Edit tour

Windows Analysis Report
https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/

Overview

General Information

Sample URL:	https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/
Analysis ID:	1502352
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2748 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 --field-trial-handle=2280,i,18288379450182580564,15341699228832172337,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1412 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	Avira URL Cloud: detection malicious, Label: phishing
Source: https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	SlashNext: detection malicious, Label: Fraudulent Website type: Phishing & Social Engineering

Antivirus detection for URL or domain

Source: https://phy.lew.mybluehost.me/favicon.ico

Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: phy.lew.mybluehost.me

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for submitted file

Source: https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/

Virustotal: Detection: 16%

Perma Link

Source: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49731 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /wp-content/plugins/L/LM/TU17HLK/ HTTP/1.1Host: phy.lew.mybluehost.meConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: phy.lew.mybluehost.meConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /media/user/suspended_account/_bh/suspended.css HTTP/1.1Host: bluehost-cdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://phy.lew.mybluehost.me/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /media/user/suspended_account/_bh/beback-soon.png HTTP/1.1Host: bluehost-cdn.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://phy.lew.mybluehost.me/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: phy.lew.mybluehost.meConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgiAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: phy.lew.mybluehost.meConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgiAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /media/user/suspended_account/_bh/beback-soon.png HTTP/1.1Host: bluehost-cdn.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: phy.lew.mybluehost.meConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dug8gMEef62hXN7&MD=awSTdppy HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dug8gMEef62hXN7&MD=awSTdppy HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: phy.lew.mybluehost.me
Source: global traffic	DNS traffic detected: DNS query: bluehost-cdn.com

Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS2mu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSCmu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSGmu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSKmu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSOmu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSumu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSymu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTUGmu1aB.woff2)
Source: chromecache_67.1.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTVOmu1aB.woff2)

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49731 version: TLS 1.2

Source: classification engine

Classification label: mal72.win@16/18@10/6

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 --field-trial-handle=2280,i,18288379450182580564,15341699228832172337,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 --field-trial-handle=2280,i,18288379450182580564,15341699228832172337,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	100%	Avira URL Cloud	phishing
https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	17%	Virustotal		Browse
https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	100%	SlashNext	Fraudulent Website type: Phishing & Social Engineering

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.google.com	0%	Virustotal	Browse
phy.lew.mybluehost.me	5%	Virustotal	Browse
bluehost-cdn.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://phy.lew.mybluehost.me/favicon.ico	100%	Avira URL Cloud	phishing
https://bluehost-cdn.com/media/user/suspended_account/_bh/beback-soon.png	0%	Avira URL Cloud	safe
https://bluehost-cdn.com/media/user/suspended_account/_bh/suspended.css	0%	Avira URL Cloud	safe
https://bluehost-cdn.com/media/user/suspended_account/_bh/suspended.css	0%	Virustotal		Browse
https://bluehost-cdn.com/media/user/suspended_account/_bh/beback-soon.png	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
phy.lew.mybluehost.me	50.87.169.246	true	false	5%, Virustotal, Browse	unknown
bluehost-cdn.com	34.233.140.183	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.186.68	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi	false		unknown
https://bluehost-cdn.com/media/user/suspended_account/_bh/suspended.css	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bluehost-cdn.com/media/user/suspended_account/_bh/beback-soon.png	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://phy.lew.mybluehost.me/favicon.ico	false	Avira URL Cloud: phishing	unknown
https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
34.233.140.183	bluehost-cdn.com	United States	14618	AMAZON-AESUS	false
50.87.169.246	phy.lew.mybluehost.me	United States	46606	UNIFIEDLAYER-AS-1US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502352
Start date and time:	2024-09-01 00:48:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.win@16/18@10/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.163, 216.58.206.78, 74.125.133.84, 34.104.35.123, 142.250.184.234, 172.217.18.3, 199.232.214.172, 192.229.221.95, 13.85.23.206, 142.250.185.99
Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, glb.cws.prod.dcat.dsp.trafficmanager.net, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi Model: jbxai	{ "brand":[], "contains_trigger_text":false, "prominent_button_name":"unknown", "text_input_field_labels":["unknown"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":true, "has_visible_qrcode":false}

Input

Output

URL: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi Model: jbxai

{
"brand":[],
"contains_trigger_text":false,
"prominent_button_name":"unknown",
"text_input_field_labels":["unknown"],
"pdf_icon_visible":false,
"has_visible_captcha":false,
"has_urgent_text":true,
"has_visible_qrcode":false}

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 31 21:49:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.979254907522656
Encrypted:	false
SSDEEP:	48:8hdmTCeFHhidAKZdA19ehwiZUklqehTy+3:8KH5oy
MD5:	767B5F22111B72580DBD76A24814BD0B
SHA1:	0F386D9BB352037F031A642E633920A1BA65030E
SHA-256:	5E443E3574C32863899A473D520DADDD62ACAB90892215D5D61A43EC2A8577ED
SHA-512:	04B160F2D918E135AAA57BF8F2D5AF32DC282110DA08EDCF9F017CD8CF6EEA72A20C45438752FB732CE57FDF82CEE539E69936BD7832DC3C969D0AD89E48F9FE
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......l.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y).....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y).....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y).....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y)............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 31 21:49:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.995551299667221
Encrypted:	false
SSDEEP:	48:8IdmTCeFHhidAKZdA1weh/iZUkAQkqehYy+2:8pHr9Q1y
MD5:	B7FDBFE517F646A7438A252E43772452
SHA1:	C71A503D436F483B9FDF1BCAD99C8B6F8B51B039
SHA-256:	6546D349D6898EF30507B137B4C376FB53C1C3255246F794B80A10E42F8277CA
SHA-512:	BE3C7445050781E7D3C2DE06F65DC480D2DB65BB11F39665523827572EEF2545AD2CAC833D03DA7A4413D17C688DA45C67BFED5431C1C541B56D852B398E954C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......].....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y).....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y).....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y).....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y)............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.006546601498298
Encrypted:	false
SSDEEP:	48:8xHdmTCesHhidAKZdA14tseh7sFiZUkmgqeh7sSy+BX:8x4Honsy
MD5:	E0F7D30E91DC43CF1FAD8C33BA4F54E4
SHA1:	2B4E500E95DCECB67213DE8B18D7D5040C626E54
SHA-256:	70C07005E686E8C388453A0194DCFE407DE7DA3D52DB3F1D9D32E53B954A5881
SHA-512:	B4776767F24ACE5944042773499F1C8215A994A1036CCDDB11AD1359132D180AF72B52947E081DA5DD6473288AF95DF39DE9FF7F6F2E37A1560DA498B246E7B5
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y).....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y).....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y).....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y)............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 31 21:49:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9945264416739
Encrypted:	false
SSDEEP:	48:8OdmTCeFHhidAKZdA1vehDiZUkwqeh0y+R:8vHoay
MD5:	50196E0B1C69500B263145ADEFDC5376
SHA1:	DB7B0859DBF32BCB883766508328F644CC9D0B56
SHA-256:	9FAA59FFA4ADCDB8D748710E74F2D2154A85C4AACFE4AA36B9F6F0D52C192C01
SHA-512:	47DD254DBF1E95EB034EC9C196D15095B538D54DB21E8C09D882260CD2FE4373D955C82F0A573407E6838D3929EE50889286BA19CD01436FBA7D5733B27BD165
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....q.X.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y).....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y).....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y).....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y)............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 31 21:49:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.981575344871714
Encrypted:	false
SSDEEP:	48:8bdmTCeFHhidAKZdA1hehBiZUk1W1qehGy+C:88H49my
MD5:	3FC9A4B6CBCAB5A9CC6C311FF3A76CBF
SHA1:	EFED52D81A93004D4CBE4BEC53BC3C79AB0A7FEC
SHA-256:	901ED20FFB986BB1C3EDB402F7F92E941D895EE147999A2D7C462DFDBE66695D
SHA-512:	D254462DF37813CBF714B1F0A20A4B558CBD839DC50EBE52B94402F92B7E34A1D8BD91BBB6285CC119B31D6A3A0339BA70385FF0591F28E2A61B1B75230FB871
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......f.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y).....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y).....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y).....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y)............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 31 21:49:27 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.9930200628283816
Encrypted:	false
SSDEEP:	48:8+dmTCeFHhidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbsy+yT+:8/HWT/TbxWOvTbsy7T
MD5:	94D661DC38CCE5ED3643492C56194465
SHA1:	65214474C203511F93654B8646530D2A5D34EF26
SHA-256:	C25EC6122828A04C5AB8F36D6E399EDBCD5BDF6EBB68CE717B7B0E28D5364548
SHA-512:	F1D7376B036DCB56ED355DC8B9D2E5C5953961C88EE78DEBEFC70E6CE0973E9D5F4DDD8AEC81EF3045F289510A7228C03A5B83BEC947C8B0084E5716606999DF
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....v.O.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Y).....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y).....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y).....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y)............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............9.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	946
Entropy (8bit):	4.810938905259325
Encrypted:	false
SSDEEP:	12:hYUy7G2CnddWNWprzaSbZBEdYXg2y/iEftCxRxwHEV7FzVKiw/7WoQL:hYUCZC3WNIbZyOXXyKEMRxUg8dQ
MD5:	624B88AEE8E0DE419722288D2978F917
SHA1:	5E2AB4F6E167B86F3C824080381E5656EED0C2FE
SHA-256:	B4537CCF6B54E753C4D82946E5733C45C28AED807744495935C7357F53A702A9
SHA-512:	E6F62FB6D96118B275D0B0867E5F6C04601E1047AF1F0814E3235339BB30D15433D7624F52B08E76933958CE17AB61C75D683BF77D177B3FE002B56898AF6E30
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>.<html lang="en">. <head>. <meta charset="UTF-8">. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <link rel="stylesheet" href="//bluehost-cdn.com/media/user/suspended_account/_bh/suspended.css">. <link rel="preconnect" href="//fonts.gstatic.com">. <link href="//fonts.googleapis.com/css2?family=Open+Sans:wght@300;400&display=swap" rel="stylesheet">. </head>. <body>. <div>. <img class="suspend-photo" src="//bluehost-cdn.com/media/user/suspended_account/_bh/beback-soon.png" alt="Account suspended photo">. <h2 class="suspend-text">Account Suspended!</h2>. <p class="contact-support">Please contact our support team for further assistance.</p>. <p class="questions">*If you.re the owner of this website and have questions, reach out to Bluehost. We.re happy to help.</p>. </div>. </body>.</html>.

Chrome Cache Entry: 63

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 1430 x 982, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	43201
Entropy (8bit):	7.659124990561904
Encrypted:	false
SSDEEP:	768:LugxQTPvEE/wt7V88rsJDyE+w04UgOHX0voOdejIU0MKADQzR+Ra:LSDcewB5r8DyEs4XO30voOeZDU84
MD5:	495826852EE860B53716AEEDFCAD9F75
SHA1:	6FF9EEF566AA5BFE11749B37E16C1F24941633CC
SHA-256:	A9119A330A2C1F636051FC96E31AF730D7BD096D358D7AD1681AC3770630F4A8
SHA-512:	8A6DEE67E925081690D085DC789E7142F33F8C131323A3C067F46C0E2C913EF6651AC64EE61067C6E678FCBAF0FFA91F4BC6CE814F3050647D2736E63609A326
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............s..Q....IDATx...Q.. .......k.z.P...}.......'......,..e......2.....b.............X.....@,......X.....@,..... ..............e......2......e......2.....b.............X.....@,......X.....@,..... ...............T......e......2.....b.............X.............X.....@,..... ..............e.............e......2.....b.............X.............X.....@,..... .............$........e......2.....b.............b.............X.....@,..... ............. ..............e......2.....b.............b.............X.....@,..... .S..... ..............e......2.....b.......2.....b.............X.....@,..... ......@,..... ..............e......2.....b.......2.....b.............X.....@,......@,..... ..............e......2......e......2.....b.............X.....@,......X.....@,..... ..............e......2......e......2.....b.............XN......X.....@,..... ..............e.............e......2.....b.............X.............X.....@,..... ..............e.............e......2.....b.......

Chrome Cache Entry: 64

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 48236, version 1.0
Category:	downloaded
Size (bytes):	48236
Entropy (8bit):	7.994912604882335
Encrypted:	true
SSDEEP:	768:uj6JxavgLx5rjTH3CdZ3y11o4uMb2IVEhiB6z6GAAHJApICtBgso6HaOjTXHRWK:ujoa4LxZPCdm3B2IVEhiB62apApISxos
MD5:	015C126A3520C9A8F6A27979D0266E96
SHA1:	2ACF956561D44434A6D84204670CF849D3215D5F
SHA-256:	3C4D6A1421C7DDB7E404521FE8C4CD5BE5AF446D7689CD880BE26612EAAD3CFA
SHA-512:	02A20F2788BB1C3B2C7D3142C664CDEC306B6BA5366E57E33C008EDB3EB78638B98DC03CDF932A9DC440DED7827956F99117E7A3A4D55ACADD29B006032D9C5C
Malicious:	false
Reputation:	low
URL:	https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTS-muw.woff2
Preview:	wOF2.......l......D...............................O..B..h?HVAR.x.`?STAT.$'...0+...\|.../V........+..2.0..6.6.$..`. ..~......[B4q.....t..P.M_.z...1..R.S...u.#..R....fR.1.N.v.N.P...;.2........!Z......Qs...5f.G.K.an2&....2.........C.H.t..N!.....nh.<(.vN.....j.._.L.P.t..Ai.%.............._I.i,..o,C.].H.X9.....a.=N....k.....n.L..k.f.u..{...:.}^\[..~5...Z`...........`!...%4..,...K0..&.a/....P....S....m.Z......u...D.j.F...f.0`I.`.`.h#..)(FQ.F!o$........S.).MV8%Rh...r...x...T]$.=......Y...!.3.&U..."....Q....{.l/0..d..4iJ/..}...3....i[Z..NG.WD...>.[U..Q.h..@m.=..S...1C2...d...<..v.?.q.f..n...OUz.....&Z......Z."..N.....n...9.B..C..W....}...W..6Zs.i.+Z........jB.n..x.8M.....q..@I....-.%..,C,..K..#.2...4)/.v_..x.<....t.....%[.4?.=j.V..jj''..W.u..q....I.L.=......E...\.M.7{.>......W........C.`...,9$......\..o........y...4A..m.P.,X..=?.:................wF`..+.P..........M!.4.......l.>M..t.ff5r..^..Z.g...!fA,hIIQ...e.R>B.AH.VuX..>..\.=.ky...1>C....>C.c.;...6D.

Chrome Cache Entry: 65

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, from Unix, original size modulo 2^32 946
Category:	downloaded
Size (bytes):	496
Entropy (8bit):	7.547708485132795
Encrypted:	false
SSDEEP:	12:XsDmYs8WokyEYUFwEKkyDM2/E0bNYn7YZXW:XbDyELFpKkQNNa7EW
MD5:	8A4739ACEFA3FA43B4A319B0EE0F56E2
SHA1:	210B981647C164A2FD0EE66955B042AD00380E75
SHA-256:	A50AC9698612931225B9407C63EF64247CA096FB260F6F48F7E1325F1E0A1841
SHA-512:	69BF338BD37F31F346BD578DBC1B73A062E68545044FB62C8CD723B2658AA14C52885E5FC002589F7C0BFE5648FE58689B716705B9872775B1487269198066B3
Malicious:	false
Reputation:	low
URL:	https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi
Preview:	...........RKr.0...):^......)..?U...$E.J...,..<.\..q.4..1....-.}.......n.]}..:.....4..L.$........);..B.g.er{.9.HN..vT&+E..>$ ..d..A.A.5...tS..2(.)..T>...tZ.{....%Q..2..J.$-.T.&...;...=..gG.........]%...`........GBMl.....%.J..'7.m5.S.....o...........Z...._........]..m..!....xd.V.C..Q].B#sd..N...&.^....P.l..i.@.C}7.=.&..?rqj'....~....>.'`......r.6oky.....}...........}..!2............8(k..x.......~z.H.v0..6.P..U.....$......!...D...oG..W..$:7..$i...".Y.S.q"....o).1....

Chrome Cache Entry: 66

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 1430 x 982, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	43201
Entropy (8bit):	7.659124990561904
Encrypted:	false
SSDEEP:	768:LugxQTPvEE/wt7V88rsJDyE+w04UgOHX0voOdejIU0MKADQzR+Ra:LSDcewB5r8DyEs4XO30voOeZDU84
MD5:	495826852EE860B53716AEEDFCAD9F75
SHA1:	6FF9EEF566AA5BFE11749B37E16C1F24941633CC
SHA-256:	A9119A330A2C1F636051FC96E31AF730D7BD096D358D7AD1681AC3770630F4A8
SHA-512:	8A6DEE67E925081690D085DC789E7142F33F8C131323A3C067F46C0E2C913EF6651AC64EE61067C6E678FCBAF0FFA91F4BC6CE814F3050647D2736E63609A326
Malicious:	false
Reputation:	low
URL:	https://bluehost-cdn.com/media/user/suspended_account/_bh/beback-soon.png
Preview:	.PNG........IHDR.............s..Q....IDATx...Q.. .......k.z.P...}.......'......,..e......2.....b.............X.....@,......X.....@,..... ..............e......2......e......2.....b.............X.....@,......X.....@,..... ...............T......e......2.....b.............X.............X.....@,..... ..............e.............e......2.....b.............X.............X.....@,..... .............$........e......2.....b.............b.............X.....@,..... ............. ..............e......2.....b.............b.............X.....@,..... .S..... ..............e......2.....b.......2.....b.............X.....@,..... ......@,..... ..............e......2.....b.......2.....b.............X.....@,......@,..... ..............e......2......e......2.....b.............X.....@,......X.....@,..... ..............e......2......e......2.....b.............XN......X.....@,..... ..............e.............e......2.....b.............X.............X.....@,..... ..............e.............e......2.....b.......

Chrome Cache Entry: 67

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1572)
Category:	downloaded
Size (bytes):	11634
Entropy (8bit):	5.3577118756441005
Encrypted:	false
SSDEEP:	192:f/Pz+qSc6uy9rbqGIwYGV1pi/KWbqXV6uyErbqGIwYjc1Yf:nb8q9DaHq9N
MD5:	D404D8BE119B0C778116319D1B9FE734
SHA1:	C62A27A948F601BF3781EBEBD5049FF6AB89593D
SHA-256:	8BD8A746EFD5972536245F2F2C6E4213360405BE048112EE66E3A2612EDB43BF
SHA-512:	5C7BD037730E92BAE8ABE6DA9C327AF4612C9DEFFBEE64C373CB71F458BB9B9D302FB515A8523A3BA82EAE5BA5385B453CF641CA172FF6B5F4473EC38AC25C9C
Malicious:	false
Reputation:	low
URL:	https://fonts.googleapis.com/css2?family=Open+Sans:wght@300;400&display=swap
Preview:	/* cyrillic-ext /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 300;. font-stretch: 100%;. font-display: swap;. src: url(https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSKmu1aB.woff2) format('woff2');. unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;.}./ cyrillic /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 300;. font-stretch: 100%;. font-display: swap;. src: url(https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSumu1aB.woff2) format('woff2');. unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;.}./ greek-ext /.@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 300;. font-stretch: 100%;. font-display: swap;. src: url(https://fonts.gstatic.com/s/opensans/v40/memvYaGs126MiZpBA-UvWbX2vVnXBbObj2OVTSOmu1aB.woff2) format('woff2');. unicode-range: U+1F00-1FFF;.}./ greek

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	955
Entropy (8bit):	4.875299756989579
Encrypted:	false
SSDEEP:	24:SF68pSAzxYRGvyOSejw0GvOcw0O8BDcZA:SFPSU6GvyOS8GvnOwDQA
MD5:	6AC12DE9CA46F24A05A01C7BA24C40DC
SHA1:	27F9E7A53436525AFF12B1A1E4FB6486DCDE8A08
SHA-256:	33FB84F9CC077193B201B1BBFFC3F98AF428A915202E911ACF56BC822834B4D4
SHA-512:	F94034D5A53D2DE17ED903A761CBCF39F133D43F0A7690351FA917709B29B7E5190FA06F58974A7491C65D71C717C9CC958C5AB1DBD1EB32F92401CAC01F4EC3
Malicious:	false
Reputation:	low
URL:	https://bluehost-cdn.com/media/user/suspended_account/_bh/suspended.css
Preview:	.suspend-photo {. background: transparent url('bh-beback-soon.png') no-repeat;. background: center;. width: 100%;. height: 100%;. opacity: 1;.}..suspend-text {. position: absolute;. font-size: 36px;. top: 370px;. margin-left: 10px;. color: #5C5C5C;. opacity: 1;. font-weight: 200;. font-family: 'Open Sans', sans-serif;.}..contact-support {. position: absolute;. font-size: 16px;. text-align: center;. top: 450px;. margin-left: 10px;. color: #5B5B5B;. font-family: 'Open Sans', sans-serif;.}..questions {. text-align: center;. color: #5B5B5B;. font-family: 'Open Sans', sans-serif;. font-size: 15px;.}.@media (max-width: 600px) {. .suspend-text {. font-size: 1.0em;. top: 60px;. }. .contact-support {. font-size: 14px;. top: 85px;. }.}.@media (min-width: 768px) and (max-width: 1024px) {. .suspend-text {. font-size: 1.25em;. top: 200px;. }. .contact-support {. font-size: 15px;. top: 245px;. }.}.

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 00:49:15.972050905 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 1, 2024 00:49:15.987653971 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 1, 2024 00:49:16.143918037 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 1, 2024 00:49:25.596276999 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 1, 2024 00:49:25.658061028 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 1, 2024 00:49:25.798707962 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 1, 2024 00:49:27.384113073 CEST	443	49703	23.1.237.91	192.168.2.5
Sep 1, 2024 00:49:27.384210110 CEST	49703	443	192.168.2.5	23.1.237.91
Sep 1, 2024 00:49:27.663790941 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:27.663824081 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:27.663887024 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:27.664195061 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:27.664206028 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:27.713571072 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:27.713608980 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:27.714117050 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:27.714155912 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:27.714169979 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:27.714226007 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:27.714728117 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:27.714745998 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:27.714874029 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:27.714884043 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.251378059 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.251914978 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.251946926 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.252996922 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.253103018 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.256764889 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.256851912 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.257541895 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.257560015 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.299530983 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.303782940 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.303811073 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.304930925 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.305013895 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.307149887 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.307231903 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.308322906 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.360630989 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.360649109 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.365367889 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:28.398737907 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:28.398753881 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:28.399898052 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:28.399960041 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:28.402663946 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:28.402746916 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:28.409393072 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.452091932 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:28.452107906 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:28.498931885 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:28.625257969 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.670816898 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.670855999 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:28.682797909 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:28.728491068 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:29.100805998 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:29.146799088 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:29.194731951 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.194765091 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.194823980 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.195137024 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.195162058 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.195210934 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.195550919 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.195566893 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.195866108 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.195877075 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.807576895 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.810333967 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.849076986 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.865211964 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.962506056 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.962523937 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.962831974 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.962853909 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.963748932 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.963762999 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.963810921 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:29.964478016 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:29.964565039 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.205717087 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.205873013 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.206623077 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.206804037 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.208137035 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.208147049 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.208492994 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.208508968 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.248197079 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.264679909 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.492625952 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.492710114 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.492897987 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.522504091 CEST	49716	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.522522926 CEST	443	49716	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756783009 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756813049 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756822109 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756854057 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756867886 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756876945 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756886005 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.756911039 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.756931067 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.756958961 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.757864952 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.757873058 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.757900953 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.757939100 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.757946014 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.757987022 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.758002996 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.759054899 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.759092093 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.759135962 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:30.759141922 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.759187937 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.871634007 CEST	49715	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:30.871669054 CEST	443	49715	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:31.133373022 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:31.133424044 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:31.133491993 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:31.135576010 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:31.135588884 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:31.713274956 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:31.713305950 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:31.752151966 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:31.752190113 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:31.752262115 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:31.752485991 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:31.752500057 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:31.797066927 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:31.797167063 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:31.837146997 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:31.837184906 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:31.837480068 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:31.899446964 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:31.932182074 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:32.051556110 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:32.068006992 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:32.105221987 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:32.105230093 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:32.112500906 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:32.224250078 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.224961996 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.224989891 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.226223946 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.226314068 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.230271101 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.230339050 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.230776072 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.230784893 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.257086992 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:32.257160902 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:32.257392883 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:32.278819084 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.432966948 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:32.467082977 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.467109919 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.467117071 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.467130899 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.467160940 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.467231989 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.467267990 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.467284918 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.467315912 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.468980074 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.469000101 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.469073057 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.469080925 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.469122887 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.556246042 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.556296110 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.556322098 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.556335926 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.556349993 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.556385994 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.556405067 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.591327906 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:32.599351883 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:32.599395037 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:32.599411964 CEST	49719	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:32.599417925 CEST	443	49719	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:32.785542965 CEST	49720	443	192.168.2.5	34.233.140.183
Sep 1, 2024 00:49:32.785573959 CEST	443	49720	34.233.140.183	192.168.2.5
Sep 1, 2024 00:49:32.999028921 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:32.999069929 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:32.999152899 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:32.999583006 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:32.999603033 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.447407007 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:33.447443008 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:33.447567940 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:33.447906971 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:33.447922945 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:33.631344080 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.631439924 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:33.675940990 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:33.675972939 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.676327944 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.677383900 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:33.720510960 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.906387091 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.906485081 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.906580925 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:33.930088997 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:33.930120945 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:33.930140972 CEST	49722	443	192.168.2.5	184.28.90.27
Sep 1, 2024 00:49:33.930147886 CEST	443	49722	184.28.90.27	192.168.2.5
Sep 1, 2024 00:49:34.033747911 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:34.034187078 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:34.034215927 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:34.035109997 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:34.035168886 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:34.035553932 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:34.035615921 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:34.035918951 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:34.035928011 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:34.076014042 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:34.441451073 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:34.482259035 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:34.482299089 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:34.529138088 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:36.120704889 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:36.120757103 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:36.121066093 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:36.122001886 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:36.122014999 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:36.704433918 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:36.704507113 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:36.706458092 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:36.706470013 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:36.706686974 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:36.747859001 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.256405115 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.300501108 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.434262991 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:37.434367895 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:37.434423923 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:37.447489977 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.447515965 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.447524071 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.447534084 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.447570086 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.447593927 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.447612047 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.447647095 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.447664022 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.447793961 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.447859049 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.447864056 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.448095083 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:37.448141098 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.892592907 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:37.892592907 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:37.892653942 CEST	443	49709	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:37.892714977 CEST	49709	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:37.967144966 CEST	49724	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:49:37.967178106 CEST	443	49724	20.12.23.50	192.168.2.5
Sep 1, 2024 00:49:38.260273933 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:38.260735989 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:49:38.260811090 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:38.462858915 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:38.462949991 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:38.463073969 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:39.442084074 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:39.442168951 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:39.442230940 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:40.271686077 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:40.271718979 CEST	443	49723	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:40.271730900 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:40.271785021 CEST	49710	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:40.271806002 CEST	49723	443	192.168.2.5	50.87.169.246
Sep 1, 2024 00:49:40.271807909 CEST	443	49710	50.87.169.246	192.168.2.5
Sep 1, 2024 00:49:40.271814108 CEST	49711	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:49:40.271840096 CEST	443	49711	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:14.659471989 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:14.659507036 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:14.659567118 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:14.659918070 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:14.659934998 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.239237070 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.239326000 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.243360996 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.243372917 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.243623972 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.252319098 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.292500019 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.444387913 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.444408894 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.444468021 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.444508076 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.444531918 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.444561005 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.444890022 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.445597887 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.445673943 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.445692062 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.445704937 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.445776939 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.446063995 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.446703911 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.448620081 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.448620081 CEST	49731	443	192.168.2.5	20.12.23.50
Sep 1, 2024 00:50:15.448632956 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:15.448641062 CEST	443	49731	20.12.23.50	192.168.2.5
Sep 1, 2024 00:50:27.461077929 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:27.461097002 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:27.461160898 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:27.461601973 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:27.461616039 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:28.090068102 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:28.105179071 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:28.105190992 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:28.105588913 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:28.105937958 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:28.106000900 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:28.154151917 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:38.032713890 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:38.032790899 CEST	443	49733	142.250.186.68	192.168.2.5
Sep 1, 2024 00:50:38.032864094 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:39.908042908 CEST	49733	443	192.168.2.5	142.250.186.68
Sep 1, 2024 00:50:39.908087015 CEST	443	49733	142.250.186.68	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2024 00:49:25.656109095 CEST	53	49711	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:25.732155085 CEST	53	55440	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:26.731832027 CEST	53	64235	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:27.442313910 CEST	63781	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:27.442380905 CEST	55804	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:27.442555904 CEST	62028	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:27.442687035 CEST	56644	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:27.448915958 CEST	53	55804	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:27.448982954 CEST	53	63781	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:27.454061985 CEST	53	62028	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:27.455090046 CEST	53	56644	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:29.185489893 CEST	61095	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:29.185728073 CEST	58724	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:29.193444967 CEST	53	64708	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:29.193819046 CEST	53	61095	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:29.194248915 CEST	53	58724	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:29.665941000 CEST	53	64576	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:31.742702961 CEST	52636	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:31.743104935 CEST	56935	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:31.751195908 CEST	53	52636	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:31.751247883 CEST	53	56935	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:33.432760954 CEST	55016	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:33.433531046 CEST	49635	53	192.168.2.5	1.1.1.1
Sep 1, 2024 00:49:33.444988012 CEST	53	55016	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:33.447014093 CEST	53	49635	1.1.1.1	192.168.2.5
Sep 1, 2024 00:49:43.882466078 CEST	53	63744	1.1.1.1	192.168.2.5
Sep 1, 2024 00:50:02.936580896 CEST	53	52797	1.1.1.1	192.168.2.5
Sep 1, 2024 00:50:25.282639027 CEST	53	58233	1.1.1.1	192.168.2.5
Sep 1, 2024 00:50:25.629214048 CEST	53	54717	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 1, 2024 00:49:27.442313910 CEST	192.168.2.5	1.1.1.1	0xae4a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:27.442380905 CEST	192.168.2.5	1.1.1.1	0xe4b2	Standard query (0)	www.google.com	65	IN (0x0001)	false
Sep 1, 2024 00:49:27.442555904 CEST	192.168.2.5	1.1.1.1	0xa370	Standard query (0)	phy.lew.mybluehost.me	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:27.442687035 CEST	192.168.2.5	1.1.1.1	0x31e3	Standard query (0)	phy.lew.mybluehost.me	65	IN (0x0001)	false
Sep 1, 2024 00:49:29.185489893 CEST	192.168.2.5	1.1.1.1	0x4b11	Standard query (0)	bluehost-cdn.com	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:29.185728073 CEST	192.168.2.5	1.1.1.1	0x65	Standard query (0)	bluehost-cdn.com	65	IN (0x0001)	false
Sep 1, 2024 00:49:31.742702961 CEST	192.168.2.5	1.1.1.1	0x3dd5	Standard query (0)	bluehost-cdn.com	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:31.743104935 CEST	192.168.2.5	1.1.1.1	0x6d93	Standard query (0)	bluehost-cdn.com	65	IN (0x0001)	false
Sep 1, 2024 00:49:33.432760954 CEST	192.168.2.5	1.1.1.1	0x971c	Standard query (0)	phy.lew.mybluehost.me	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:33.433531046 CEST	192.168.2.5	1.1.1.1	0x84eb	Standard query (0)	phy.lew.mybluehost.me	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 1, 2024 00:49:27.448915958 CEST	1.1.1.1	192.168.2.5	0xe4b2	No error (0)	www.google.com		65	IN (0x0001)	false
Sep 1, 2024 00:49:27.448982954 CEST	1.1.1.1	192.168.2.5	0xae4a	No error (0)	www.google.com	142.250.186.68	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:27.454061985 CEST	1.1.1.1	192.168.2.5	0xa370	No error (0)	phy.lew.mybluehost.me	50.87.169.246	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:29.193819046 CEST	1.1.1.1	192.168.2.5	0x4b11	No error (0)	bluehost-cdn.com	34.233.140.183	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:29.193819046 CEST	1.1.1.1	192.168.2.5	0x4b11	No error (0)	bluehost-cdn.com	52.29.153.112	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:29.193819046 CEST	1.1.1.1	192.168.2.5	0x4b11	No error (0)	bluehost-cdn.com	18.216.86.236	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:29.193819046 CEST	1.1.1.1	192.168.2.5	0x4b11	No error (0)	bluehost-cdn.com	52.52.57.238	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:31.751195908 CEST	1.1.1.1	192.168.2.5	0x3dd5	No error (0)	bluehost-cdn.com	34.233.140.183	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:31.751195908 CEST	1.1.1.1	192.168.2.5	0x3dd5	No error (0)	bluehost-cdn.com	18.216.86.236	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:31.751195908 CEST	1.1.1.1	192.168.2.5	0x3dd5	No error (0)	bluehost-cdn.com	52.52.57.238	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:31.751195908 CEST	1.1.1.1	192.168.2.5	0x3dd5	No error (0)	bluehost-cdn.com	52.29.153.112	A (IP address)	IN (0x0001)	false
Sep 1, 2024 00:49:33.444988012 CEST	1.1.1.1	192.168.2.5	0x971c	No error (0)	phy.lew.mybluehost.me	50.87.169.246	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

phy.lew.mybluehost.me

https:

bluehost-cdn.com

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	50.87.169.246	443	2748	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:28 UTC	696	OUT	GET /wp-content/plugins/L/LM/TU17HLK/ HTTP/1.1 Host: phy.lew.mybluehost.me Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:28 UTC	299	IN	HTTP/1.1 302 Found Date: Sat, 31 Aug 2024 22:49:28 GMT Server: nginx/1.21.6 Content-Type: text/html; charset=iso-8859-1 Content-Length: 239 Location: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi X-Server-Cache: true X-Proxy-Cache: HIT host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
2024-08-31 22:49:28 UTC	239	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 68 79 2e 6c 65 77 2e 6d 79 62 6c 75 65 68 6f 73 74 2e 6d 65 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>
2024-08-31 22:49:28 UTC	689	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: phy.lew.mybluehost.me Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:29 UTC	733	IN	HTTP/1.1 200 OK Date: Sat, 31 Aug 2024 22:49:29 GMT Server: nginx/1.21.6 Content-Type: text/html Content-Length: 496 Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Server-Cache: false RKr0):^)?U$EJ,<\q41-}n]}:4L$); Bg er{9HNvT&+E>$ dAA5tS2()T>tZ{%Q2J$-T&;=gG]%`GBMl%J'7m5SoZ_]m!xdVCQ]B#sdN&^Pli@C}7=&?rqj'~>'`r6oky}}!28(kx~zHv06PU$! DoGW$:7$i"YSq"o)1
2024-08-31 22:49:31 UTC	623	OUT	GET /favicon.ico HTTP/1.1 Host: phy.lew.mybluehost.me Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:31 UTC	542	IN	HTTP/1.1 302 Found Date: Sat, 31 Aug 2024 22:49:31 GMT Server: nginx/1.21.6 Content-Type: text/html; charset=iso-8859-1 Content-Length: 239 Location: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi X-Server-Cache: true X-Proxy-Cache: EXPIRED host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi">here</a>.</p> </body></html>
2024-08-31 22:49:32 UTC	637	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: phy.lew.mybluehost.me Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://phy.lew.mybluehost.me/cgi-sys/suspendedpage.cgi Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:32 UTC	733	IN	HTTP/1.1 200 OK Date: Sat, 31 Aug 2024 22:49:32 GMT Server: nginx/1.21.6 Content-Type: text/html Content-Length: 496 Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Server-Cache: false RKr0):^)?U$EJ,<\q41-}n]}:4L$); Bg er{9HNvT&+E>$ dAA5tS2()T>tZ{%Q2J$-T&;=gG]%`GBMl%J'7m5SoZ_]m!xdVCQ]B#sdN&^Pli@C}7=&?rqj'~>'`r6oky}}!28(kx~zHv06PU$! DoGW$:7$i"YSq"o)1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49716	34.233.140.183	443	2748	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:30 UTC	581	OUT	GET /media/user/suspended_account/_bh/suspended.css HTTP/1.1 Host: bluehost-cdn.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://phy.lew.mybluehost.me/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:30 UTC	404	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 31 Aug 2024 22:49:30 GMT Content-Type: text/css Content-Length: 955 Connection: close Vary: Accept-Encoding Last-Modified: Tue, 09 Jul 2024 15:33:34 GMT ETag: "3bb-61cd240b846b2" Vary: Accept-Encoding Access-Control-Allow-Origin: * Expires: Sat, 07 Sep 2024 22:49:30 GMT Cache-Control: max-age=604800 X-Proxy-Cache: MISS Accept-Ranges: bytes
2024-08-31 22:49:30 UTC	955	IN	Data Raw: 2e 73 75 73 70 65 6e 64 2d 70 68 6f 74 6f 20 7b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 20 75 72 6c 28 27 62 68 2d 62 65 62 61 63 6b 2d 73 6f 6f 6e 2e 70 6e 67 27 29 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 63 65 6e 74 65 72 3b 0a 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 6f 70 61 63 69 74 79 3a 20 31 3b 0a 7d 0a 2e 73 75 73 70 65 6e 64 2d 74 65 78 74 20 7b 0a 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 36 70 78 3b 0a 20 20 74 6f 70 3a 20 33 37 30 70 78 3b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 30 70 78 3b 0a 20 20 63 6f 6c 6f 72 3a 20 23 35 43 35 43 Data Ascii: .suspend-photo { background: transparent url('bh-beback-soon.png') no-repeat; background: center; width: 100%; height: 100%; opacity: 1;}.suspend-text { position: absolute; font-size: 36px; top: 370px; margin-left: 10px; color: #5C5C

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	34.233.140.183	443	2748	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:30 UTC	629	OUT	GET /media/user/suspended_account/_bh/beback-soon.png HTTP/1.1 Host: bluehost-cdn.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://phy.lew.mybluehost.me/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:30 UTC	385	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 31 Aug 2024 22:49:30 GMT Content-Type: image/png Content-Length: 43201 Connection: close Last-Modified: Tue, 30 Mar 2021 21:51:54 GMT ETag: "a8c1-5bec801b2a2c2" Vary: Accept-Encoding Access-Control-Allow-Origin: * Expires: Sat, 07 Sep 2024 22:49:30 GMT Cache-Control: max-age=604800 X-Proxy-Cache: MISS Accept-Ranges: bytes
2024-08-31 22:49:30 UTC	15999	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 96 00 00 03 d6 08 06 00 00 00 73 e6 cd 51 00 00 a8 88 49 44 41 54 78 01 ec d8 51 01 80 20 10 05 b0 b3 8c cd 0c 6b 0f 7a 1c 50 80 00 8f 7d ac c4 ea fb c7 0b 00 27 00 00 00 00 d5 fd 2c b5 89 65 00 00 00 00 00 c4 32 00 00 00 00 00 62 19 00 00 00 00 00 b1 0c 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 20 96 01 00 00 00 00 10 cb 00 00 00 00 00 88 65 00 00 00 00 00 c4 32 00 00 00 00 00 88 65 00 00 00 00 00 c4 32 00 00 00 00 00 62 19 00 00 00 00 00 b1 0c 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 20 96 01 00 00 00 00 10 cb 00 00 00 00 00 88 e5 54 00 00 00 00 00 88 65 00 00 00 00 00 c4 32 00 00 00 00 00 Data Ascii: PNGIHDRsQIDATxQ kzP}',e2bX@,X@, e2e2bX@,X@, Te2
2024-08-31 22:49:30 UTC	16384	IN	Data Raw: 73 1e 97 f9 0b 2e c6 46 de a7 7d e1 df 71 dd 47 58 06 00 00 00 90 45 f3 6c 8e b7 cc 14 96 97 37 3a 32 fe 1c 13 de 5b 9b f1 5d cb af ed 3c 91 f4 d7 eb 8b c4 85 11 96 73 b1 a3 6e 7f 4e a3 f2 2d 15 75 b2 cf d1 2f a5 bc c6 fe 50 ce 7f ae e9 bb 97 e7 d9 1c 39 8d cb f7 ef 69 10 7f 2c 2e c3 8f 31 e6 8e c4 5f e7 ba 8f b0 0c 00 00 00 20 8b 66 d5 da 6f 2e a6 3b 96 07 fd cf 83 af 66 14 96 ef fe 60 5d f2 e7 3b d7 bb e5 ad fa 1e 64 d9 9d bb 9b f3 12 96 c7 94 d5 9b f2 fb 7f e1 a4 43 ae dd d1 28 57 ef 68 c8 89 bb f6 b7 c9 cc 5a 57 de bf 2f 67 38 6e b2 3b c2 bd 79 fb f9 b6 a1 b5 47 6e ad a8 cb 59 5c d6 77 46 47 8c 84 0c 1d 63 2c 6c a8 5d 5c f7 11 96 01 00 00 00 64 d9 d2 06 c7 a1 62 b9 5b 79 d0 82 ea 76 f9 8f b1 8f a7 1d 96 2f 7a ec cd a4 bf d6 6d fb da e4 9a ca 56 64 d9 Data Ascii: s.F}qGXEl7:2[]<snN-u/P9i,.1_ fo.;f`];dC(WhZW/g8n;yGnY\wFGc,l]\db[yv/zmVd
2024-08-31 22:49:30 UTC	10818	IN	Data Raw: c7 51 19 9d e7 30 df d4 e6 73 f5 29 32 af 28 aa 4a 91 50 4b 58 e6 cb fb 7a 17 96 7f 33 f2 3d f5 b8 01 bb 6b f9 e1 57 66 eb ae fd bf b7 8e 96 bc 52 6b 5a 86 e5 6c 57 a3 30 46 58 8e 19 00 00 00 96 9a 1c e3 36 97 3a 9b 52 2d 5a 9d ac 6a 10 46 58 8e 07 10 96 67 5e b5 44 44 e3 93 55 ae 01 89 cc 05 75 ae 98 9e 4b fd 0e fd 7f 2d 20 2c 1b ef d5 79 6b 63 8e ca b6 aa 4a f9 a7 fb 5e ea d3 cf 19 f6 6a f4 bb 96 8f 66 5d 54 31 59 77 ed fd 2f cd 4a ab b0 ac ce 53 36 37 b7 09 63 84 65 00 00 00 f4 8a 3e 2a a7 16 93 bb 55 18 61 19 84 e5 81 b6 b9 d4 ae 8b bc 37 03 71 53 9b 53 17 86 63 a1 ae 55 8f 51 8f 95 60 87 98 9e 6b e4 e9 62 83 5e 3f 08 cb 03 eb 1f ef 7b 51 8e 65 5f ee 31 2a 9f 38 7f 45 f7 c5 7d 7d 71 3c fb 52 d4 f7 69 c4 b4 25 11 d7 1e c8 bc 92 16 61 79 29 e7 29 33 c2 Data Ascii: Q0s)2(JPKXz3=kWfRkZlW0FX6:R-ZjFXg^DDUuK- ,ykcJ^jf]T1Yw/JS67ce>Ua7qSScUQ`kb^?{Qe_18E}}q<Ri%ay))3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49719	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:32 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-31 22:49:32 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF70) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-neu-z1 Cache-Control: public, max-age=237368 Date: Sat, 31 Aug 2024 22:49:32 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49720	34.233.140.183	443	2748	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:32 UTC	388	OUT	GET /media/user/suspended_account/_bh/beback-soon.png HTTP/1.1 Host: bluehost-cdn.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:32 UTC	384	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 31 Aug 2024 22:49:32 GMT Content-Type: image/png Content-Length: 43201 Connection: close Last-Modified: Tue, 30 Mar 2021 21:51:54 GMT ETag: "a8c1-5bec801b2a2c2" Vary: Accept-Encoding Access-Control-Allow-Origin: * Expires: Sat, 07 Sep 2024 22:49:32 GMT Cache-Control: max-age=604800 X-Proxy-Cache: HIT Accept-Ranges: bytes
2024-08-31 22:49:32 UTC	16000	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 96 00 00 03 d6 08 06 00 00 00 73 e6 cd 51 00 00 a8 88 49 44 41 54 78 01 ec d8 51 01 80 20 10 05 b0 b3 8c cd 0c 6b 0f 7a 1c 50 80 00 8f 7d ac c4 ea fb c7 0b 00 27 00 00 00 00 d5 fd 2c b5 89 65 00 00 00 00 00 c4 32 00 00 00 00 00 62 19 00 00 00 00 00 b1 0c 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 20 96 01 00 00 00 00 10 cb 00 00 00 00 00 88 65 00 00 00 00 00 c4 32 00 00 00 00 00 88 65 00 00 00 00 00 c4 32 00 00 00 00 00 62 19 00 00 00 00 00 b1 0c 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 80 58 06 00 00 00 00 40 2c 03 00 00 00 00 20 96 01 00 00 00 00 10 cb 00 00 00 00 00 88 e5 54 00 00 00 00 00 88 65 00 00 00 00 00 c4 32 00 00 00 00 00 Data Ascii: PNGIHDRsQIDATxQ kzP}',e2bX@,X@, e2e2bX@,X@, Te2
2024-08-31 22:49:32 UTC	16384	IN	Data Raw: 1e 97 f9 0b 2e c6 46 de a7 7d e1 df 71 dd 47 58 06 00 00 00 90 45 f3 6c 8e b7 cc 14 96 97 37 3a 32 fe 1c 13 de 5b 9b f1 5d cb af ed 3c 91 f4 d7 eb 8b c4 85 11 96 73 b1 a3 6e 7f 4e a3 f2 2d 15 75 b2 cf d1 2f a5 bc c6 fe 50 ce 7f ae e9 bb 97 e7 d9 1c 39 8d cb f7 ef 69 10 7f 2c 2e c3 8f 31 e6 8e c4 5f e7 ba 8f b0 0c 00 00 00 20 8b 66 d5 da 6f 2e a6 3b 96 07 fd cf 83 af 66 14 96 ef fe 60 5d f2 e7 3b d7 bb e5 ad fa 1e 64 d9 9d bb 9b f3 12 96 c7 94 d5 9b f2 fb 7f e1 a4 43 ae dd d1 28 57 ef 68 c8 89 bb f6 b7 c9 cc 5a 57 de bf 2f 67 38 6e b2 3b c2 bd 79 fb f9 b6 a1 b5 47 6e ad a8 cb 59 5c d6 77 46 47 8c 84 0c 1d 63 2c 6c a8 5d 5c f7 11 96 01 00 00 00 64 d9 d2 06 c7 a1 62 b9 5b 79 d0 82 ea 76 f9 8f b1 8f a7 1d 96 2f 7a ec cd a4 bf d6 6d fb da e4 9a ca 56 64 d9 d5 Data Ascii: .F}qGXEl7:2[]<snN-u/P9i,.1_ fo.;f`];dC(WhZW/g8n;yGnY\wFGc,l]\db[yv/zmVd
2024-08-31 22:49:32 UTC	10817	IN	Data Raw: 51 19 9d e7 30 df d4 e6 73 f5 29 32 af 28 aa 4a 91 50 4b 58 e6 cb fb 7a 17 96 7f 33 f2 3d f5 b8 01 bb 6b f9 e1 57 66 eb ae fd bf b7 8e 96 bc 52 6b 5a 86 e5 6c 57 a3 30 46 58 8e 19 00 00 00 96 9a 1c e3 36 97 3a 9b 52 2d 5a 9d ac 6a 10 46 58 8e 07 10 96 67 5e b5 44 44 e3 93 55 ae 01 89 cc 05 75 ae 98 9e 4b fd 0e fd 7f 2d 20 2c 1b ef d5 79 6b 63 8e ca b6 aa 4a f9 a7 fb 5e ea d3 cf 19 f6 6a f4 bb 96 8f 66 5d 54 31 59 77 ed fd 2f cd 4a ab b0 ac ce 53 36 37 b7 09 63 84 65 00 00 00 f4 8a 3e 2a a7 16 93 bb 55 18 61 19 84 e5 81 b6 b9 d4 ae 8b bc 37 03 71 53 9b 53 17 86 63 a1 ae 55 8f 51 8f 95 60 87 98 9e 6b e4 e9 62 83 5e 3f 08 cb 03 eb 1f ef 7b 51 8e 65 5f ee 31 2a 9f 38 7f 45 f7 c5 7d 7d 71 3c fb 52 d4 f7 69 c4 b4 25 11 d7 1e c8 bc 92 16 61 79 29 e7 29 33 c2 72 Data Ascii: Q0s)2(JPKXz3=kWfRkZlW0FX6:R-ZjFXg^DDUuK- ,ykcJ^jf]T1Yw/JS67ce>Ua7qSScUQ`kb^?{Qe_18E}}q<Ri%ay))3r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49722	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:33 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-31 22:49:33 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=237367 Date: Sat, 31 Aug 2024 22:49:33 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-31 22:49:33 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49723	50.87.169.246	443	2748	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:34 UTC	370	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: phy.lew.mybluehost.me Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-08-31 22:49:34 UTC	220	IN	HTTP/1.1 200 OK Date: Sat, 31 Aug 2024 22:49:34 GMT Server: nginx/1.21.6 Content-Type: text/html Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Server-Cache: false Transfer-Encoding: chunked
2024-08-31 22:49:34 UTC	958	IN	Data Raw: 33 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 62 6c 75 65 68 6f 73 74 2d 63 64 6e 2e 63 6f 6d 2f 6d 65 64 69 61 2f 75 73 65 72 2f 73 75 73 70 65 6e 64 65 64 5f 61 63 63 6f 75 6e 74 2f 5f 62 68 2f 73 75 73 70 65 6e 64 Data Ascii: 3b2<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link rel="stylesheet" href="//bluehost-cdn.com/media/user/suspended_account/_bh/suspend

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:49:37 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dug8gMEef62hXN7&MD=awSTdppy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-31 22:49:37 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 6dae3d07-e037-4b52-b738-4f4b80b87f2e MS-RequestId: e67c1cdb-31f2-4c5f-8000-aaac8470aa9b MS-CV: 0kbcFpRJlEmtnEbN.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 31 Aug 2024 22:49:37 GMT Connection: close Content-Length: 24490
2024-08-31 22:49:37 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-31 22:49:37 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49731	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-08-31 22:50:15 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dug8gMEef62hXN7&MD=awSTdppy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-31 22:50:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: b8171178-cada-4b38-94ba-502697fc19de MS-RequestId: 6adddc51-288f-4a49-84f1-2a8627e49816 MS-CV: acGYHsm+BkyFYR+d.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 31 Aug 2024 22:50:14 GMT Connection: close Content-Length: 30005
2024-08-31 22:50:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-31 22:50:15 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 3380, Parent PID: 5464

General

Target ID:	0
Start time:	18:49:17
Start date:	31/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 2748, Parent PID: 3380

General

Target ID:	1
Start time:	18:49:21
Start date:	31/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 --field-trial-handle=2280,i,18288379450182580564,15341699228832172337,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 1412, Parent PID: 5464

General

Target ID:	3
Start time:	18:49:26
Start date:	31/08/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Chrome Cache Entry: 66

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Windows Analysis Report
https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/