW" to server "www.googletagmanager.com" on port 443 (UID: 00000000-00003692)
"EXCEL.EXE" called "InternetConnectW" to server "googleads.g.doubleclick.net" on port 443 (UID: 00000000-00003692)
"EXCEL.EXE" called "InternetConnectW" to server "www.google-analytics.com" on port 443 (UID: 00000000-00003692) - source
- API Call
- relevance
- 3/10
- ATT&CK ID
- T1071 (Show technique in the MITRE ATT&CK™ matrix)
-
Calls an API typically used to create a new HTTP request
- details
-
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/bootstrap-icons@1.8.1/font/bootstrap-icons.css" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/ekko-lightbox@5.3.0/dist/ekko-lightbox.min.css" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/bootstrap-select@1.14.0-beta3/dist/css/bootstrap-select.min.css" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/pretty-checkbox@3.0/dist/pretty-checkbox.min.css" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /static/jxbbs2022.06.06.css" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /static/vspacing.min.css" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /static/bootstrap-colors.css" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /static/bootstrap-colors-themes.css" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /pagead/js/adsbygoogle.js" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/jquery@3.6.0/dist/jquery.min.js" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/jquery-validation@1.19.1/dist/jquery.validate.min.js" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/dayjs@1.9.3/dayjs.min.js" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /npm/lazysizes@5.2.2/lazysizes.min.js" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /gtag/js?id=G-6FQTKVJCYW" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /pagead/managed/js/adsense/m202402260101/show_ads_impl.js?bust=31081466" - (UID: 00000000-00003692), "EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /pagead/html/r20240228/r20190131/zrt_lookup_nohtml.html" - (UID: 00000000-00003692)
"EXCEL.EXE" called "HttpOpenRequestW" with parameter HTTP method:"GET" object: /g/collect?v=2&tid=G-6FQTKVJCYW>m=45je42s0v892032111za220&_p=1709304019358&gcd=13l3l3l3l1&npa=0&dma=0&cid=335445623.1709304020&u" - (UID: 00000000-00003692) - source
- API Call
- relevance
- 3/10
- ATT&CK ID
- T1071 (Show technique in the MITRE ATT&CK™ matrix)
-
Communicates with HTTP webserver (GET/POST requests)
- details
- Found HTTP requests in header "GET /7c9d1c"
- source
- Network Traffic
- relevance
- 1/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
Communicates with HTTPS webserver (GET/POST requests)
- details
-
Found requests in header "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: shtu.be"; in File: "SSL")
Found requests in header "GET /ppfor/ffww/7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: shtu.beCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"; in File: "SSL")
Found requests in header "GET /static/jxbbs2022.06.06.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"; in File: "SSL")
Found requests in header "GET /static/bootstrap-colors.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"; in File: "SSL")
Found requests in header "GET /static/vspacing.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"; in File: "SSL")
Found requests in header "GET /static/bootstrap-colors-themes.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"; in File: "SSL")
Found requests in header "GET /npm/bootstrap@5.1.3/dist/css/bootstrap.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/ekko-lightbox@5.3.0/dist/ekko-lightbox.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/pretty-checkbox@3.0/dist/pretty-checkbox.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/jquery-validation@1.19.1/dist/jquery.validate.min.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/bootstrap-icons@1.8.1/font/bootstrap-icons.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/bootstrap-select@1.14.0-beta3/dist/css/bootstrap-select.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/dayjs@1.9.3/dayjs.min.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/lazysizes@5.2.2/lazysizes.min.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /npm/jquery@3.6.0/dist/jquery.min.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /pagead/js/adsbygoogle.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pagead2.googlesyndication.comConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /pagead/managed/js/adsense/m202402260101/show_ads_impl.js?bust=31081466 HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: pagead2.googlesyndication.comConnection: Keep-Alive"; in File: "SSL")
Found requests in header "GET /pagead/html/r20240228/r20190131/zrt_lookup_nohtml.html HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: googleads.g.doubleclick.netConnection: Keep-Alive"; in File: "SSL") - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
Decrypted SSL network traffic
- details
-
"GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: shtu.be"
"GET /ppfor/ffww/7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: shtu.beCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"
"7ff��X͒���S ��HV3�V��r��W��d%+�*������cC�XVU.��*�s�'|�ٗ$�����[�0?�p��Ve�3ht�h4�ќ������=}�f6ӽ�{ Ady =G¦{�,AtF�y�M�=ӽ��V����O��?|�^<;�5���$�Ȼ�r�43�JZ�6�ϔ�N`X������н������������o����_�[��-�߬io��������-���P�s˕\Y��Y�c������~�>UYN,�t���a,�k��\i�a]rfg�����q�-'JD�0#�<+�v쏆�0��1�D�!23���'�FRQ��"P�}���p�b./!�$�1%9�\N暨]rkAQ�Y��YFt�M'�cner�rж�<�Zt$�G�Q��-�� ���$Y.�������{ǖy��%Ć[���"�[�p�%�3�H���\�P�!cKf`=4Ӑ��E��熁��K��̳ V��I~r���~���5f=�g\��y���ucN�4'���DI{u����..<��X]�����^��ĻW��i@�'���G8K���a[�ݹ����kKLg@/�KV�2q���%��`~�f<�����)���r���֛A�Pڼw@lg��vܠ)b�b%��yqZ�|�2#�1��D��)(2��5�K%�C�E�$lU�3���F��J�-dS����\C��$H��[��x9�Z慱<)q��Z�-Е�KMJ���!ɉ�E��I��o���o��&O'�5$!(!ؕ �]��Ӊɉ���q9��$ ?��]�b�b�g�0�.�5��6�_����#%�5�,�h�$��e���CZwm�D��CDs��A`qّ;sĆa�yV�mыk8�4����m��Zlv�9S���ۓs�Nk�I0��Ba����ȫ���Vb*�1b�f�d|�u������n\��*<�W�Ju��a�r��ͣ�ȅӘW�X�]r�h�2���fL\�.Q���{�S!��.��;�4=un���A�k���즮�6SP.:�8�5a�1X�b�*57q`�GաZ�n�7�s���m�7�}������C�"(��*%�U�4-qW6�4��� ѱw��}��.��)%EF�u]�I���T�T�)%㔸[�OU��sf�f���EK�9ݛpiZ}.�.N.;�\��(���@��WwQJp^��p}�{'Gw��P6���p����{ag&Q:#6�HႻ�&�u+�5�\I��>�\��7����(BK.�Z�]�_�?�i�煙�_�w�=D6�����YCm�h��T�n��*��␑.S�-bJǩ!�,����i��ˣ6��F�7��uYQ��dڈ��q�^*��=��o�P|M�h�4���~�i�j��4^8�v���4�CԜ�>{��k�M(�6'l����X̥Kvu��e�*�:�Y|��5�te�s��?���-=(�����V#��;utZs�@��Su[�?�(�1�rU�u�$�h��Ag�\ef�%$s�<o��j� �DO���@����$э�����^�.O��;m?SS�N�J����xAgU�vmݡn(hf�F��6��n���)a������)p�7B���/���c���.�Л��eS-I3"I����%i07�9�>�w>���o~����~�|���z���)A�K̚T��=��BR�����^�X��CtZd ���C5SonzC$a����xo5E�Lx��^����xo����W�֊��ՊZ��~ٹ)�~�cv�W2~�����w����evX��_fl�.���|���W��`����[��d�X9)_�L�M���G��5q��[ms��|WW�N����˴?:�����V�ҽ:�+�A� I�����_���z�N������b�ZnS�z�u�����p\CR�;����?���@["
"HTTP/1.1 301 Moved PermanentlyDate: Fri, 01 Mar 2024 14:40:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-alivelocation: /ppfor/ffww/7c9d1cset-cookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; Path=/; Expires=Mon, 11 Mar 2024 14:40:12 GMT; Max-Age=864000; HttpOnlyset-cookie: lan=en; Path=/; Expires=Mon, 11 Mar 2024 14:40:12 GMT; Max-Age=864000; HttpOnlyexpires: Fri, 01 Mar 2024 14:40:12 GMTCache-Control: max-age=0Cache-Control: no-storeCache-Control: no-cacheCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FT%2FrSyTUdcMJbrguXtg2W2fQeeUG1A%2F2sSmy1BeiePMymZdh%2Blp3URoy92E0hq4MUFG3%2BrakFeVojiGsAvMecwlrdf%2BZ4m0PQjPoJbgablus8mLDRFqvr6s0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 85d9e69a580b6809-SJCalt-svc: h3=":443"; ma=86400"
"35<a href="/ppfor/ffww/7c9d1c">Moved Permanently</a>."
"HTTP/1.1 200 OKDate: Fri, 01 Mar 2024 14:40:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveset-cookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; Path=/; Expires=Mon, 11 Mar 2024 14:40:12 GMT; Max-Age=864000; HttpOnlyset-cookie: lan=en; Path=/; Expires=Mon, 11 Mar 2024 14:40:12 GMT; Max-Age=864000; HttpOnlyexpires: Fri, 01 Mar 2024 14:40:12 GMTCache-Control: max-age=0Cache-Control: no-storeCache-Control: no-cacheCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=h5B5%2B34NOugN8hyli6apKrB9ilaOIQ6Lb%2FMesYrdjbz9TGiNKJHY5AeS6Z9R1zlAy3d51lvTa0XA7AZrWoHG1IFQ212df7sBZcz7Zi3uGu49oCWLhWBqcf1E"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 85d9e69e1f746809-SJCContent-Encoding: gzipalt-svc: h3=":443"; ma=86400"
"GET /static/jxbbs2022.06.06.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"
"GET /static/bootstrap-colors.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"
"GET /static/vspacing.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"
"GET /static/bootstrap-colors-themes.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: shtu.beConnection: Keep-AliveCookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en"
"HTTP/1.1 200 OKDate: Fri, 01 Mar 2024 14:40:15 GMTContent-Type: text/css; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCache-Control: public, max-age=2592000Cf-Bgj: minifyCf-Polished: origSize=52931expires: Sat, 30 Mar 2024 17:08:35 GMTlast-modified: Sat, 02 Apr 2022 10:20:16 GMTsurrogate-control: public, max-age=2592000vary: Accept-EncodingCF-Cache-Status: HITAge: 77500Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4zfUjXv4c7rWlT0E2pyBWDmlv9lziKTsTS6iu8WFA6s3WgzfpbXujRT60ccac6aYC5oR%2BWv3gtU7v5L0hUsfiy3aeji2JI0SkhpoXD8%2BzhZeMwsO6cYun%2Bg1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 85d9e6af28346809-SJCContent-Encoding: gzipalt-svc: h3=":443"; ma=86400"
"120e���ێ�6��[��@n���n⍳k}����lԱ���0��?ă4#Όfh����9���٬.�s{�Ϗ�z߮>���������_~���������_~�i>������U������z��������iw�ϫ�ϛ���O}Ko{�~y�}��t>���Ţ��[�>v�o�/���Wv�o۷ejM��_������>ա{˥�Mh�����$������o����b���g��ݾ}J�Q�-��֝����|>�>���-@����G�E?���'r��Ͻ�r�\�I�Q��������x��⍅���͏;����,�����y�Q�{�7���[{�Q��������랇p-��SkT����߭���{7c���`�7�No6��\�~�}\'�M�������Mj�?��e���,�����7w�z8>dn��i�Z;�����K�����Ǘj>o����˗�7�c�ЛXڼz�9j/7�7��}�;�)���7��w��o�翛��7ụ�f������>�����|Y}[_~MY������M����|ٹKo.<ђ5Jj�u���z�0�Lr�uiЪ�2ѯNd�-�ŋ�Nl��N{�f�o��Ur�*1������]��C�>��ۿ�g��ѷ\7�������}��������>���w�����v��*5ڇ<T�2x;��_{������q�m��L��������^�ͮ���s]���fTy0UcKjS#\�������pr���S{Y�ޛ�ŝZ���u]���|r�ӆ��T�>��f��<�x���s6ʪ�o2�F�#�/9}Y�\�̩0k:3O+y���vc�=�����+��>�ޜϤd;f�$�����ٴ�^���ݻ�.�>���=�w�+����Gw���������ئ=7� ��t<�$�:��y��f~h�WӆO.8�`�ܥ���̨r� v&7qG�')�Z���ˊ�]�a/G�L�����%���;\Vt�/�F=��}��������pe�oO��ʁ��Y�M����:��u�L�H�M�������'?zH�'�$��m��zD9�P�Z��?������DAj���2L@_q� 4���rB���Ы�.d�]CS�7$�4Ds���f��������#��n� _&(A���J�5�wm60�m��K��z��L�k�y�!_���>�3��(SF�T��'����vp;���[��mB�(KDO�\�w����d���� �:�C�X��?q��Dq�ŋ�Nq@>��6�|���Ǚ�� ��h{��?c�E ���#�>@y�+d�f���#q���^'3���F�9�U�ʈh��QwBx<mȫ����0x[6a#4�K�5�5��sȠ(���S? 
`��[Z��-H�@ơq��짆ݕ߃t��QvM���ρ?����$��6��oϾ(�����h��M�F(0� %�(�*c@�l�䂣�Y�Z ��jrc/&�5P(t�ɸ���%n��/��`&���jp�Mr�����%֨�[tb_`10hpb�#\���S>�r`�lV�4G�f����>mݳSp�"Fo����j2�ɏR��4�+�|[<�<�QN!ԸV%�O8C�+w�z0QП�5���W�!��|Ơ�P�13�j��r�ДB��"ќ4�g���3@��r��棛4ȗJ�t9<�{����]��u[���r�^r?S�@��`^�p�@�Cp(>�O��L,#ʔ�%+v�4��#�����[��mB�(KDO�\�w���_�]c�Fz�0��c��m��~A�Z�(��#��Dͺ�8ӕ�ް�a�>�g,�hd�A�G�Q��C�X!�7=�hIC-F��8Y��0��F���VFB~��£i�^���Бyoʦ������9dQ�^̩�RĿ)����W ��8CO�S����A�}�(�&IE�����un��V��g_�R@�nv_4G�&t#�o�W`�1 [6|r���偬d-�I5����(��k�eE�.���#^F�L�/I��zK�patXA��$���7�ž�b`���`G�2ɷ�|V���٬�i�&��?�Kc|ںg��$E�&�v���d�=�L�h�W��xXyD=��B�q�J�p��W��`��?5�k�&��8C����A9�xcf��x2审)���E�9i�vM3�g���qw���G7h�/� �rx%�ͻ6��T�%_���~��е����/���P|�ڍ�XF�)#xK*V�hpaGnq;�~7���ۄ�Q������� Y�_�$�����a���Z5�MM��(�xQ�)�G:퉟u9��|Wb(z�f@�]���Т��q�e� �G�#�b���h�Q �$��K�d%��r&�G�*[p�9SD�h�k"�#g%ޔ`##4�K7J)5��ʢ(0��f����o�4y��94���Rî0�Z��$���\E�e�:7�*���@�c�ڀ��4�{�/&?�#7B���)q�V��=�Y5�R^>>�R��]>L���~c)�&ݻ��^�x}3��$U�_�*��%�aA��k���i�ˆA���$ߞ�Y�w?��0�Ѥ�@����uݳ�[p�"fo��$����'?zj�'X%�����(��XB�kU��7��r'���O�5��X�!�M�|Ơ�P�13�j��r�ДR��"ќ4p���3`��r��棛5ȗJ�t9^�{����]���u[������=���:B���C��C�1��6ڞ��%�1~�E��1��'��~�?�ػw�9��2zfroI��Ҁ�37�aAx�����}��=hpb�#s#���ϪT?��0�Ѥ���~i��/S��!���I��.`n`���}�'�iq�(�����+N�G�c5�UI����ʝ�L��fnM�!��g2@37�1('��m�����B��54��}C�HC4'M�Ԯi��;<��>����T�e�$]����^� 1w�fcnݖꙻ䫜����!�6���P�����S�1ˈ2e�mIŊ�q.�-nG��?��-t�2g��^G/�T��?�%:���xQ���G:5����A�:� ���X�=�,�9�m%�z�j�p�9����ţWŀ��84_M/�ޕ:�m�A�96V��+�rp��Ő���}��p��K5���&��&h@�g�ѭ�b� ]J�{G��o� q��Lp��f��z|�]�]F��Α��g���#���G�v�h�v������k�P�����:\����p��0��ĩ�EZ3b��c��4�'v��ز��yㄢ�q��qW��ph�8���q���z�#���g�#�'��7nt��s�ƍ�G��7.?Jo�t��azc���m��VK�'7�����)�7>�n\~��s����{��z�J��w��-6��+?`o\�aa�dr���!{�(��cvE"b��Imi�`�a;�G8S,��+;oo�-�+;q7G�C���~�~�L��7���q��{�&~7q�����Mj����7�8�o��^��C���98���<}<��Y|����I���㕛8��Hk�#����L�qƎ��K[`�o���p<��49H$�:�`t����32����O(e��KJuX*FbDw�� 
W�;��n{�&/$�j2�ȉ�r���|M�VQ��F0��E�R�6�YOZ%���W��ՊR���ŏzU���M�w�N�)�{��S���`ݻd)a��b����Ku=S��Ve�������j��T���U��b���26��ާ��h�2WEl�v�")���]�rixc���_=�J9�b�ܧ����حP`�|�)s�V�:.9J>P�"�k�iEk!�&���^���YP�������/S)$���W4�;��;��"�5QoaQ����.I�� �;�UTHu����F{"fY�y��J��d�\.�����o�@�(�*F�`������л�C�B��8���+@釕39�U�bH���>w*e�|!��F���6��7�6A�(B�LQ&�t1�刔>��Ri�qK��gR�m�6��ϻ+�˨>�9��4��Q��!��^�#U��V4h7^_*�}�l3{�>R��@|U8�Gc��o���"�!_Ա�}�J�;�OlY�Ҕs'��Ν��B�$����MQ?܉r��ԥ�^�&/MAQ����I]�/M%�!��D��/MA�d<�S?R�涒f=Y-�4�wN�ݹq���ѫ�/Mu��.M���л�\���'/M�A�pi���)�KS��VE�a�=B�>w�45�ri�4�IDl��iS�7�wi��#�)�KS�t1艗����w��/M�g�8N{&��EΝf�]��ϻ+�˨>�ԝ�!��8C��/M����piʹ��Ҕn㍗�J����$r���C� p!^�|U�KS@!�M��ĩ�EZ3_�t엦�TZ��\���8���QJK", "HTTP/1.1 200 OKDate: Fri
01 Mar 2024 14:40:14 GMTContent-Type: text/css; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCache-Control: public
max-age=2592000Cf-Bgj: minifyCf-Polished: origSize=23618expires: Sun
31 Mar 2024 00:00:50 GMTlast-modified: Sat
04 Jun 2022 07:59:22 GMTsurrogate-control: public
max-age=2592000vary: Accept-EncodingCF-Cache-Status: HITAge: 52764Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VW7yBUgBwVM76d7jMRtyIjUrCiVDcr1soKtNrVZE4ytSG4gl%2FmVHsO3h98Wo3zFvg%2BxG4RUws3EijUJkns%2FqZEVh8TBEVawKr5zeKlvHlTsNkiv0xPw%2Bj7BK"}]
"group":"cf-nel"
"max_age":604800}NEL: {"success_fraction":0
"report_to":"cf-nel"
"max_age":604800}Server: cloudflareCF-RAY: 85d9e6ad5e1c6809-SJCContent-Encoding: gzipalt-svc: h3=":443"; ma=86400", "c64��\]����+T��lTH�NHt�~��E��E�*��0g��h�{e�`�ef����~���ؙq��p���g��Ÿ��#�1�c���@�@㋑���NZ��:�� zK+|-b��$�%G��Q�JΖi�.%�cT�F���9�EM@A~� �� 0PQC����>
�U����a���|���������u�d�w�n�(b����,��_8�K[J��*�PEG!)��qX�[��:��)t=��<���a�Yu���P^�����8��F!�N�Toiaoc�nh�:��c�a�g��H���Xaj�(�3�Rt�c亍bFK�ҋ��ş/�V�al,��+�->E]�.�Vy�j��X{��~��C��@�;�j8��臹�p�;�*�S����Wx��Ct�t��"�h�J��+~���'8��*����@n���/z�6i��x��y �2|�5��Q]f��f8z�$���pϕ�w�H���Y��`BYŏ�~.9�RT�M�Xޛ���V Fךz��5"���vpk��G�`zuϰ�-������C̡A��KW�Q��, yG�-�q��@b���(x�1��l������.�o�2GTr&�\QɝT�D%oR��|Q�fx��z'�[f'�LY�L,��f6�l�0�3�0o���e6�l�2W������y�eo>��e�#�9�6'&9�$��I�0�@��M ��)�1?�l�u�����p3�ܰ��-��zS���u>Su*T���Yz�ꁩB�����Q!�<NX�G���X�3�H��C�-sx�&l���NN/y�k7��bK���T��kW�Nz����qkޑ�ɬS�R���:���J�x�T�DiϠ��(���R��y<�R*T�4�gPJ�J���J�P��<�A)*Q�dz(��y��#�Bi[~J�Z�P�%�D)�l-J���P��3(���R��Y:�R*T�4KgPJ�J�f�J�P��,�A)*Q��3(�B%J�t�T�Di�4K�Qڎ��m�U(mk�Bi���,��(�l��`z�f`z�f s�f��͖�͗��JU�6-U)ۼT��S��e�(��}��y�X�����L*Xn=fo;�5dFJ�p̝f�ǝ�*ʠ��ĉ5s�_zͥ�����ط� �|�b��?��/Z`��B4�M��(�s���Q�����F���L�m��)��!1~@��^�x()�A7�@5t��@�9�h�N��"����4N�NۏcȾ5������W�%F,)B��W��%���k4�}��v<i���%�L_�+ZJ#�8�`WKn��>�]�����������4���5S�����Ns͝>��r����5c�<g��@�:��y�n?��\O�q�����'/q5����/�N�3W�Y�NCzLU�nݨLP�#���h�(����y�aqm���EA&�����t��h���!��h`9�y���I�)�nwa�b�h���ͱ�Ct�j\�n���977�(3��Y6�YˠD�&��"8���A���ʴ���)fF�5��N����� �p]�T�R�Ы�00��C):�cÛ�q�U��L�0F�.]��CT�S��7����+�JfD�{A�����u/(��9�B�}�*�m�T�JPԲR=R�{�գ���Aq��bt����q���w|�� �z�#J�L���N+X����*,�th��z��5�ĸ���}�����;�l:���[��^��c��ɺ[Q��D��+�X���נ�j>�$\����|sX�v<ظ�Z��$÷�+�cXLк��]��n���?s���F����Z��k�Zk}������`B:_�%.j��4G�Fstd{����$ѱ�C�ʃ��ٕ�]7��K�LP�@���� 
B��l�cC�:5{�?�:z{v�E�姁���'���V@�ig���5m��v��N���髎n�E[���7��T�X=��s�PU(sM>搌�eQ�T�`Q�?���h�A$��a�|m���">Vv�%���cȨ;�̚�]-:�QdǓ+��'�Iriϵa�+Р�Zİ��L��H�y���G�[q�k�Wp�Z}���*>xG5QF1۲"���>������h��֔�R�&lT]�I���e&$g�����3���DB)��Oԗ���s@��3~�+un$�=�-���o��F��'�&z�m0�N�ݲ�����w����q��S����G��}i����/���W��"$(#�]�������n���{���b8!�a/�&�"��[���_^���/:,b������o%���D*Җ�^R_�`V[�3��Z�Y�0����T�X��\�ս]��ѪW�4;�����I�Ŝf�ij���h�T51}*?9y�M������Z�[�;�~r��8�N�E|���5���V�)C�sp�"{Ȃ��>��9FJA1��Z��5[_��9h�X���6��`�9�����g禎p�>K5SV�l3a��p<O�G?.�d-�V��N�)��Q�$؞v�t�#���I�I�ٸ(��B��ζ��hg�h��N�D�y�k_C;��i?K;SV��3a��؎�{�"�Q��Nk��t�J�`�c|�/��>#5��I̐���<�l\��і8h�p+hh��1�p����5Lfק�?c�E��� �ҭ��ۮ��A|��Dm��.M|���ds�2��9��Ԟ�/(��hs��}���(�&�c���c�a�k�����gh�h���6k)�2m�:u�\� !�Zj��`!>SB���hs"��f�Q*�=�E_S ����K".��v17�%�C�y�����Z���+�)�Ef�0ZMMGK?R�?-2�e-5�V�pӐ*�UB�,ٞ����$%��%Y�IVھ4�[�������h���0�c�����b"T�=�C#�e�M֟�����m/sc5��m��>M��bh�.$���q���$��b�ڳ�b��k��ñ��-��mp�#��5�+!־�����YRY.r��p5#Y�n۞~Z>/GZ�K��&�4�̃�k�@#K�g'>#;II��IV{���/��h��y�%v�&�&����&N�X�����/eMj>��Yȟ���]�ow}��U#�M", "HTTP/1.1 200 OKDate: Fri
01 Mar 2024 14:40:15 GMTContent-Type: text/css; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCache-Control: public
max-age=2592000Cf-Bgj: minifyCf-Polished: origSize=38452expires: Fri
29 Mar 2024 09:28:03 GMTlast-modified: Sat
02 Apr 2022 10:20:16 GMTsurrogate-control: public
max-age=2592000vary: Accept-EncodingCF-Cache-Status: HITAge: 191532Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JZBvX%2Fb5m%2FdNLyWo7PcYv0wZyNKfZFLYHTYTInWEki%2BchOqZwkxOluojYQP8xQrf9YznEI3O6tBVGONHlQQNjUJrii0tBX7OylM6jH2ejGHAc4YiepmMNdOj"}]
"group":"cf-nel"
"max_age":604800}NEL: {"success_fraction":0
"report_to":"cf-nel"
"max_age":604800}Server: cloudflareCF-RAY: 85d9e6b24c006809-SJCContent-Encoding: gzipalt-svc: h3=":443"; ma=86400", "e61����n�:�o%@��I��I����ű���i\$�z�a��B_%��('g�c�)R��0[��i�?�����Q\������u���٭.�K�������ʲ�ݶ���[�\�YU\�u;y��l%G����t9l'O�}�2�g��e�l'O/��b���f�������f_H+����)[f�r.lOm--�?�l�;�\��#MV��0����o�n��]os9U�k/�|�e�l���Y�����R�w��;ܯͨ��z[����*���[��jԈ�k_�쬦1�˖�R��ty�jYV��L.����z>/��Gqm��v��f2�F����7�ʹ������^��n�z�^ˤ�Q=U���]�����Ko�4�F���^ƭǻ�w�T?�>jiPO���]�'��η�z��2j���۵ͨ��ڈ���\�/���&S��=(/�����e�Rǟbѻ�K�ڙ���u7�g�f�2����|�[Vg�E�tF��u��+]�I�r�zesk�Z�ٷ�fc:�b��&��ޭv��\`]_dJ���`��i��]���<k����wq���ՏN�;�~X�2���$�L��B5,7�J<c��L�ގEUߜ5�ȁ�]����I sVg���/���:7wi6�VV���V՝j+���m$��y�R���Y�(x+���+�k�O��,�?����F���\�K��.FŮ>��Fos�*�b);��J��(���hE�:��_ �Fp�ډ�Dc�O_'�@�S%�v�����D��*e���i��3����@�(-�4*)\�9BJ(^mY��i��SY���˙��չ.��/d ��f̢�q����"(��[�Y���u8�@��Qg!������Ǘ?esn�[�`_Vc�h(�V'���ew��֎��'&���?��|?\�_�j������X�V&�P�5&�M �]{[̇���N�������in�)�u�o�_��x�vͿ�M�|m���yq�?&�<W�[�;���5ci��3KF��0�K���9�!o��mQ����4V���ߎ��O���Ļ�m�s�_�TL`����r�v4�_��t����^���֗Oš�^�K�8�����+]��G�|�4z��:�W�5I|I1�!��x�K�8n���\0��k�?58�7?ۣw_%'�x�u5�Vu�?��L�l���1���=�E�$����.?�[gf��P�����Ź���C�X�fr�j���I��|��Ӱu>�ڙX���������덊�k.�LysTե��yKԏ�ǐ��4��������tz��iw���+{�"�R���TYw�����tH:1�l?M~t�<`5\]ptp� h�pEn>����H���XD;A!����X<��L@� ���KA��u�xRްk*����zWl�u�Dhq\�yV�v �Ɇ�]i����ྕ����}��:' �A�ѩs�3P�H1�NF<�P-��sd�2M��7C�!��Ѩap���Ⓙ��/�Q��m>)�!O�If�����P�\&�:ܓC������O�Vc�h�V���ZvW�����j��*s���eP�d:�d?3^H�A��-+���^�$����>�;L�@�M��H��E�P�Ǖ}�Rt�8��&qi$>�>���m�N�f�$5^��H%ݹ`]w�).�����F�?����?\]ݸT�Sp��O!���@���JN
J�Ԇ~C&(�wT���K������q�`�a�Ⴚ����I�;�������\�����:ou�߃�V����a����Vc�h�V���ZvW���x%�0^J�6���`�R&�0�P&���BOޠ�|hY9���1���x��$bH�ʈG�J��1�a@������4�S6�K����o�v*�0�%��9��J�s����S\��S���xn51�0~���q�?����'��]98�7��}��X��a�?��LP�����;��������@�%r���(�w�Gر�A�11>8����q�x�c|?��2?��<�1��@��ֲ��^���F��H)��r������7��
u��I�*�˃���E�!g���9�<�7��!�P�<*1�Pa%�n\7�xl���Kwr#��}\J����"�m�1��P_I�A/����{H��n�[���US�d���<��@�S��Ɇ�6��s Ie�H[O�[�Ft#ըd���[�1��a3TK�)9�L[�e����T����hb0���v&Ot�10�j8<��q�>)#�2[��Y���;�<o�$�[�C+D�kA���[���[ɦ�j�]��+��P2��R��͏�vC)�q�lh����!����|hY9�������>��M�p��]��X��E�P���}at��-D�&q)%>�>���m�N��f�$�^��H%ݹ`]w0�).�� ��p��1/�W�C7.�Sp��O������*9�(��R~�����Q9�;2�/%<�w23��!�臁���*'4�&Qh� ���c���c}p�����G�8~0[%��ɣ�:��/�,dS}�4+s��Q�.�T��/�2�.U����~*�8ģ6`-XON:8�ldᆰ+�x�������q�4��Cd�hRbH<Y�#@�BL�t��p�!:�>0`�m�AV]$ѹ�1�)�{V��!��"r
�P�VT$�3�&~Z���a����#*+4�����)��n��t�*j��6`�p�q��b�[x�32����=�5o��!���������!��9*#�1&l��pY-�>i�0�����h��L�D÷�M�ղ�ZuW(o+�RJ����V��J��C�B����I<V��e崓t��D�r�QG�#b��J�G�����$�0�x���G`BG����!�����6�haVN�{�s\�����u�!87��\8��VI�ܒb�p�K,e�Ra}L�CO(<��rpo���*9�(s�R~�����Q9�;2�.%>���q���~�Jv��F.�����DQ��Z>ɎMj����9}���yKĐ�n a6M�����w��ӳ�M�˥�\�K��B|%������:�N�1�O��|"��惫����'���;p��w��A:7>�('(}02G�������耓?�O�16�ć�0�6��h�a�Q����xG���DqdѹV� ���_c���. ��������:& �4�ѩs�3P�H1��NF<�P]��sd�2}��>�w3�7���).����=Bp�%������d��I����#�����?�=̮�������䋾ܳ�M���\���H�!U�����~@�R���+s�\�q��q�Z>���tp�����J�X�%�cσ�8��9�Y�A �2����1����¥���L���M:�NXu���nƠ_�d�Y��+��ҋȱ�|ZQ��ά��ir���mV*����P��S +Ʀ�P���Ӊ�5���'ۀ�̡�1ڋ�r!�19���K^����܇����24�S(��d��樌`Ƙ����mx�~���z�x-��", "HTTP/1.1 200 OKDate: Fri, 01 Mar 2024 14:40:16 GMTContent-Type: text/css; charset=utf-8Content-Length: 2007Connection: keep-aliveContent-Encoding: gziplast-modified: Sat, 02 Apr 2022 10:20:17 GMTvary: Accept-Encodingexpires: Sun, 31 Mar 2024 14:40:16 GMTCache-Control: public, max-age=2592000surrogate-control: public, max-age=2592000CF-Cache-Status: MISSAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=teF05q8y5QtYgGue%2FTgrYeE29S%2BCc0g8U9rkrKRq8LMOhkrp5R9YSZYoZfeKHTizF1wzDcSi0DeFKbTFm9cR2oELq5ClvLZQt%2BeaCxB59SYMU6FTkAFhmf%2B3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 85d9e6b23b2769a0-SJCalt-svc: h3=":443"; ma=86400", "�n��|Y�g|��_�`��^o���()�����3��=8��e�F�i4r~�3#�5�>�|�.�����������t����Ẍ��x}Y?4&�3���=�=0{{��=�{f��>0�����Gf�`���>2����G�'fO`O̞�>1����'�gf�`�̞���m�e�6�E�Yr��K�7ϼ��'�R:��i)s橳�$�
YʇyB������?nO��ty���ӇO��B� Q-T�#ЄA[�sG�����P�@��o���&X��P��@��Z�G�F��-t�#�����z�h��@P-t�#�Ħ�}�b_8�9��zw������As�b�8��6q�3;�1�pl�<��_�Ŗ��5��������~��O��.�^/�ǻ���_�.mM�eٽ^�}9?����������r��|�pYƈ��F��k�3~�-2�}��W�9�P�+����b���{��I�����H�H�Q�#�G�I���G�O��D?�~���'џH�L�Y�3�gѯ"ކC��T�Er�V�q��։q!�V��զ^�iꦱ]�~b�q�Ms>pN�i�p�m�pv�uK�SZ�N�(�6Pĸ���)�[����p�D���"��(p�D�%�I��)��(RH���H�^j�H��>�"Qz9�"���p�D�%�m��)%�pt\�0.�T������G��s�IZ9at8I#L'��a�8Im3�I�Z#NRS�$)�?.���?�r������|�8�v}��u�k�/�i�?��`\L$�����eM�t3��qً��R�Dӯތ`�\F���7#XB��h��
��$�~gK�rM��3�ev�En�ųX��q56ǂ���F�Y0w�4��P�3l��x.�4/�h����n.���*0$�q� b?��n�DP�3�aD�V����7���.@�ظ���u����e?�иŠ�Gv�<7���.@O�v�2�o��J�
�xyW�����������#+}�Nl��l[��x�0Z?���<m!�l$x�"E�9��,x�"E��s�i�F�D9�(���e��2�(�ᭌ�r�Qdm��)e�Qd��{)唣��6R$ʜ��f�77R$FA���u�����$�=�ʪ��L��������HR�14"Im��$u$��<�T��!�C��VF6��m �qx�Kb���%�b�X�5����p��&�XR-X8Vu�k,)*����5����U]�KJkǪnu�%��ŃcU�ƒ��*±ʻ]�է{�+��*���/xZ��[�g�g|O��G��Bx:9O���<u�g���5S��IU\��q�.��g:��e�����֓h�`]w��@�6�u��4�`]]���@3�;캭d��h�خ�IF��D�mw�D2�I4X�##�̢�^�n�f���e���q5�.��sM���>�����e�u�a�D�e�u��A�.����^��+0$�q�@.{U"Ս��A(��ƭ� �l@�Ը���{ Ll�VB��ō��A(������PrqDy4n4��^��i�nB�:(]�E�l�R�]���MO��;k�{t���#+}�˾P{���(]�������=�y���ȶ�7.R$ʐ��.�W/R$�>G�M�`�H�C�"{^�H�(c�"[��H�(�Ev(���"Q�E6,���"QN9��_xa#E��9�lgxs#E�`˞���e�HZ{&�u�O��r0(����';��w�HR[�G���Ij��@*/���[��0���lC1ObI,r��_,���受2�z��d�`O`�T�ĒXTR��RTX!8Vy��o���R����^bI�b��X�e/����xp��XR�XE8V}�K�����e�����ϸq�k<�"M(����S�y@y<u�g���5S��e���Eܿs.", "GET /npm/bootstrap@5.1.3/dist/css/bootstrap.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive", "GET /npm/ekko-lightbox@5.3.0/dist/ekko-lightbox.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip
deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive", "GET /npm/pretty-checkbox@3.0/dist/pretty-checkbox.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip
deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive", "GET /npm/jquery-validation@1.19.1/dist/jquery.validate.min.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip
deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive", "GET /npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip
deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive", "GET /npm/bootstrap-icons@1.8.1/font/bootstrap-icons.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip
deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive", "GET /npm/bootstrap-select@1.14.0-beta3/dist/css/bootstrap-select.min.css HTTP/1.1Accept: */*Referer: https://shtu.be/ppfor/ffww/7c9d1cAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip
deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.jsdelivr.netConnection: Keep-Alive" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1573 (Show technique in the MITRE ATT&CK™ matrix)
-
Found domain strings related to cloud services (possible C&C communication)
- details
- file/memory contains long string with (Indicator: ".googleapis.com"; File: "f_1_.txt")
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1102 (Show technique in the MITRE ATT&CK™ matrix)
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://jqueryvalidation.org/"
Pattern match: "https://github.com/lokesh-coder/pretty-checkbox"
Pattern match: "https://developer.snapappointments.com/bootstrap-select"
Pattern match: "https://pagead2.googlesyndication.com+b,d=La(a)-b.length;if"
Pattern match: "https://www.jsdelivr.com/using-sri-with-dynamic-files.ekko-lightbox{display:-ms-flexbox!important;display:flex!important;-ms-flex-align:center;align-items:center;-ms-flex-pack:center;justify-content:center;padding-right:0!important}.ekko-lightbox-container"
Pattern match: "https://shtu.be//ppfor/ffww/7c9d1c"
Heuristic match: "shtu.be"
Heuristic match: "cdn.jsdelivr.net"
Heuristic match: "googleads.g.doubleclick.net"
Heuristic match: "pagead2.googlesyndication.com"
Pattern match: "http://googleads.g.doubleclick.net]=!0,Qg[http://pagead2.googlesyndication.com]=!0,Qg[https://googleads.g.doubleclick.net]=!0,Qg[https://pagead2.googlesyndication.com]=!0,Qg"
Pattern match: "https://tpc.googlesyndication.com/sodar/,.js"
Pattern match: "https://pagead2.googlesyndication.com/pagead/gen_204?id=+b;qg(a,function(e,f){if(e||0===e)d+=&+f+=+encodeURIComponent(+e)});kl(d,c)"
Pattern match: "https://pagead2.googlesyndication.com/pagead/js/logging_library.js"
Pattern match: "https://cdn.ampproject.org/rtv/,/amp4ads-host-v0.js"
Pattern match: "https://pagead2.googlesyndication.com/pagead/gen_204,b.join(&)"
Pattern match: "fonts.googleapis.com/css"
Pattern match: "https://pagead2.googlesyndication.com+b,d=Vm(a)-b.length;if"
Pattern match: "https://pagead2.googlesyndication.com/pagead/ping,Vo,void"
Pattern match: "http://mathiasbynens.be/"
Pattern match: "https://cse.google.com/cse.js"
Pattern match: "https://www.gstatic.com"
Pattern match: "https://www.google.com/s2/favicons?sz=64&domain_url=+encodeURIComponent(this.host)"
Pattern match: "https://www.gstatic.com/prose/protected/%{version}/iframe.html?cx=%{cxId}&host=%{host}&hl=%{lang}&lrh=%{lrh}&client=%{client}&origin=%{origin"
Pattern match: "https://pagead2.googlesyndication.com/pagead/js/err_rep.js"
Pattern match: "http://www.w3.org/2000/svg"
Pattern match: "https://fonts.googleapis.com/css2?family=Google+Symbols:opsz,wght,FILL,GRAD@20..48,100..700,0..1,-50..200/"
Pattern match: "https://www.google.com/adsense/search/async-ads.js"
Pattern match: "http://google.com,resultsPageQueryParam:q,relatedSearchTargeting:content,relatedSearchResultClickedCallback:a.Wa.bind(a),relatedSearchUseResultCallback:!0,cx:a.I};a.na&&(c.adLoadedCallback=a.Ca.bind(a))"
Pattern match: "https://www.gstatic.com===b.origin&&resize===b.data.action&&(a.g.style.height=Math.ceil(b.data.height)+1+px)"
Pattern match: "https://www.gstatic.com/adsense/autoads/icons/gpp_good_24px_grey_800.svg;E"
Pattern match: "https://www.gstatic.com/adsense/autoads/icons/arrow_left_24px_grey_800.svg;b.setAttribute(aria-label,a.l);aF(b);E"
Pattern match: "https://www.gstatic.com/adsense/autoads/icons/gpp_good_24px_grey_800.svg,d"
Pattern match: "https://www.gstatic.com/adsense/autoads/icons/gpp_good_24px_blue_600.svg,2px"
Pattern match: "http://example.com"
Pattern match: "https://fundingchoicesmessages.google.com/i/%{id"
Pattern match: "https://partner.googleadservices.com/gampad/cookie.js"
Pattern match: "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"
Pattern match: "www.==a.substring(0,4)&&(a=a.substring(4,a.length))"
Pattern match: "https://+e+g+"
Pattern match: "http://www.w3.org/2000/svg,path"
Pattern match: "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=';var"
Pattern match: "https://fonts.googleapis.com/css2?family=Google+Material+Icons:wght@400;500;700"
Pattern match: "https://support.google.com/adsense/answer/11188578"
Pattern match: "https://www.google.com/adsense/search/ads.js"
Pattern match: "https://pagead2.googlesyndication.com/pagead/gen_204?id=plmetrics;window.LayoutShift&&"
Pattern match: "www.google.com/adsense/search/ads.js"
Pattern match: "https://securepubads.g.doubleclick.net/static/topics/topics_frame.html"
Pattern match: "https://pagead2.googlesyndication.com/pagead/js/,/,/rum,.js"
Pattern match: "https://googleads.g.doubleclick.net/pagead/html/,/,/zrt_lookup_nohtml,.html"
Pattern match: "jquery.org/license"
Pattern match: "www.googletagmanager.com;var"
Pattern match: "https://www.google.com:/g,https://www.googlesyndication.com:/gs,https://www.googleadservices.com:/as,https://pagead2.googlesyndication.com:/gs};function"
Pattern match: "https://www.googletagmanager.com+uk,wk=void"
Pattern match: "https://www.googletagmanager.com"
Pattern match: "https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe;Jm(a,function(d,e){if(d||0===d)c+=&+e+=+encodeURIComponent(+d)});Om(c,b)},Om=function(a,b){var"
Pattern match: "www.googleadservices.com$/,nq=function(a){a||"
Pattern match: "https://+g,m=http://+g,n=1,p=C.getElementsByTagName(script),q=0;q"
Pattern match: "https://+ri.Bd,rs=qs+/gtm/static/,ss=Number('')||5,ts=Number('')||50,us=qs,vs=rs,ws=!1,xs=0,ys=Ja()"
Pattern match: "https://td.doubleclick.net};var"
Pattern match: "https://,http://,q+g"
Pattern match: "https://,http://,ri.Bd+f"
Pattern match: "https://www.facebook.com/tr/===h[gtm.elementUrl"
Pattern match: "https://www.facebook.com/tr/===m"
Pattern match: "http://,https://,javascript:,file://"
Pattern match: "www.youtube.com,www.youtube-nocookie.com],xD,yD=!1"
Pattern match: "https://www.youtube.com/iframe_api"
Pattern match: "https://www.merchant-center-analytics.goog"
Pattern match: "https://+a+.google-analytics.com/g/collect},qG=function(){var"
Pattern match: "https://stats.g.doubleclick.net/g/collect,v=2&+n.join(&)"
Pattern match: "https://www.%/ads/ga-audiences?v=1&t=sr&slf_rd=1&_r=4&.replace(%,f):void"
Pattern match: "https://cct.google/taggy/agent.js"
Pattern match: "https://+ri.Bd+/debug/bootstrap?id=+Vf.ctid+&src=+w+&cond=+u+>m=+Mn()"
Pattern match: "https://www.jsdelivr.com/using-sri-with-dynamic-files"
Pattern match: "https://github.com/snapappointments/bootstrap-select/blob/master/LICENSE"
Pattern match: "https://lokesh-coder.github.io/pretty-checkbox"
Pattern match: "https://getbootstrap.com/"
Pattern match: "https://github.com/twbs/bootstrap/blob/main/LICENSE"
Pattern match: "https://github.com/twbs/bootstrap/graphs/contributors"
Pattern match: "https://pagead2.googlesyndication.com/pagead/gen_204?id=+b;pe(a,function(e,f){if(e||0===e)d+=&+f+=+encodeURIComponent(+e)});Ie(d,c)"
Pattern match: "https://pagead2.googlesyndication.com+b,d=qf(a)-b.length;if"
Pattern match: "https://pagead2.googlesyndication.com/pagead/ping,xg,void"
Pattern match: "https://googleads.g.doubleclick.net"
Pattern match: "https://www.google.com/adsense"
Pattern match: "https://adsense.com"
Pattern match: "https://pagead2.googlesyndication.com/pagead/managed/js/adsense/,/,slotcar_library,.js"
Pattern match: "https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css"
Pattern match: "https://cdn.jsdelivr.net/npm/bootstrap-icons@1.8.1/font/bootstrap-icons.css"
Pattern match: "https://cdn.jsdelivr.net/npm/ekko-lightbox@5.3.0/dist/ekko-lightbox.min.css"
Pattern match: "https://cdn.jsdelivr.net/npm/bootstrap-select@1.14.0-beta3/dist/css/bootstrap-select.min.css"
Pattern match: "https://cdn.jsdelivr.net/npm/pretty-checkbox@3.0/dist/pretty-checkbox.min.css"
Pattern match: "https://cdn.jsdelivr.net/npm/jquery@3.6.0/dist/jquery.min.js"
Pattern match: "https://cdn.jsdelivr.net/npm/jquery-validation@1.19.1/dist/jquery.validate.min.js"
Pattern match: "https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
Pattern match: "https://cdn.jsdelivr.net/npm/dayjs@1.9.3/dayjs.min.js"
Pattern match: "https://cdn.jsdelivr.net/npm/lazysizes@5.2.2/lazysizes.min.js"
Pattern match: "https://www.googletagmanager.com/gtag/js?id=G-6FQTKVJCYW"
Heuristic match: "GET /7c9d1c HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Con"
Pattern match: "https://shtu.be/ppfor/ffww/7c9d1cAccept-Language"
Pattern match: "https://www.googleadservices.com/pagead/p3p.xml"
Pattern match: "https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1071 (Show technique in the MITRE ATT&CK™ matrix)
-
Found string related to HTTP headers
- details
- file/memory contains long string with (Indicator: "HTTP/1.1"; File: "SSL")
- source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
GETs files from a webserver (HTTPS)
- details
-
GET /7c9d1c HTTP/1.1Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: shtu.be
GET /ppfor/ffww/7c9d1c HTTP/1.1Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: shtu.be
Cookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en
GET /static/jxbbs2022.06.06.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shtu.be
Connection: Keep-Alive
Cookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en
GET /npm/bootstrap@5.1.3/dist/css/bootstrap.min.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /npm/bootstrap-icons@1.8.1/font/bootstrap-icons.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /static/bootstrap-colors.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shtu.be
Connection: Keep-Alive
Cookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en
GET /npm/ekko-lightbox@5.3.0/dist/ekko-lightbox.min.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /npm/bootstrap-select@1.14.0-beta3/dist/css/bootstrap-select.min.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /static/vspacing.min.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shtu.be
Connection: Keep-Alive
Cookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en
GET /static/bootstrap-colors-themes.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shtu.be
Connection: Keep-Alive
Cookie: sessionID=48a184d8-b6e9-4f7c-ba96-471d0d4bdb87; lan=en
GET /npm/pretty-checkbox@3.0/dist/pretty-checkbox.min.css HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /pagead/js/adsbygoogle.js HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pagead2.googlesyndication.com
Connection: Keep-Alive
GET /npm/jquery@3.6.0/dist/jquery.min.js HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /gtag/js?id=G-6FQTKVJCYW HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.googletagmanager.com
Connection: Keep-Alive
GET /npm/jquery-validation@1.19.1/dist/jquery.validate.min.js HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /npm/dayjs@1.9.3/dayjs.min.js HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /npm/lazysizes@5.2.2/lazysizes.min.js HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.jsdelivr.net
Connection: Keep-Alive
GET /pagead/managed/js/adsense/m202402260101/show_ads_impl.js?bust=31081466 HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pagead2.googlesyndication.com
Connection: Keep-Alive
GET /pagead/html/r20240228/r20190131/zrt_lookup_nohtml.html HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: googleads.g.doubleclick.net
Connection: Keep-Alive
GET /g/collect?v=2&tid=G-6FQTKVJCYW>m=45je42s0v892032111za220&_p=1709304019358&gcd=13l3l3l3l1&npa=0&dma=0&cid=335445623.1709304020&ul=en-us&sr=1280x1024&pscdl=noapi&_s=1&sid=1709304019&sct=1&seg=0&dl=https%3A%2F%2Fshtu.be%2Fppfor%2Fffww%2F7c9d1c&dt=SHORTEN%20URL&en=page_view&_fv=1&_nsi=1&_ss=1&_ee=1&tfd=6580 HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.google-analytics.com
Connection: Keep-Alive
GET /g/collect?v=2&tid=G-6FQTKVJCYW>m=45je42s0v892032111za220&_p=1709304019358&gcd=13l3l3l3l1&npa=0&dma=0&cid=335445623.1709304020&ul=en-us&sr=1280x1024&pscdl=noapi&_eu=AEA&_s=2&sid=1709304019&sct=1&seg=0&dl=https%3A%2F%2Fshtu.be%2Fppfor%2Fffww%2F7c9d1c&dt=SHORTEN%20URL&en=scroll&epn.percent_scrolled=90&tfd=7206 HTTP/1.1Accept: */*
Referer: https://shtu.be/ppfor/ffww/7c9d1c
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip
deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.google-analytics.com
Connection: Keep-Alive - source
- Network Traffic
- relevance
- 3/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
JA3 SSL client fingerprint
- details
- Observed JA3 fingerprint: 2b8da9e558fef05fabfa78758281c38c
- source
- Network Traffic
- relevance
- 1/10
-
Sends GET/POST requests (HTTPS)
- details
-
Found HTTPS GET request to https://shtu.be/7c9d1c
Found HTTPS GET request to https://shtu.be/ppfor/ffww/7c9d1c
Found HTTPS GET request to https://shtu.be/static/jxbbs2022.06.06.css
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/bootstrap-icons@1.8.1/font/bootstrap-icons.css
Found HTTPS GET request to https://shtu.be/static/bootstrap-colors.css
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/ekko-lightbox@5.3.0/dist/ekko-lightbox.min.css
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/bootstrap-select@1.14.0-beta3/dist/css/bootstrap-select.min.css
Found HTTPS GET request to https://shtu.be/static/vspacing.min.css
Found HTTPS GET request to https://shtu.be/static/bootstrap-colors-themes.css
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/pretty-checkbox@3.0/dist/pretty-checkbox.min.css
Found HTTPS GET request to https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/jquery@3.6.0/dist/jquery.min.js
Found HTTPS GET request to https://www.googletagmanager.com/gtag/js?id=G-6FQTKVJCYW
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/jquery-validation@1.19.1/dist/jquery.validate.min.js
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/dayjs@1.9.3/dayjs.min.js
Found HTTPS GET request to https://cdn.jsdelivr.net/npm/lazysizes@5.2.2/lazysizes.min.js
Found HTTPS GET request to https://pagead2.googlesyndication.com/pagead/managed/js/adsense/m202402260101/show_ads_impl.js?bust=31081466
Found HTTPS GET request to https://googleads.g.doubleclick.net/pagead/html/r20240228/r20190131/zrt_lookup_nohtml.html
Found HTTPS GET request to https://www.google-analytics.com/g/collect?v=2&tid=G-6FQTKVJCYW>m=45je42s0v892032111za220&_p=1709304019358&gcd=13l3l3l3l1&npa=0&dma=0&cid=335445623.1709304020&ul=en-us&sr=1280x1024&pscdl=noapi&_s=1&sid=1709304019&sct=1&seg=0&dl=https%3A%2F%2Fshtu.be%2Fppfor%2Fffww%2F7c9d1c&dt=SHORTEN%20URL&en=page_view&_fv=1&_nsi=1&_ss=1&_ee=1&tfd=6580
Found HTTPS GET request to https://www.google-analytics.com/g/collect?v=2&tid=G-6FQTKVJCYW>m=45je42s0v892032111za220&_p=1709304019358&gcd=13l3l3l3l1&npa=0&dma=0&cid=335445623.1709304020&ul=en-us&sr=1280x1024&pscdl=noapi&_eu=AEA&_s=2&sid=1709304019&sct=1&seg=0&dl=https%3A%2F%2Fshtu.be%2Fppfor%2Fffww%2F7c9d1c&dt=SHORTEN%20URL&en=scroll&epn.percent_scrolled=90&tfd=7206 - source
- Network Traffic
- relevance
- 1/10
- ATT&CK ID
- T1071.001 (Show technique in the MITRE ATT&CK™ matrix)
-
Uses HTTPS for communication
- details
-
HTTPS traffic to "104.21.69.44" on port "443"
HTTPS traffic to "151.101.1.229" on port "443"
HTTPS traffic to "172.217.12.130" on port "443"
HTTPS traffic to "142.250.188.226" on port "443" - source
- Network Traffic
- relevance
- 3/10
- ATT&CK ID
- T1573 (Show technique in the MITRE ATT&CK™ matrix)
-
Calls an API typically used to create an HTTP or FTP session
-
Spyware/Information Retrieval
-
Contains CRYPTO related strings
- details
-
file/memory contains long string with (Indicator: "base64"; File: "ekko-lightbox.min_1_.css")
file/memory contains long string with (Indicator: "base64"; File: "f_1_.txt")
file/memory contains long string with (Indicator: "base64"; File: "js_1_.js")
file/memory contains long string with (Indicator: "aes"; File: "SSL") - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1027 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains string like password/secret
- details
-
file/memory contains long string with (Indicator: "password"; File: "f_1_.txt")
file/memory contains long string with (Indicator: "password"; File: "js_1_.js") - source
- File/Memory
- relevance
- 1/10
- ATT&CK ID
- T1555 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains CRYPTO related strings
-
System Security
-
Queries services related registry keys
- details
-
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\LANMANWORKSTATION\PARAMETERS"; Key: "RPCCACHETIMEOUT"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS"; Key: "WINSOCK_REGISTRY_VERSION"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS"; Key: "AUTODIALDLL"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\CRYPT32"; Key: "DIAGLEVEL"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\CRYPT32"; Key: "DIAGMATCHANYMASK"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS"; Key: "NAMESPACE_CALLOUT"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9"; Key: "SERIAL_ACCESS_NUM"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9"; Key: "NEXT_CATALOG_ENTRY_ID"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9"; Key: "NUM_CATALOG_ENTRIES64"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES64\000000000001"; Key: "PACKEDCATALOGITEM"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES64\000000000002"; Key: "PACKEDCATALOGITEM"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES64\000000000003"; Key: "PACKEDCATALOGITEM"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES64\000000000004"; Key: "PACKEDCATALOGITEM"; Value: "")
"EXCEL.EXE" (Access type: "QUERYVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES64\000000000005"; Key: "PACKEDCATALOGITEM"; Value: "") - source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1007 (Show technique in the MITRE ATT&CK™ matrix)
-
Writes registry keys
- details
-
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\SECURITY\TRUSTED DOCUMENTS"; Key: "LASTPURGETIME"; Value: "D0B2B201")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\LOCAL SETTINGS\MUICACHE\2F0\52C64B7E"; Key: "LANGUAGELIST"; Value: "en-US")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\RESILIENCY\STARTUPITEMS"; Key: "75."; Value: "75.")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\LANGUAGERESOURCES\ENABLEDLANGUAGES"; Key: "1033"; Value: "Off")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\LANGUAGERESOURCES\ENABLEDLANGUAGES"; Key: "1033"; Value: "4F006E000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL"; Key: "MTTT"; Value: "6C0E00009CBEFF4EE66BDA0100000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS"; Value: "01000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "INTRANETNAME"; Value: "01000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "UNCASINTRANET"; Value: "01000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "AUTODETECT"; Value: "00000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\RESILIENCY\DOCUMENTRECOVERY\3615F3E8"; Key: "3615F3E8"; Value: [omitted in this copy of the report])
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\RESILIENCY\DOCUMENTRECOVERY\3615F3E8"; Key: "3615F3E8"; Value: [omitted in this copy of the report])
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\REVIEWCYCLE"; Key: "REVIEWTOKEN"; Value: "{84F1AD45-92A8-463E-81F4-E4DF930C37E7}")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT"; Key: "CACHEPREFIX"; Value: "0000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES"; Key: "CACHEPREFIX"; Value: "Cookie:")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY"; Key: "CACHEPREFIX"; Value: "Visited:")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000100000000F01FEC\USAGE"; Key: "EXCELFILES"; Value: "12006158")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000100000000F01FEC\USAGE"; Key: "PRODUCTFILES"; Value: "16006158")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\PLACE MRU"; Key: "MAX DISPLAY"; Value: "19000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\PLACE MRU"; Key: "ITEM 1"; Value: "[F00000000][T01DA6BE65F140A90][O00000000]*C:\")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\FILE MRU"; Key: "MAX DISPLAY"; Value: "19000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL\FILE MRU"; Key: "ITEM 1"; Value: "[F00000000][T01DA6BE65F167B90][O00000000]*C:\informebancarioymotivodelpagorechazado.xla")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\SHTU.BE"; Key: "NUMBEROFSUBDOMAINS"; Value: "01000000")
"EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\TOTAL"; Key: "(DEFAULT)"; Value: "72167B00"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\SHTU.BE"; Key: "(DEFAULT)"; Value: "20000000"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\SHTU.BE"; Key: "TOTAL"; Value: "20000000"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\TOTAL"; Key: "(DEFAULT)"; Value: "52167B00"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\SHTU.BE"; Key: "(DEFAULT)"; Value: "00000000"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\SHTU.BE"; Key: "TOTAL"; Value: "00000000"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\COMMON\LICENSING"; Key: "8B1BF0B4A1CA4656AA46D11C50BC55A4"; Value: "05000000270000007B39313134303030302D303031312D303030302D313030302D3030303030303046463143457D00500000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F0050006C00750073002D00520065007400610069006C002000650064006900740069006F006E000000"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000100000000F01FEC\USAGE"; Key: "PRODUCTFILES"; Value: "17006158"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000100000000F01FEC\USAGE"; Key: "CAGFILES"; Value: "01006158"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000100000000F01FEC\USAGE"; Key: "CAGFILES"; Value: "02006158"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NOTIFICATIONS\DATA"; 
Key: "418A073AA3BC1C75"; Value: "FB140000000000000400040001002500020000000D7879000DA1810016DDA4001E8D520021777A00259960002C3D81003E33830042264A004AAA8100560A8500726E4A007477AD0075A37E00799C39008106950081515D0087DE83008E78A200938661009D9D9200A736A800B1CE9800B3F1A200C36D8100CC495600CF74AA00D0175600D3826100D3E88D00E1C97700E21B5600E7997F00F1FC6000F7125E00F7D36F00F7ED6A0006000600000019C398001C4452007140A30091508A009CE0A8009F60C3000100400100000571AE00"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000100000000F01FEC\USAGE"; Key: "PRODUCTFILES"; Value: "18006158"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00004119110000000100000000F01FEC\USAGE"; Key: "PRODUCTFILES"; Value: "19006158"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL"; Key: "MTTF"; Value: "9C020000"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\EXCEL"; Key: "MTTA"; Value: "9C020000"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NOTIFICATIONS\DATA"; Key: "418A073AA3BC1C75"; Value: "FC140000000000000400040001002600020000000D7879000DA1810016DDA4001B4278001E8D520021777A00259960002C3D81003E33830042264A004AAA8100560A8500726E4A007477AD0075A37E00799C39008106950081515D0087DE83008E78A200938661009D9D9200A736A800B1CE9800B3F1A200C36D8100CC495600CF74AA00D0175600D3826100D3E88D00E1C97700E21B5600E7997F00F1FC6000F7125E00F7D36F00F7ED6A0006000600000019C398001C4452007140A30091508A009CE0A8009F60C3000100400100000571AE00"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NOTIFICATIONS\DATA"; Key: "418A073AA3BC1C75"; Value: 
"FD140000000000000400040001002700020000000571AE000D7879000DA1810016DDA4001B4278001E8D520021777A00259960002C3D81003E33830042264A004AAA8100560A8500726E4A007477AD0075A37E00799C39008106950081515D0087DE83008E78A200938661009D9D9200A736A800B1CE9800B3F1A200C36D8100CC495600CF74AA00D0175600D3826100D3E88D00E1C97700E21B5600E7997F00F1FC6000F7125E00F7D36F00F7ED6A0006000600000019C398001C4452007140A30091508A009CE0A8009F60C3000100400100000571AE00"), "EXCEL.EXE" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NOTIFICATIONS\DATA"; Key: "418A073AA3BC1C75"; Value: "FE140000000000000400040001002800020000000571AE000D7879000DA1810016DDA4001B4278001E8D520021777A00259960002C3D81003E33830042264A004AAA8100560A8500726E4A007477AD0075A37E00799C39008106950081515D0087DE83008E78A200938661009D9D9200A736A800B1CE9800B3F1A200C36D8100CA23B700CC495600CF74AA00D0175600D3826100D3E88D00E1C97700E21B5600E7997F00F1FC6000F7125E00F7D36F00F7ED6A0006000600000019C398001C4452007140A30091508A009CE0A8009F60C3000100400100000571AE00") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries services related registry keys
-
Unusual Characteristics
-
Drops a text file that contains suspicious strings (e.g. shell/ActiveX/DOM related). Caveat: the matched string is only the substring ".Run", and several of the hits are in files whose names match common front-end libraries (jquery.min, bootstrap.bundle.min, dayjs, lazysizes) that were presumably fetched as dependencies of a web page; a substring match in such files is a weak signal on its own. Compare the hashes listed under Extracted Files against known-good copies of those libraries before treating them as malicious, and focus review on js_1_.js and f_1_.txt, which do not correspond to a recognisable library name.
- details
-
"f_1_.txt" contains indicator ".Run" (Line: 170; Offset: 83)
"f_1_.txt" contains indicator ".Run" (Line: 554; Offset: 279)
"f_1_.txt" contains indicator ".Run" (Line: 560; Offset: 137)
"f_1_.txt" contains indicator ".Run" (Line: 576; Offset: 2084)
"f_1_.txt" contains indicator ".Run" (Line: 577; Offset: 921)
"js_1_.js" contains indicator ".Run" (Line: 404; Offset: 237)
"js_1_.js" contains indicator ".Run" (Line: 603; Offset: 332)
"js_1_.js" contains indicator ".Run" (Line: 604; Offset: 156)
"js_1_.js" contains indicator ".Run" (Line: 605; Offset: 156)
"js_1_.js" contains indicator ".Run" (Line: 610; Offset: 343)
"js_1_.js" contains indicator ".Run" (Line: 612; Offset: 454)
"js_1_.js" contains indicator ".Run" (Line: 619; Offset: 394)
"js_1_.js" contains indicator ".Run" (Line: 622; Offset: 374)
"js_1_.js" contains indicator ".Run" (Line: 624; Offset: 382)
"js_1_.js" contains indicator ".Run" (Line: 625; Offset: 376)
"js_1_.js" contains indicator ".Run" (Line: 628; Offset: 320)
"js_1_.js" contains indicator ".Run" (Line: 631; Offset: 253)
"js_1_.js" contains indicator ".Run" (Line: 637; Offset: 266)
"js_1_.js" contains indicator ".Run" (Line: 641; Offset: 172)
"js_1_.js" contains indicator ".Run" (Line: 642; Offset: 330)
"js_1_.js" contains indicator ".Run" (Line: 647; Offset: 410)
"js_1_.js" contains indicator ".Run" (Line: 655; Offset: 198)
"f_1_.txt" contains indicator ".Run" (Line: 294; Offset: 4151)
"jquery.min_1_.js" contains indicator ".Run" (Line: 2; Offset: 59563) - source
- Binary File
- relevance
- 8/10
- ATT&CK ID
- T1105 (Show technique in the MITRE ATT&CK™ matrix)
-
Drops files inside appdata directory (the two files are Office's own Recent-items artifacts under %APPDATA%\Microsoft\Office\Recent — a .LNK pointing back at the submitted .xla, whose recorded length of 30720 bytes matches the sample, plus index.dat. Office creates these whenever a document is opened, so this is a low-signal indicator; the T1036 mapping is the sandbox's automatic tag and should not be read as evidence of masquerading.)
- details
-
Dropped file: "informebancarioymotivodelpagorechazado.xla.LNK" - Location: [%APPDATA%\Microsoft\Office\Recent\informebancarioymotivodelpagorechazado.xla.LNK]- [targetUID: 00000000-00003692]
Dropped file: "index.dat" - Location: [%APPDATA%\Microsoft\Office\Recent\index.dat]- [targetUID: 00000000-00003692] - source
- Binary File
- relevance
- 3/10
- ATT&CK ID
- T1036 (Show technique in the MITRE ATT&CK™ matrix)
-
Drops a text file that contains suspicious strings (e.g. shell/ActiveX/DOM related)
File Details
informe bancario y motivo del pago rechazado.xla
- Filename
- informe bancario y motivo del pago rechazado.xla
- Size
- 30KiB (30720 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 00:00:00 2006, Last Saved Time/Date: Wed Jan 31 10:00:26 2024, Security: 1 (note: a 2006 creation stamp against a January 2024 last-save suggests a reused or templated document; in OLE SummaryInformation a Security value of 1 conventionally indicates a password-protected document, which can limit what static scanners see — confirm by inspecting the container directly)
- Architecture
- WINDOWS
- SHA256
- d7ae9c118c01c6751d64e011c70f601a73cb566df9ab3d43d25e69e30a5d8e4a
- MD5
- 40e068be98ea0b6ca31af370328840b6
- SHA1
- 11e7096e6268536aa7e80e6f87c0c7815b067566
- ssdeep
- 768:grYJUWXzyicoPdTeSGoqfSE8yCFDKPcM6c:grYhX2NATeSlzJqcM
Classification (TrID)
- 46.5% (.XLS) Microsoft Excel sheet (alternate)
- 26.7% (.XLS) Microsoft Excel sheet
- 20.1% (.XLS) Microsoft Excel sheet (alternate)
- 6.5% (.) Generic OLE2 / Multistream Compound
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- EXCEL.EXE /dde (PID: 3692) — the /dde switch is what the shell file association normally passes when a document is opened by double-click, so by itself it is not evidence of DDE abuse. All contacted hosts and extracted files below are attributed to this single process; no child process was observed.
Network Analysis (of the four resolved domains, only shtu.be is contacted by the document directly over HTTP; cdn.jsdelivr.net, googleads.g.doubleclick.net and pagead2.googlesyndication.com are public CDN/ad endpoints and are most likely dependencies of the page behind the short link rather than attacker infrastructure. Treat shtu.be/7c9d1c as the actionable indicator; 104.21.69.44 appears to be a shared CDN-fronted address and is a weak IOC on its own.)
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
cdn.jsdelivr.net |
151.101.1.229
TTL: 103 |
- | United States |
googleads.g.doubleclick.net |
142.250.188.226
TTL: 300 |
- | United States |
pagead2.googlesyndication.com |
172.217.12.130
TTL: 300 |
- | United States |
shtu.be |
104.21.69.44
TTL: 300 |
- | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
104.21.69.44 |
80
TCP |
excel.exe PID: 3692 |
United States |
104.21.69.44 |
443
TCP |
excel.exe PID: 3692 |
United States |
151.101.1.229 |
443
TCP |
excel.exe PID: 3692 |
United States |
172.217.12.130 |
443
TCP |
excel.exe PID: 3692 |
United States |
142.250.188.226 |
443
TCP |
excel.exe PID: 3692 |
United States |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | |
---|---|---|---|
104.21.69.44:80 (shtu.be) | GET | shtu.be/7c9d1c | GET /7c9d1c HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: shtu.be
Connection: Keep-Alive → 301 Moved Permanently (only this cleartext request is captured; the same host is also contacted on 443/TCP by the same process, see Contacted Hosts, so whatever the redirect target actually served is not visible in this report) |
Extracted Strings
Extracted Files
Displaying 19 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 19
-
-
index.dat
- Size
- 216B (216 bytes)
- Type
- unknown
- Description
- Generic INItialization configuration [misc]
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 11941edcd6ac5efe6eb799295b2fba63
- SHA1
- d0875563044af098a9646b349ad09682277df4f2
- SHA256
- 25694cca0cd50dfd823a7cdda5cc16b15505eed8e804f2f18392e60ce2e3498a
-
informebancarioymotivodelpagorechazado.xla.LNK
- Size
- 676B (676 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Mar 1 14:39:23 2024, mtime=Fri Mar 1 14:39:23 2024, atime=Fri Mar 1 14:39:34 2024, length=30720, window=hide
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- f7d794b59e570a0ac9f557da169b78e4
- SHA1
- 9c46779a77dcfc43942820feaf2fd107f952c822
- SHA256
- 07ad421af68862aa28f5733fac3078beb17d361f8881cb5e748b7dc60b850e04
-
f_1_.txt
- Size
- 175KiB (178941 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- a26a05dd7d61c09d56f0f2692b367826
- SHA1
- 62aa0066fdca23c5f3168308c7b8ddf1bf204e31
- SHA256
- f9ef7d2a8897d240f6294a9fa937f01c8a2aafdad804300a04765375980326f8
-
js_1_.js
- Size
- 268KiB (274243 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 785c26912cac153c1c69d19d72786696
- SHA1
- 903f21e633f4496e2a30751dcf90d7d60a1c20f6
- SHA256
- 202c13f64346e98d7fa7750dad837acff139ca59e4489efa7ff07f3ce45730db
-
bootstrap.min_1_.css
- Size
- 160KiB (163873 bytes)
- Type
- text
- Description
- UTF-8 Unicode text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 94994c66fec8c3468b269dc0cc242151
- SHA1
- ec16bd19bf4ae9bc2e2336ac409a503bbbdaacad
- SHA256
- 62f74b1cf824a89f03554c638e719594c309b4d8a627a758928c0516fa7890ab
-
jquery.min_1_.js
- Size
- 87KiB (89501 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 8fb8fee4fcc3cc86ff6c724154c49c42
- SHA1
- b82d238d4e31fdf618bae8ac11a6c812c03dd0d4
- SHA256
- ff1523fb7389539c84c65aba19260648793bb4f5e29329d2ee8804bc37a3fe6e
-
bootstrap-icons_1_.css
- Size
- 79KiB (80510 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 79877fb82de8ca50845081e3c9a201c5
- SHA1
- 4f6ea69c0e03431ffa1a097a45453b5b3b246d8b
- SHA256
- af35cc6aba34e5005de77099dfa72d4c1a7715d28ddcec343f48031dc8cb08bc
-
bootstrap.bundle.min_1_.js
- Size
- 76KiB (78129 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 7ccd9d390d31af98110f74f842ea9b32
- SHA1
- a85e681624c91a106a514c31eacf80de817b2cc3
- SHA256
- f5210fa3e7f0245a4c51eb7f280092c0ef99fdd28c45e17dab8cc5854fdf4fd3
-
bootstrap-colors_1_.css
- Size
- 43KiB (43652 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 12d443e8f957774232da156e522d8695
- SHA1
- 709a73db883c8c7c4f9e11632ebfd85169f18ce4
- SHA256
- 2a998714a9c296d9e52fed0fb51a8a953b43fe51e7be739fbb30ab694e3acc1c
-
bootstrap-colors-themes_1_.css
- Size
- 32KiB (33025 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with no line terminators
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 04c56e52da14a6c7049124b3ee55faab
- SHA1
- f866d6aa6acdac64f1bb02115ac702f1719385b3
- SHA256
- 1049e41d680f008916fe5e4d4fc426940842ef0956074bd8bb9f7fb682b782a0
-
jquery.validate.min_1_.js
- Size
- 24KiB (24376 bytes)
- Type
- script javascript
- Description
- UTF-8 Unicode text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 8a25965d822705f957a243443d219787
- SHA1
- 0da4c535b50bdb4dffa3b5fae3e999aeee137cb5
- SHA256
- b0f074179d185032b4a2d0e7b1f3476b0626039334a638d47f84ef44990616b2
-
jxbbs2022.06.06_1_.css
- Size
- 19KiB (19916 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with no line terminators
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 894b29766fc4d750909f06cc71f4fb59
- SHA1
- ca2f0cb0dff9121f7b07f3106ac25c62c0703711
- SHA256
- 2dbb0cd9ba4f7f42e057aca8a0594ee9e60298f2b984be1f6431155c09b6f889
-
pretty-checkbox.min_1_.css
- Size
- 19KiB (19286 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 3b4feda74f49792ae92118d3846eed84
- SHA1
- 7c5d27a0b39bbd8029367305045826383224193a
- SHA256
- b08d7830746349ff8a17d3234078ea1e46c33f0b1d29752484151d9c60a0d625
-
vspacing.min_1_.css
- Size
- 12KiB (11891 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with no line terminators
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- ffdd44692c7f4443ab12574a1cb690d8
- SHA1
- 3aed6f62fda7dde8da291749aac38e4036cf1adc
- SHA256
- 62f2dd5b01bee5bc2fc68956ae9097ef89a6072814af05c0d85d4187f32b2ada
-
bootstrap-select.min_1_.css
- Size
- 12KiB (11825 bytes)
- Type
- text
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 841b4e6f21e9ed0aef6829d258a822b6
- SHA1
- 9faae07f6bfa1612ae4eb56fa0ae169c9b42b494
- SHA256
- 7300c976e6ccb2f209700618e445d4640b902f14a510bc45610971becc5d62cf
-
zrt_lookup_nohtml_1_.htm
- Size
- 10KiB (10296 bytes)
- Type
- html
- Description
- HTML document, ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 4894adcb983fff27950325181cb1b93d
- SHA1
- 0f135a06adccc1553177cc99b09faa7df4d2142f
- SHA256
- 16b2554192f0343ace41fe01d15ffb5e1d6eb8ebea17c344c4b180ef2d107d04
-
lazysizes.min_1_.js
- Size
- 7.6KiB (7771 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- b80e49640d4794d4333d00db76ea22f7
- SHA1
- 72ced7e7e78ccb760c4050d7ee12d86c38671756
- SHA256
- fb649fcae62177dfe63e67081ddceb830b5ce1f05a4184e9bbb7d87ac4b8f4e5
-
ekko-lightbox.min_1_.css
- Size
- 7.2KiB (7358 bytes)
- Type
- text
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 90b38212ac4cb3eac20e15dc34ef2e4b
- SHA1
- 5336ffb1b5766d8af624d04b949e0b39f6a0e85c
- SHA256
- 060991b2a75807681a90e14ab6cfdbc63ceb8edb180482d0fa29c15e0754707f
-
dayjs.min_1_.js
- Size
- 6.3KiB (6410 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines
- Runtime Process
- EXCEL.EXE (PID: 3692)
- MD5
- 63b957df5122d85eacbd24081d317487
- SHA1
- 470d9249d888426e6df8f1a4035ddc8950fa0237
- SHA256
- b72da63eb045ffc8dc25ed7e25f18ce65d87b18b3bcc46ecf9fe97d27a2b79ba
-
Notifications
-
Runtime
- Not all created files are visible for EXCEL.EXE (PID: 3692)
- Not all file accesses are visible for EXCEL.EXE (PID: 3692)
- Some low-level data is hidden, as this is only a slim report
- Not all sources for indicator ID "api-263" are available in the report
- Not all sources for indicator ID "registry-172" are available in the report
- Not all sources for indicator ID "string-102" are available in the report
- Not all sources for indicator ID "api-237" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-177" are available in the report
- Not all sources for indicator ID "registry-173" are available in the report