Edit tour

Windows Analysis Report
K63NjiQEa5.html

Overview

General Information

Sample name:	K63NjiQEa5.html renamed because original name is a hash value
Original sample name:	f96837c4aa577dd5adaacbf95c35d5e346b491a03379fdce290beea59fb2ab0d.html
Analysis ID:	1577276
MD5:	5d4ed32561889c468b5f771a26ecfeba
SHA1:	d930eff7be7968977c9e16209eb125d17dd7d72b
SHA256:	f96837c4aa577dd5adaacbf95c35d5e346b491a03379fdce290beea59fb2ab0d
Tags:	92-255-57-155htmluser-JAMESWT_MHT
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious Javascript

Detected javascript redirector / loader

HTML Script injector detected

HTML page contains string obfuscation

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

chrome.exe (PID: 480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\K63NjiQEa5.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,652140676510124543,7511898349956267164,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: K63NjiQEa5.html	ReversingLabs: Detection: 29%
Source: K63NjiQEa5.html	Virustotal: Detection: 19%			Perma Link

Phishing

AI detected suspicious Javascript

Source: 0.1.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirection to suspicious domains. The heavy obfuscation and use of encoded strings further increase the risk. While the script may have some legitimate functionality, the overall behavior is highly suspicious and indicative of malicious intent.
Source: 0.2.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. The use of `eval()` to execute remote code, combined with the heavily obfuscated string manipulation, suggests this script is likely malicious in nature and poses a significant security risk.
Source: 0.8.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script exhibits several high-risk indicators, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The extensive use of string manipulation and the lack of any clear legitimate purpose suggest this is a highly suspicious and potentially malicious script.
Source: 0.12.i.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script demonstrates high-risk behavior by using the `eval()` function to execute dynamic and potentially malicious code. The obfuscated code also suggests an attempt to hide the true intent of the script. These factors indicate a high likelihood of malicious activity, such as data exfiltration or system compromise.
Source: 0.5.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. It manipulates the DOM aggressively, disables critical browser functions, and appears to be designed for malicious purposes. The combination of these factors indicates a high-risk script that should be thoroughly investigated and blocked from execution.
Source: 0.3.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script demonstrates high-risk behavior by using the `eval()` function to execute dynamic and potentially malicious code. The obfuscated code also suggests an attempt to hide the true intent of the script. These factors indicate a high likelihood of malicious activity, such as data exfiltration or system compromise.
Source: 0.11.i.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The combination of these factors indicates a highly suspicious and potentially malicious script that should be treated with caution.
Source: 0.4.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/Desktop/K63NjiQEa5.html... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to a suspicious domain. The use of `document.write()` to inject HTML content, along with the presence of obfuscated code, further increases the risk. While the script appears to be promoting a product called 'HTML Guardian', the overall behavior is highly suspicious and indicative of potential malicious intent.

Detected javascript redirector / loader

Source: K63NjiQEa5.html

HTTP Parser: Low number of body elements: 0

HTML Script injector detected

Source: file:///C:/Users/user/Desktop/K63NjiQEa5.html	HTTP Parser: New script tag found
Source: file:///C:/Users/user/Desktop/K63NjiQEa5.html	HTTP Parser: New script tag found

Source: file:///C:/Users/user/Desktop/K63NjiQEa5.html

HTTP Parser: Found new string: script /*................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................*/var ppconf=0;var qy7='';qy8=String.fromCharCode(13,10,13,10);for(i=0;i<472;i...

Source: file:///C:/Users/user/Desktop/K63NjiQEa5.html	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/K63NjiQEa5.html	HTTP Parser: No favicon
Source: https://www.protware.com/	HTTP Parser: No favicon
Source: https://www.protware.com/	HTTP Parser: No favicon

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.protware.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mm.js HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.protware.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /menu.htm HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: frameReferer: https://www.protware.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /blank.htm HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: frameReferer: https://www.protware.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /home.htm HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: frameReferer: https://www.protware.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /mm.js HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /styleIE.css HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.protware.com/blank.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /style_M.css HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.protware.com/menu.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /frm.js HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.protware.com/blank.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /tpmnu.js HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.protware.com/menu.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /stat.js HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.protware.com/home.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scroll.js HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.protware.com/home.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /frm.js HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /tpmnu.js HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scroll.js HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /new3.jpg HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.protware.com/home.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /prev.gif HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.protware.com/home.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /next.gif HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.protware.com/home.htmAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /encrypt_html.ico HTTP/1.1Host: www.protware.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.protware.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /new3.jpg HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /prev.gif HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /next.gif HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /encrypt_html.ico HTTP/1.1Host: www.protware.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.protware.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.protware.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 01 Feb 2023 19:18:58 GMTetag: "999-63dabb22-abaa6af0da50d292;;;"accept-ranges: bytescontent-length: 2457date: Wed, 18 Dec 2024 09:58:31 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Source: chromecache_82.2.dr, chromecache_91.2.dr	String found in binary or memory: http://www.encrypt-html.com
Source: chromecache_91.2.dr	String found in binary or memory: http://www.encrypt-html.com/_disable_view_source.htm
Source: chromecache_91.2.dr	String found in binary or memory: http://www.encrypt-html.com/hide_html_source.htm
Source: K63NjiQEa5.html	String found in binary or memory: http://www.protware.com
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/betatest.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/buy.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/download.htm
Source: chromecache_90.2.dr, chromecache_91.2.dr	String found in binary or memory: http://www.protware.com/encrypt_asp.htm
Source: chromecache_91.2.dr	String found in binary or memory: http://www.protware.com/encrypt_html.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/encrypt_html.htm#t00
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/encrypt_javascript.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/faq.htm
Source: chromecache_82.2.dr	String found in binary or memory: http://www.protware.com/faq1.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/features.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/history.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/html_password_protect.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/image_protection.htm
Source: chromecache_90.2.dr	String found in binary or memory: http://www.protware.com/support.htm
Source: chromecache_82.2.dr	String found in binary or memory: http://www.protware.com/tech/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: classification engine

Classification label: mal60.phis.winHTML@25/36@8/6

Source: K63NjiQEa5.html	ReversingLabs: Detection: 29%
Source: K63NjiQEa5.html	Virustotal: Detection: 19%

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\K63NjiQEa5.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,652140676510124543,7511898349956267164,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,652140676510124543,7511898349956267164,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
K63NjiQEa5.html	29%	ReversingLabs	Script-JS.Trojan.Cryxos
K63NjiQEa5.html	20%	Virustotal		Browse

Source	Detection	Scanner	Label
https://www.protware.com/home.htm	0%	Avira URL Cloud	safe
https://www.protware.com/menu.htm	0%	Avira URL Cloud	safe
file:///C:/Users/user/Desktop/K63NjiQEa5.html	0%	Avira URL Cloud	safe
https://www.protware.com/styleIE.css	0%	Avira URL Cloud	safe
http://www.protware.com/betatest.htm	0%	Avira URL Cloud	safe
http://www.protware.com/encrypt_html.htm	0%	Avira URL Cloud	safe
https://www.protware.com/mm.js	0%	Avira URL Cloud	safe
http://www.protware.com/html_password_protect.htm	0%	Avira URL Cloud	safe
http://www.encrypt-html.com/_disable_view_source.htm	0%	Avira URL Cloud	safe
https://www.protware.com/next.gif	0%	Avira URL Cloud	safe
http://www.encrypt-html.com/hide_html_source.htm	0%	Avira URL Cloud	safe
http://www.protware.com/faq1.htm	0%	Avira URL Cloud	safe
http://www.encrypt-html.com	0%	Avira URL Cloud	safe
https://www.protware.com/style_M.css	0%	Avira URL Cloud	safe
https://www.protware.com/scroll.js	0%	Avira URL Cloud	safe
http://www.protware.com/download.htm	0%	Avira URL Cloud	safe
https://www.protware.com/new3.jpg	0%	Avira URL Cloud	safe
http://www.protware.com/encrypt_html.htm#t00	0%	Avira URL Cloud	safe
http://www.protware.com/buy.htm	0%	Avira URL Cloud	safe
http://www.protware.com/history.htm	0%	Avira URL Cloud	safe
http://www.protware.com/	0%	Avira URL Cloud	safe
https://www.protware.com/blank.htm	0%	Avira URL Cloud	safe
https://www.protware.com/prev.gif	0%	Avira URL Cloud	safe
http://www.protware.com/features.htm	0%	Avira URL Cloud	safe
http://www.protware.com/faq.htm	0%	Avira URL Cloud	safe
https://www.protware.com/tpmnu.js	0%	Avira URL Cloud	safe
http://www.protware.com/encrypt_javascript.htm	0%	Avira URL Cloud	safe
https://www.protware.com/frm.js	0%	Avira URL Cloud	safe
http://www.protware.com/tech/	0%	Avira URL Cloud	safe
http://www.protware.com/image_protection.htm	0%	Avira URL Cloud	safe
http://www.protware.com/encrypt_asp.htm	0%	Avira URL Cloud	safe
http://www.protware.com/support.htm	0%	Avira URL Cloud	safe
https://www.protware.com/encrypt_html.ico	0%	Avira URL Cloud	safe
https://www.protware.com/stat.js	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
protware.com	89.117.9.125	true	false	unknown
www.google.com	142.250.181.132	true	false	high
www.protware.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/K63NjiQEa5.html	true	Avira URL Cloud: safe	unknown
https://www.protware.com/menu.htm	false	Avira URL Cloud: safe	unknown
https://www.protware.com/styleIE.css	false	Avira URL Cloud: safe	unknown
https://www.protware.com/mm.js	false	Avira URL Cloud: safe	unknown
https://www.protware.com/home.htm	false	Avira URL Cloud: safe	unknown
https://www.protware.com/next.gif	false	Avira URL Cloud: safe	unknown
https://www.protware.com/style_M.css	false	Avira URL Cloud: safe	unknown
https://www.protware.com/new3.jpg	false	Avira URL Cloud: safe	unknown
https://www.protware.com/scroll.js	false	Avira URL Cloud: safe	unknown
http://www.protware.com/	false	Avira URL Cloud: safe	unknown
https://www.protware.com/	false		unknown
https://www.protware.com/blank.htm	false	Avira URL Cloud: safe	unknown
https://www.protware.com/prev.gif	false	Avira URL Cloud: safe	unknown
https://www.protware.com/tpmnu.js	false	Avira URL Cloud: safe	unknown
https://www.protware.com/frm.js	false	Avira URL Cloud: safe	unknown
https://www.protware.com/stat.js	false	Avira URL Cloud: safe	unknown
https://www.protware.com/encrypt_html.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.protware.com/encrypt_html.htm	chromecache_91.2.dr	false	Avira URL Cloud: safe	unknown
http://www.encrypt-html.com/_disable_view_source.htm	chromecache_91.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/betatest.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/html_password_protect.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.encrypt-html.com	chromecache_82.2.dr, chromecache_91.2.dr	false	Avira URL Cloud: safe	unknown
http://www.encrypt-html.com/hide_html_source.htm	chromecache_91.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/faq1.htm	chromecache_82.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/encrypt_html.htm#t00	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com	K63NjiQEa5.html	false		high
http://www.protware.com/download.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/history.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/buy.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/encrypt_asp.htm	chromecache_90.2.dr, chromecache_91.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/features.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/faq.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/encrypt_javascript.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/tech/	chromecache_82.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/image_protection.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown
http://www.protware.com/support.htm	chromecache_90.2.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
89.117.9.125	protware.com	Lithuania	15419	LRTC-ASLT	false
142.250.181.132	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.16
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577276
Start date and time:	2024-12-18 10:57:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	K63NjiQEa5.html renamed because original name is a hash value
Original Sample Name:	f96837c4aa577dd5adaacbf95c35d5e346b491a03379fdce290beea59fb2ab0d.html
Detection:	MAL
Classification:	mal60.phis.winHTML@25/36@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .html

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.99, 172.217.17.78, 64.233.162.84, 142.250.181.142, 142.250.181.106, 142.250.181.42, 142.250.181.74, 142.250.181.138, 172.217.19.234, 172.217.19.170, 172.217.17.74, 142.250.181.10, 172.217.21.42, 172.217.19.10, 172.217.19.202, 172.217.17.42, 217.20.58.101, 172.217.17.46, 192.229.221.95, 172.217.17.35, 172.217.19.206, 23.218.208.109, 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information

Input	Output
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and redirection to suspicious domains. The heavy obfuscation and use of encoded strings further increase the risk. While the script may have some legitimate functionality, the overall behavior is highly suspicious and indicative of malicious intent." }
fQds8Jy=new Array();fQds8Jy[0]='%69%33%70\111\144N\107%55\125%72%32%6D';q9HQ2p7=new Array();q9HQ2p7[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd">\r\n<~W x~~/="~=~?~A~C~E~G~I/19~{~V~l~f~h~jead><script>ev~6(une}ape(\'\\166}41r%20%71y%37}+D}$}-2}-3B}61}}(}+8}.S}64}\nng}$Ef}\'2om%43}50} 1}G}K3%6Fd}V5}$}<3}R3}U2C}+}_}&29}+B}V}157}#28i}.}+}&}4}N}_}c32}u}d}+}[}4}s2}j\|}$}h7Bq}9}_}1}j3}/}(}3}<7}/}w14}l65nc}\'4}x}N}-6E}$0q\|6}\\\|}\'}5}m1}F}q}$}R64o} 3um} 5}N\|4}D} \|@}W\|8}65me\|>\|}}m\|7\|\| \|}[2\|\|S\|3d\|N}L}\'\|=}m5en}?}D}V}8}m\|C}c}g\|-d\|"cu}N\|]\|>\|`2E}6}o}V9te}\\}6\|c}:},\|,\|}\'\|\| \|)\|+\|g\|\|\|Z\|J6}M}\|C9\|"\|J}%\|z\|}+}h\|2\|g\|}9}\|6}h3{}/2}\|~}6}a}\|\|{ p\|bn\|&{#\|}\'{\|d\|<}t}2dis}60l\|b\|A}V\|%\|D}m6\|x}2}+\|%~}\'0r\|x3\|%{ }$\|.}7{\|}{&{!\|fF{G}S\|{D}+{U{,{M{S{7a{={Z{M}4}\'{<{}+{!D{{Y7}10A}62{ra{{7af}?\|<{r\|.45}C{{{C}b}0} {5{z}m7{r}ZEn}Yz\|fz\|\|c\|}?\|I}}\|{{=\|B}0}$zz\|x}\|N6{s\|Q}j\|g}xz}1{Bz}x}+}U\|}}\'{oAr}#{P1}:{w}N}&7\|P5}[6zz z}m0z}!}V\|@zzz&\|"zN{.z{B}F{?z&\|y}mz4\|}vBk{[}.z\|uz3\|A\|d}Z{=z+{z@}izb{&\|\|z0zf3\|@\|zNo}V{\|}J\|\|>t}Dz\|[\|5}K\|[54z#D\|^\|`7}U4}\|79T\|bgN\|b\|Hz\\7{{}U5za%5{z/f~H}\\j}t3z`}N{T}.{z2zvzhy{\|{@zl\|5zn}4y(zq\|~zX{z}\\}szxy}izu}z\|z4z){\|zr\|-i\|18y/\|/}+\|@y}V{<y"y<z1yRy1yy(yX\|q\|!{@szjy\|`}!}Y6A{a{\nz5\|?}K8T\|L\|[\|\|+7AyA}\|yz2y_CyQ5}_{\|\|x{zcx}4\'))</}}\n}}x}}\r\|W\|k\|Hnt~D}\n\|w("<table wi~ch=\'10}&\' b~Hderx0\'}~[x9dx0gcol~Hx#x-}x-x/~6ign = \'c\|^\|wrx8<y%x styx#xM\'xWt-family: Vx4d~.a, z9i~6xpHelve~2cxoxY~.s-sx4yN; x`wizexi12pxwx?xArxi#Fwwwbackgro}d-w~HwxE6xG>Thx$sw!rxQ x?x3 of th{5 pagx$w<pw \|wc\|wx<by <b}x`xYx[x]xw%w wFCCw~#~% Guar{4~.xx`}/wMwKbrw+w- ul~2ma\|ww9ox@wvw=wDewF yw0 w\\~&w4expiwsw@sxpJa} }px#';keBDv03YOMz='fu';fR52Gr0='g1oQb4HHPB4';ht3mg='stdKcOxItNGwEHbM';keBDv03YOMz+= 'nction ulFXb414'+'j5QbCUN(nNzZuWf'+'filLuS2z30){';uk2S20t='xIWklRlI7rd';xmKq7t1r5='i\146%28z\114%50%2Ein%64ex\117f%28%27%5C%35%35%27%29%3E%30%29%7Bq%39\110Q%32p%37%5B%30%5D%3D%27\170%27%7D%3B\166a%72%20%6C%32%3D\167%69\156%64%6F%77%2Eo%70e%72%61%3F%31%3A%30%3Bfun%63t\151o%6E%20\141\146%65%36c%28%29%7B%69\146%28c%36e\146a%29%7Bdo%63%75%6Dent%2E%77r%69t\145%28\154O%29%7D%7D%3B%66unc\164\151\157n%20\154%33%28l%34%29%7B%6C%35%3D%2Fz\143%2F\147%3B\154%36%3DS\164%72i\156g%2Ef%72\157\155C%68arCo\144\145%28%30%29%3Bl%34%3Dl%34%2Er%65p\154\141c\145%28\154%35%2C%6C%36%29%3B%76a\162%20%6C%37%3D\156e\167%20%41r%72%61%79%28%29%2C%6C%38%3D%5F%31%3D\154%34%2El\145\156%67th%2Cl%39%2C%6C\111%2C\151l%3D%31%36%32%35%36%2C%5F%31%3D%30%2CI%3D%30%2C\154i%3D%27%27%3B\144\157%7Bl%39%3Dl%34%2E%63\150\141rC%6Fd%65%41\164%28%5F%31%29%3B%6CI%3D%6C%34%2E';function j5QbCUNulFXb414(yc5Mng8TaYM){ht3mg+=yc5Mng8TaYM};eval(unescape('%66un\143%74io\156%20%62%35o%34v%56\166%68I%6D%20%20%20%20%28%6D\114%74v\150%64%51%37%37\162\142%30%29%7Bfo%35%33GQ%31%36%3D\155%4C%74%76\150d\121%37%37rb%30%7D%3B'));q9HQ2p7[0]+= 'tv\n v}x}vlinkvkeepx%ebw3~4\|wxXfxfxSsvwawJ~.x<much m~He.v=wK/wfwLwl<awPx\\x$x\|wxxax3x?~-~2~4xin~4ewx@w&wVwwYxG~ {Ifx~r~@/~Bw.wCotv0{I.x?mx/x ~Ixzx_x"~.kx8wjwNv(vFwRx_v(xbxdxfxhxjxlxnxpxrxtvxwxyx{x}sxwwfww~0w\nwwwv\'wwvZwZ0wwww w"w$vWwUxD0xFx7>vd.PwDWwav<vmwev(wgwMxawg~du<vC/x x"e>");dl=x\|:xR.lv1x4s;oe=x&zoveo}~-?1:u xm=(uKxxuexRMox3\|\|uhx.~6l)&&!uT;w@uJoxuMw@tEx#ufById;wsuVv\|Wve~0x3wr?~[uwxclw;tN=~5vxJwt~H.uwrAw@uptoLuYx4Caw(uFw tt.texOf}}
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. The use of `eval()` to execute remote code, combined with the heavily obfuscated string manipulation, suggests this script is likely malicious in nature and poses a significant security risk." }
ot8U4xyWr2TR31 ='WZrrOabuGcuiOZeLclwOfOOTqOiiOgdHBriErdnIwgqZnELIl';ulFXb414j5QbCUN (xmKq7t1r5);j5QbCUNulFXb414 (lFPYnPID8f7E);upD2S6n3IrH7w='jy3Jagve6GwM8I0TIh9iwb28';eval(unescape('%71%79%36%28%27%39%62%35%63%36%65%27%29%3B'));yKewyw+= 'ROrGOsIlZltdmRoZkNrJNJJPOVyffbLfHMjNOcOOIpRfBOOiOuLxOZUOEMhtttINQBRVFKYOQlTydsqGaYTcOOOEQDdjinbOiQmGOWiqn';
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 10, "reasoning": "This script exhibits several high-risk indicators, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The extensive use of string manipulation and the lack of any clear legitimate purpose suggest this is a highly suspicious and potentially malicious script." }
/* /P373184153331444373184153331444373184153331444373184153331444373184153331444373184153331444373184153331444373184153331444='959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725959255497781725'/ */
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 10, "reasoning": "This script demonstrates high-risk behavior by using the `eval()` function to execute dynamic and potentially malicious code. The obfuscated code also suggests an attempt to hide the true intent of the script. These factors indicate a high likelihood of malicious activity, such as data exfiltration or system compromise." }
/* /eval(unescape('\166\141r%20%71y%37%3D%27%27%3B\161\171%38%3DS\164ring%2Ef%72om%43\150\141%72%43%6Fd%65%28%31%33%2C%31%30%29%3B%66\157r%28i%3D%30%3B\151%3C%32%30%31%35%3Bi%2B%2B%29%7Bq\171%37%2B%3D%71y%38%7D%3B\146\165nc%74\151\157%6E%20qy%36%28%29%7B\151f%28%21%64o\143um\145\156\164%2E\144%6F\143\165me\156%74\115o\144\145%26%26%21do\143%75\155en\164%2E%61\154%6C%29%7Bd\157cu\155e\156\164%2E\167r%69te%28\161\171%37%29%7D%7D%3Bqy%36%28%29%3B\146%75\156%63\164%69\157\156%20\161\171%39%28%29%7B\172%69%39%3D%22%3C\163%22%2B%22p%61n%20\163%74%79\154\145%3D%27dis\160l%61y%3A%6E%6F\156e%27%3E%3C%70re%3E%22%2B\161\171%37%2B%22%3C%2F%70%72%65%3E%3C%2F\163%22%2B%22\160a%6E%3E%22%3B%7A%69%32%3Dn%65%77%20A\162\162a\171%28%27af\164\145\162B\145g%69n%27%2C%27\142%65f\157\162%65End%27%2C%27\141\146\164e\162%45%6E\144%27%2C%27\142e%66o\162\145B%65g\151n%27%29%3Bz\151%33%3Dne%77%20Arr%61\171%28%27\150%74\155%6C%27%2C%27\150e\141%64%27%2C%27%62\157%64%79%27%29%3Bf%6F\162%28\153%3D%30%3Bk%3C%3Dz%69%33%2E\154%65%6Eg\164\150%3Bk%2B%2B%29%7Bz%69%34%3D%64o%63\165m%65\156t%2Eg%65\164%45\154e%6Den\164%73%42%79T%61gN%61me%28\172%69%33%5Bk%5D%29%3Bfor%28j%3D%30%3B\152%3C%3D\172\151%34%2E\154\145\156g\164\150%3Bj%2B%2B%29%7Bf\157\162%28i%3D%30%3B%69%3C%3D%33%3B%69%2B%2B%29%7Bif%28\172\151%34%5B%6A%5D%29%7Bz\151%34%5Bj%5D%2E\151\156s%65%72\164%41d%6Aa%63e\156\164%48T\115\114%28%7Ai%32%5B\151%5D%2C\172\151%39%29%7D%7D%7D%7D%7D%3B'))/ */
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code. It manipulates the DOM aggressively, disables critical browser functions, and appears to be designed for malicious purposes. The combination of these factors indicates a high-risk script that should be thoroughly investigated and blocked from execution." }
var ppconf=0;var qy7='';qy8=String.fromCharCode(13,10,13,10);for(i=0;i<472;i++){qy7+=qy8};lIII="<"+"!--"+qy7+"--"+">";l111="/"+""+qy7+""+"/";lI1I="<scr"+"ipt>"+I1ll(1)+I1ll(2)+"='"+I1ll(3)+"'</scri"+"pt>";III1="<s"+"pan style='display:none'><pre>"+qy7+"</pre></s"+"pan>";llll=III1+lIII+III1;Il11="<"+"span>";I1l1="</"+"span>";Ill1="<"+"span style='visibility:hidden'>qweasdzxc"+I1l1;function l11I(){l1II=new Array('beforeBegin','afterBegin','beforeEnd','afterEnd');Il1I=new Array('html','head','body','a','img','div','form','table','script','input','p');l1I1=lI11();switch(l1I1){case 1:l1Il=new Array(79,79,79,73,73,73,73,73,73,73,73);break;case 2:l1Il=new Array(38,47,47,15,41,15,9,9,22,15,15);break;case 3:l1Il=new Array(0,38,38,15,9,15,9,9,22,15,15);break;case 4:l1Il=new Array(38,47,47,15,41,15,9,9,22,15,15);break;default:l1Il=new Array(0,0,0,0,0,0,0,0,0,0,0)};IIII=new Array(lIII,l111,lI1I,III1,llll,Il11,I1l1,Ill1);Illl(document.getElementsByTagName(Il1I[2])[0],2,IIII[7]);for(t=0;t<Il1I.length;t++){m=l1Il[t];I1lI=document.getElementsByTagName(Il1I[t]);ctaL=I1lI.length;for(j=0;j<ctaL;j++){for(x=0;x<4;x++){if(m&Math.pow(2,x)){Illl(I1lI[j],x,IIII[m>>>4])}}}};IllI();lllI();I111();lIIl();setTimeout('lll1()',1000)};function IllI(){var Il1l=document.images,l11l=document.links,il=Il1l.length,ll=l11l.length,I11I;while(il){I11l=document.createElement('span');I11I=Il1l[--il];if(!(ppconf&2)){try{I11l.appendChild(I11I.parentNode.replaceChild(I11l,I11I))}catch(e){}}};while(ll){I11l=document.createElement('span');I11I=l11l[--ll];if(!(ppconf&1)){try{I11l.appendChild(I11I.parentNode.replaceChild(I11l,I11I))}catch(e){}}}};function lllI(){window.open=null;document.open=null;document.write=null;window.alert=null;};function I111(){var extraFunc1Cntnt=0};function lIIl(){var extraFunc2Cntnt=0};function Illl(e,p,c){try{if(!window.sidebar){e.insertAdjacentHTML(l1II[p],c)}else {rcf=document.createRange().createContextualFragment(c);if(p==0){e.parentNode.insertBefore(rcf,e)};if(p==1){e.insertBefore(rcf,e.firstChild)};if(p==2){e.appendChild(rcf)};if(p==3){e.parentNode.insertBefore(rcf,e.nextSibling)}}}catch(xuu){}};function I1ll(j){r=Math.random();d=new Date().getTime();if(j==1){o=String.fromCharCode(Math.floor(r25+65))}else {o=Math.floor(rd*1000)+'';o+=o;o+=o;o+=o};if(j==3){o+=o;o+=o};return o};if(typeof window.addEventListener!='undefined'){window.addEventListener('load',l11I,false)}else if(typeof document.addEventListener!='undefined'){document.addEventListener('load',l11I,false)}else if(typeof window.attachEvent!='undefined'){window.attachEvent('onload',l11I)};function lI11(){l1I1=0;u=navigator.userAgent.toLowerCase();if(window.sidebar){l1I1=2};if(window.chrome){l1I1=3};if(window.opera){l1I1=4};if(document.all&&l1I1!==4){l1I1=1};if(u.indexOf('safari')>1){l1I1=3};if((l1I1==1)&&(u.indexOf('ie 10')>1)){l1I1=10};return l1I1}
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "The script appears to be checking the user's browser environment and making decisions based on the detected browser. While some of the behaviors, such as checking for specific browser strings, are not inherently malicious, the script also includes obfuscated code and checks for the presence of certain browser features. This combination of behaviors suggests the script may have a hidden or unclear purpose, warranting further investigation." }
/* /l1l=document.documentMode\|\|document.all;var c6efa=true;ll1=document.layers;lll=window.sidebar;c6efa=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');c6efa\|=lII;zLP=location.protocol+'0FD';nc05c437642='r8d3e1h1eI01';/ */
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 10, "reasoning": "This script demonstrates high-risk behavior by using the `eval()` function to execute dynamic and potentially malicious code. The obfuscated code also suggests an attempt to hide the true intent of the script. These factors indicate a high likelihood of malicious activity, such as data exfiltration or system compromise." }
eval(unescape('\166\141r%20%71y%37%3D%27%27%3B\161\171%38%3DS\164ring%2Ef%72om%43\150\141%72%43%6Fd%65%28%31%33%2C%31%30%29%3B%66\157r%28i%3D%30%3B\151%3C%32%30%31%35%3Bi%2B%2B%29%7Bq\171%37%2B%3D%71y%38%7D%3B\146\165nc%74\151\157%6E%20qy%36%28%29%7B\151f%28%21%64o\143um\145\156\164%2E\144%6F\143\165me\156%74\115o\144\145%26%26%21do\143%75\155en\164%2E%61\154%6C%29%7Bd\157cu\155e\156\164%2E\167r%69te%28\161\171%37%29%7D%7D%3Bqy%36%28%29%3B\146%75\156%63\164%69\157\156%20\161\171%39%28%29%7B\172%69%39%3D%22%3C\163%22%2B%22p%61n%20\163%74%79\154\145%3D%27dis\160l%61y%3A%6E%6F\156e%27%3E%3C%70re%3E%22%2B\161\171%37%2B%22%3C%2F%70%72%65%3E%3C%2F\163%22%2B%22\160a%6E%3E%22%3B%7A%69%32%3Dn%65%77%20A\162\162a\171%28%27af\164\145\162B\145g%69n%27%2C%27\142%65f\157\162%65End%27%2C%27\141\146\164e\162%45%6E\144%27%2C%27\142e%66o\162\145B%65g\151n%27%29%3Bz\151%33%3Dne%77%20Arr%61\171%28%27\150%74\155%6C%27%2C%27\150e\141%64%27%2C%27%62\157%64%79%27%29%3Bf%6F\162%28\153%3D%30%3Bk%3C%3Dz%69%33%2E\154%65%6Eg\164\150%3Bk%2B%2B%29%7Bz%69%34%3D%64o%63\165m%65\156t%2Eg%65\164%45\154e%6Den\164%73%42%79T%61gN%61me%28\172%69%33%5Bk%5D%29%3Bfor%28j%3D%30%3B\152%3C%3D\172\151%34%2E\154\145\156g\164\150%3Bj%2B%2B%29%7Bf\157\162%28i%3D%30%3B%69%3C%3D%33%3B%69%2B%2B%29%7Bif%28\172\151%34%5B%6A%5D%29%7Bz\151%34%5Bj%5D%2E\151\156s%65%72\164%41d%6Aa%63e\156\164%48T\115\114%28%7Ai%32%5B\151%5D%2C\172\151%39%29%7D%7D%7D%7D%7D%3B'))
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 10, "reasoning": "This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The combination of these factors indicates a highly suspicious and potentially malicious script that should be treated with caution." }
/* /ot8U4xyWr2TR31 ='WZrrOabuGcuiOZeLclwOfOOTqOiiOgdHBriErdnIwgqZnELIl';ulFXb414j5QbCUN (xmKq7t1r5);j5QbCUNulFXb414 (lFPYnPID8f7E);upD2S6n3IrH7w='jy3Jagve6GwM8I0TIh9iwb28';eval(unescape('%71%79%36%28%27%39%62%35%63%36%65%27%29%3B'));yKewyw+= 'ROrGOsIlZltdmRoZkNrJNJJPOVyffbLfHMjNOcOOIpRfBOOiOuLxOZUOEMhtttINQBRVFKYOQlTydsqGaYTcOOOEQDdjinbOiQmGOWiqn';/ */
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "The script contains several indicators of potential risk, including obfuscated code, browser detection, and the use of a seemingly random string. While the intent is not entirely clear, the combination of these factors warrants further investigation to determine if the script is engaging in any malicious activities." }
l1l=document.documentMode\|\|document.all;var c6efa=true;ll1=document.layers;lll=window.sidebar;c6efa=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');c6efa\|=lII;zLP=location.protocol+'0FD';nc05c437642='r8d3e1h1eI01';
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and redirects to a suspicious domain. The use of `document.write()` to inject HTML content, along with the presence of obfuscated code, further increases the risk. While the script appears to be promoting a product called 'HTML Guardian', the overall behavior is highly suspicious and indicative of potential malicious intent." }
document.write("<table width='100%' border='0'><tr><td bgcolor='#006600' align = 'center'><font style ='font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; color: #FFFFFF; background-color: #006600'>The source code of this page is protected by <b><font style ='color: #FFCC00'>HTML Guardian</font></b> <br>The ultimate tool to protect your HTML code, images, Java applets, Javascripts, links, keep web content filters away and much more... </font><br><a style ='text-decoration: none; color: #FFCC00' href='http://www.protware.com' target='_blank'> <b><font style ='font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; color: #FFCC00; background-color: #006600'>www.ProtWare.com</font></b></a></td></tr></table>");dl=document.layers;oe=window.opera?1:0;da=(document.documentMode\|\|document.all)&&!oe;ge=document.getElementById;ws=window.sidebar?true:false;tN=navigator.userAgent.toLowerCase();izN=tN.indexOf('netscape')>=0?true:false;zis=da;zis8=da;var msg='';function nem(){return true};window.onerror = nem;zOF=window.location.protocol.indexOf('file')!=-1?true:false;i7f=zis&&!zOF?true:false;
URL: :// Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: ://
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: file:///C:/Users/user/Desktop/K63NjiQEa5.html Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: https://www.protware.com/ Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Click here to view document", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://www.protware.com/ Model: Joe Sandbox AI	{ "brands": [ "ProtWare" ] }
	{ "brands": [ "ProtWare" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://lamperdingen.ch/reports.php	Get hash	malicious	Unknown	Browse
	https://2024sharepointonline.z28.web.core.windows.net/	Get hash	malicious	Unknown	Browse
	https://cc.naver.com/cc?a=pst.link&m=1&nsc=Mblog.post&u=https://prestamosgarantizados.com/wvr/#svk8Lh6vLh6njx3lLh6vg4Pnq07qug4Plvk8Lh6rjx3z9BR15WPy	Get hash	malicious	HTMLPhisher	Browse
	http://efaktura.dhlecommerce.pl	Get hash	malicious	Unknown	Browse
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse
	http://efaktura.dhlecommerce.pl	Get hash	malicious	Unknown	Browse
	https://syndiclair-my.sharepoint.com/:o:/g/personal/ml_syndiclair_fr/En8EbZMYpZ5CodZQ05mt4IMBGZHEHcSylnIeMh0DoULmZw?e=UkXb4Y	Get hash	malicious	Unknown	Browse
	Capcha.html	Get hash	malicious	Unknown	Browse
	https://t.ly/2PGC5	Get hash	malicious	Unknown	Browse
	https://myportalonline.org/landingPage/2/90720666bc8811efa6350242ac19000a	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LRTC-ASLT	powerpc.elf	Get hash	malicious	Unknown	Browse	86.38.75.32
	wi86CSarYC.exe	Get hash	malicious	DanaBot	Browse	89.116.191.177
	UFh7A8CImG.exe	Get hash	malicious	DanaBot	Browse	89.116.191.177
	nSORtPkIOR.msi	Get hash	malicious	DanaBot	Browse	89.116.191.177
	cloudflare.msi	Get hash	malicious	DanaBot	Browse	89.116.191.177
	zDcNyG6Csn.exe	Get hash	malicious	DanaBot	Browse	89.116.191.177
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	89.117.100.57
	ET5.exe	Get hash	malicious	Unknown	Browse	89.117.55.228
	b1.exe	Get hash	malicious	PureCrypter, MicroClip	Browse	89.117.79.31
	b1.exe	Get hash	malicious	PureCrypter, MicroClip	Browse	89.117.79.31

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	361
Entropy (8bit):	4.891394041667123
Encrypted:	false
SSDEEP:	6:yL1fkLV55HeyA9L1fkL7NXvA9L1fkLBcE5Hey1O1tubDRdALbDRd7J/Pc5x+tAVq:MfkLVfHfMfkL7RvMfkLBcE5Hf1O1+DR+
MD5:	842A7808AAF0389D68C1A021D9E07C56
SHA1:	305D0A3179C8DC2664B6121C37460970C4908140
SHA-256:	0F40314122979FC6E26EF035BFA4B9EF45F36D78DBDF81000580AD3E6D91153C
SHA-512:	CF83F1B5794095E3767A4B5234594E3046ED3A558F4847D414FF6ECE6FE8FE5547990E2B82C040313BFA724365C2231E2338FDB96C586F33DC5BAEED38CC879D
Malicious:	false
Reputation:	low
Preview:	document.body.style.scrollbarArrowColor="white";..document.body.style.scrollbarFaceColor="#009900";..document.body.style.scrollbarTrackColor="white";....function setodl(){if(document.getElementById){document.getElementById('odl').style.display='none'}};..function unsetodl(){if(document.getElementById){document.getElementById('odl').style.display='inline'}};..

File type:	data
Entropy (8bit):	6.132223366474262
TrID:	HyperText Markup Language (12001/1) 29.26% HyperText Markup Language (12001/1) 29.26% HyperText Markup Language (11001/1) 26.83% HyperText Markup Language (6006/1) 14.65%
File name:	K63NjiQEa5.html
File size:	10'720 bytes
MD5:	5d4ed32561889c468b5f771a26ecfeba
SHA1:	d930eff7be7968977c9e16209eb125d17dd7d72b
SHA256:	f96837c4aa577dd5adaacbf95c35d5e346b491a03379fdce290beea59fb2ab0d
SHA512:	1541b0c1c1319043e8b48f6c9cfd5b4599122a367d45c06eef6d218022a3d5fd8072b0b0179d81060527a6e33de66a9948a68ff11314871089fe8cd85e94aa30
SSDEEP:	192:+YfCONTw7Cu4z0GQ6pYQ4w8cwDQQG7lMicDkp2jKqhz3vhfH26tsyvx:+YaO5w7C9z60YQ4xcwDNccD8SKq7psA
TLSH:	1E226D28B59F7464C8A360F7D43ABF0BE220CDA9CFFBC148E41055862DECB994E00595
File Content Preview:	<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><META NAME='GENERATOR' Content='The source code of this page is encrypted with HTML Guardian, the world's standart for website protection. Visit http://www.protware.com for details'><met

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 10:58:12.416410923 CET	53	51690	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:12.545921087 CET	53	50225	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:15.345546961 CET	53	50432	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:15.735008001 CET	57749	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:15.735284090 CET	50980	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:15.872869015 CET	53	57749	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:15.873456955 CET	53	50980	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:22.610518932 CET	54373	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:22.610865116 CET	49766	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:23.055118084 CET	53	49766	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:23.055752993 CET	53	54373	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:24.354307890 CET	138	138	192.168.2.4	192.168.2.255
Dec 18, 2024 10:58:24.388864040 CET	61319	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:24.389857054 CET	59829	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:24.526288033 CET	53	61319	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:24.526578903 CET	53	59829	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:24.577193975 CET	53	60206	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:28.291758060 CET	59265	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:28.292084932 CET	52831	53	192.168.2.4	1.1.1.1
Dec 18, 2024 10:58:28.429434061 CET	53	52831	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:28.429730892 CET	53	59265	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:32.200108051 CET	53	55257	1.1.1.1	192.168.2.4
Dec 18, 2024 10:58:51.261765003 CET	53	55712	1.1.1.1	192.168.2.4
Dec 18, 2024 10:59:11.844656944 CET	53	51410	1.1.1.1	192.168.2.4
Dec 18, 2024 10:59:13.922677040 CET	53	51754	1.1.1.1	192.168.2.4
Dec 18, 2024 10:59:44.434680939 CET	53	54834	1.1.1.1	192.168.2.4
Dec 18, 2024 11:00:28.421494961 CET	53	50000	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 10:58:23.176678896 CET	431	OUT	GET / HTTP/1.1 Host: www.protware.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 18, 2024 10:58:24.384999990 CET	1112	IN	HTTP/1.1 301 Moved Permanently Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: text/html content-length: 795 date: Wed, 18 Dec 2024 09:58:24 GMT server: LiteSpeed location: https://www.protware.com/ platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:25 UTC	665	OUT	GET / HTTP/1.1 Host: www.protware.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:26 UTC	519	IN	HTTP/1.1 200 OK Connection: close content-type: text/html last-modified: Thu, 12 Dec 2024 17:52:05 GMT etag: "2e37-675b22c5-e136071adf047a63;;;" accept-ranges: bytes content-length: 11831 date: Wed, 18 Dec 2024 09:58:26 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:26 UTC	11831	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 45 6e 63 72 79 70 74 20 48 54 4d 4c 20 73 6f 75 72 63 65 2c 20 4a 61 76 61 73 63 72 69 70 74 2c 20 41 53 50 2e 20 50 72 6f 74 65 63 74 20 6c 69 6e 6b 73 20 26 61 6d 70 3b 20 69 6d 61 67 65 73 2e 20 48 54 4d 4c 20 65 6e 63 72 79 70 74 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0d 0a 3c 4c Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Encrypt HTML source, Javascript, ASP. Protect links & images. HTML encryption</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><L

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:27 UTC	522	OUT	GET /mm.js HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://www.protware.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:28 UTC	610	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:28 GMT content-type: application/x-javascript last-modified: Thu, 12 Dec 2024 17:52:12 GMT etag: "296-675b22cc-905d548d1719dbc0;;;" accept-ranges: bytes content-length: 662 date: Wed, 18 Dec 2024 09:58:28 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:28 UTC	662	IN	Data Raw: 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 42 72 77 73 72 20 3d 20 22 49 45 22 7d 0d 0a 69 66 28 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 29 7b 42 72 77 73 72 20 3d 20 22 4e 4e 34 22 7d 0d 0a 69 66 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 20 26 26 20 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 29 7b 42 72 77 73 72 20 3d 20 22 4e 4e 36 22 7d 0d 0a 69 66 28 6e 61 76 69 67 61 74 6f 72 2e 61 70 70 4e 61 6d 65 20 3d 3d 22 4f 70 65 72 61 22 29 7b 42 72 77 73 72 20 3d 20 22 4f 70 65 72 61 22 7d 0d 0a 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 4d 4d 5f 72 65 6c 6f 61 64 50 61 67 65 28 69 6e 69 74 29 20 7b 20 20 2f 2f 72 65 6c 6f 61 64 73 20 74 68 65 20 77 69 6e 64 6f 77 20 69 66 20 4e 61 76 34 20 72 65 73 69 7a 65 64 0d 0a 20 Data Ascii: if(document.all){Brwsr = "IE"}if(document.layers){Brwsr = "NN4"}if(document.getElementById && window.sidebar){Brwsr = "NN6"}if(navigator.appName =="Opera"){Brwsr = "Opera"}function MM_reloadPage(init) { //reloads the window if Nav4 resized

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:29 UTC	687	OUT	GET /menu.htm HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: frame Referer: https://www.protware.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:30 UTC	518	IN	HTTP/1.1 200 OK Connection: close content-type: text/html last-modified: Thu, 12 Dec 2024 17:52:12 GMT etag: "1c58-675b22cc-260b762930345c12;;;" accept-ranges: bytes content-length: 7256 date: Wed, 18 Dec 2024 09:58:29 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:30 UTC	7256	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 45 6e 63 72 79 70 74 20 48 54 4d 4c 2c 20 4a 61 76 61 73 63 72 69 70 74 2c 20 41 53 50 2e 20 50 72 6f 74 65 63 74 20 6c 69 6e 6b 73 20 26 61 6d 70 3b 20 69 6d 61 67 65 73 2e 20 48 54 4d 4c 20 45 6e 63 72 79 70 74 20 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Encrypt HTML, Javascript, ASP. Protect links & images. HTML Encrypt ion</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><meta na

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:29 UTC	688	OUT	GET /blank.htm HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: frame Referer: https://www.protware.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:30 UTC	516	IN	HTTP/1.1 200 OK Connection: close content-type: text/html last-modified: Thu, 12 Dec 2024 17:52:03 GMT etag: "1f4-675b22c3-9836bc4119ba7cf5;;;" accept-ranges: bytes content-length: 500 date: Wed, 18 Dec 2024 09:58:29 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:30 UTC	500	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 48 54 4d 4c 20 47 75 61 72 64 69 61 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 73 74 79 6c 65 49 45 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>HTML Guardian</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><link rel="stylesheet" href="styleIE.css" type="text/css"><script la

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:29 UTC	687	OUT	GET /home.htm HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: frame Referer: https://www.protware.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:30 UTC	518	IN	HTTP/1.1 200 OK Connection: close content-type: text/html last-modified: Thu, 12 Dec 2024 20:33:27 GMT etag: "21a8-675b4897-5dbf1a9523fc29a1;;;" accept-ranges: bytes content-length: 8616 date: Wed, 18 Dec 2024 09:58:29 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:30 UTC	8616	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 45 6e 63 72 79 70 74 20 20 48 54 4d 4c 2c 20 4a 61 76 61 73 63 72 69 70 74 2c 20 41 53 50 2e 20 50 72 6f 74 65 63 74 20 6c 69 6e 6b 73 20 26 61 6d 70 3b 20 69 6d 61 67 65 73 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 4d 45 54 41 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 63 72 79 70 74 2c 70 72 6f 74 65 63 74 2c 68 74 6d 6c 2c 6a 61 76 61 73 63 72 69 70 74 2c 61 73 70 2c 76 62 73 63 72 69 70 74 2c 63 6f 64 65 2c 65 6d 61 69 6c 2c 73 63 72 61 6d 62 6c 65 20 22 3e 0d Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Encrypt HTML, Javascript, ASP. Protect links & images</title><META name="keywords" content="Encrypt,protect,html,javascript,asp,vbscript,code,email,scramble ">

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:31 UTC	551	OUT	GET /styleIE.css HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://www.protware.com/blank.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:31 UTC	595	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:31 GMT content-type: text/css last-modified: Thu, 12 Dec 2024 17:52:17 GMT etag: "152f-675b22d1-3ff2d35482344fa;;;" accept-ranges: bytes content-length: 5423 date: Wed, 18 Dec 2024 09:58:31 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:31 UTC	5423	IN	Data Raw: 41 3a 6c 69 6e 6b 20 7b 43 4f 4c 4f 52 3a 20 23 30 30 30 30 30 30 3b 20 46 4f 4e 54 2d 57 45 49 47 48 54 3a 20 6e 6f 72 6d 61 6c 3b 20 54 45 58 54 2d 44 45 43 4f 52 41 54 49 4f 4e 3a 20 6e 6f 6e 65 7d 41 3a 76 69 73 69 74 65 64 20 7b 43 4f 4c 4f 52 3a 20 23 30 30 30 30 30 30 3b 20 46 4f 4e 54 2d 57 45 49 47 48 54 3a 20 6e 6f 72 6d 61 6c 3b 20 54 45 58 54 2d 44 45 43 4f 52 41 54 49 4f 4e 3a 20 6e 6f 6e 65 7d 41 3a 61 63 74 69 76 65 20 7b 42 41 43 4b 47 52 4f 55 4e 44 3a 20 23 46 46 46 46 46 46 3b 20 46 4f 4e 54 2d 57 45 49 47 48 54 3a 20 62 6f 6c 64 3b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 7d 41 3a 68 6f 76 65 72 20 7b 46 4f 4e 54 2d 57 45 49 47 48 54 3a 20 62 6f 6c 64 3b 20 54 45 58 54 2d 44 45 43 4f 52 41 54 49 4f 4e 3a 20 6e 6f 6e 65 3b 20 62 61 Data Ascii: A:link {COLOR: #000000; FONT-WEIGHT: normal; TEXT-DECORATION: none}A:visited {COLOR: #000000; FONT-WEIGHT: normal; TEXT-DECORATION: none}A:active {BACKGROUND: #FFFFFF; FONT-WEIGHT: bold; color: #000000}A:hover {FONT-WEIGHT: bold; TEXT-DECORATION: none; ba

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:31 UTC	550	OUT	GET /style_M.css HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://www.protware.com/menu.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:31 UTC	595	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:31 GMT content-type: text/css last-modified: Thu, 12 Dec 2024 17:52:16 GMT etag: "86e-675b22d0-bbc4266cd7373178;;;" accept-ranges: bytes content-length: 2158 date: Wed, 18 Dec 2024 09:58:31 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:31 UTC	773	IN	Data Raw: 64 69 76 7b 0d 0a 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 34 70 78 3b 20 74 6f 70 3a 34 70 78 3b 20 77 69 64 74 68 3a 32 30 25 3b 20 68 65 69 67 68 74 3a 38 39 70 78 3b 20 7a 2d 69 6e 64 65 78 3a 31 3b 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 0d 0a 7d 0d 0a 0d 0a 41 3a 6c 69 6e 6b 20 7b 0d 0a 09 43 4f 4c 4f 52 3a 20 23 46 46 46 46 46 46 3b 20 46 4f 4e 54 2d 57 45 49 47 48 54 3a 20 62 6f 6c 64 3b 20 54 45 58 54 2d 44 45 43 4f 52 41 54 49 4f 4e 3a 20 6e 6f 6e 65 0d 0a 7d 0d 0a 41 3a 76 69 73 69 74 65 64 20 Data Ascii: div{position:absolute; left:4px; top:4px; width:20%; height:89px; z-index:1; visibility: hidden; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 11px}A:link {COLOR: #FFFFFF; FONT-WEIGHT: bold; TEXT-DECORATION: none}A:visited
2024-12-18 09:58:31 UTC	1385	IN	Data Raw: 64 69 6e 67 2d 6c 65 66 74 3a 20 31 70 78 3b 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 66 6f 6e 74 2d 76 61 72 69 61 6e 74 3a 20 6e 6f 72 6d 61 6c 3b 20 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 6e 6f 6e 65 3b 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 32 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 32 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 35 70 78 20 35 70 78 3b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 Data Ascii: ding-left: 1px; font-style: normal; font-weight: bold; font-variant: normal; text-transform: none; margin-right: 2px; margin-left: 2px; background-position: 5px 5px; text-decoration: none; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12p

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:31 UTC	532	OUT	GET /frm.js HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://www.protware.com/blank.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:31 UTC	610	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:31 GMT content-type: application/x-javascript last-modified: Thu, 12 Dec 2024 17:52:09 GMT etag: "337-675b22c9-9a2bbc4967696694;;;" accept-ranges: bytes content-length: 823 date: Wed, 18 Dec 2024 09:58:31 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:31 UTC	758	IN	Data Raw: 69 66 20 28 28 70 61 72 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 3d 20 73 65 6c 66 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 20 26 26 20 77 69 6e 64 6f 77 2e 6e 61 6d 65 21 3d 27 71 61 7a 78 73 77 65 64 63 27 29 7b 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 64 65 66 61 75 6c 74 2e 68 74 6d 27 29 7d 3b 76 61 72 20 6e 38 3b 0d 0a 66 75 6e 63 74 69 6f 6e 20 72 70 6c 63 28 69 6e 70 66 2c 66 65 29 7b 0d 0a 09 66 65 41 3d 41 72 72 61 79 28 27 68 74 6d 27 2c 27 68 74 6d 6c 27 2c 27 61 73 70 27 2c 27 70 68 70 27 2c 27 73 68 74 6d 6c 27 29 3b 0d 0a 09 6e 75 3d 69 6e 70 66 2b 27 2e 27 2b 66 65 41 5b 66 65 5d 3b 0d 0a 09 64 4f 62 6a 3d 27 6c 6f 63 61 74 69 6f 6e 27 3b 20 64 56 61 6c 3d 27 27 3b 20 64 41 63 74 3d 27 2e 72 65 70 6c 61 63 Data Ascii: if ((parent.location.href == self.location.href) && window.name!='qazxswedc'){location.replace('default.htm')};var n8;function rplc(inpf,fe){feA=Array('htm','html','asp','php','shtml');nu=inpf+'.'+feA[fe];dObj='location'; dVal=''; dAct='.replac
2024-12-18 09:58:31 UTC	65	IN	Data Raw: 3b 65 76 61 6c 28 22 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 69 6e 70 5b 69 5d 29 22 2b 22 2e 22 2b 63 2b 22 61 2b 27 2e 27 2b 66 65 4d 5b 62 5d 22 29 3b 7d 7d 7d Data Ascii: ;eval("document.getElementById(inp[i])"+"."+c+"a+'.'+feM[b]");}}}

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:31 UTC	533	OUT	GET /tpmnu.js HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://www.protware.com/menu.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:31 UTC	611	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:31 GMT content-type: application/x-javascript last-modified: Thu, 12 Dec 2024 17:52:17 GMT etag: "6bb-675b22d1-fbabac40e70f3b23;;;" accept-ranges: bytes content-length: 1723 date: Wed, 18 Dec 2024 09:58:31 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:31 UTC	757	IN	Data Raw: 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 42 72 77 73 72 20 3d 20 22 49 45 22 7d 3b 0d 0a 69 66 28 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 29 7b 42 72 77 73 72 20 3d 20 22 4e 4e 34 22 7d 3b 0d 0a 69 66 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 20 26 26 20 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 29 7b 42 72 77 73 72 20 3d 20 22 4e 4e 36 22 7d 3b 0d 0a 69 66 28 6e 61 76 69 67 61 74 6f 72 2e 61 70 70 4e 61 6d 65 20 3d 3d 22 4f 70 65 72 61 22 29 7b 42 72 77 73 72 20 3d 20 22 4f 70 65 72 61 22 7d 3b 0d 0a 66 75 6e 63 74 69 6f 6e 20 6e 6f 45 72 72 4d 73 67 28 29 7b 72 65 74 75 72 6e 20 74 72 75 65 7d 3b 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 20 3d 20 6e 6f 45 72 72 4d 73 67 3b 0d 0a 74 68 65 66 69 6c 65 3d 22 22 Data Ascii: if(document.all){Brwsr = "IE"};if(document.layers){Brwsr = "NN4"};if(document.getElementById && window.sidebar){Brwsr = "NN6"};if(navigator.appName =="Opera"){Brwsr = "Opera"};function noErrMsg(){return true};window.onerror = noErrMsg;thefile=""
2024-12-18 09:58:31 UTC	966	IN	Data Raw: 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 74 68 65 66 69 6c 65 29 2e 73 74 79 6c 65 2e 62 61 63 6b 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 3d 20 22 77 68 69 74 65 22 0d 0a 7d 0d 0a 69 66 28 74 68 65 6f 6c 64 66 69 6c 65 2e 6c 65 6e 67 74 68 3e 31 20 26 26 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 74 68 65 6f 6c 64 66 69 6c 65 29 21 3d 6e 75 6c 6c 29 7b 0d 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 74 68 65 6f 6c 64 66 69 6c 65 29 2e 73 74 79 6c 65 2e 63 6f 6c 6f 72 20 3d 20 22 77 68 69 74 65 22 0d 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 74 68 65 6f 6c 64 66 69 6c 65 29 2e 73 74 79 6c 65 2e 62 61 63 6b 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 3d 20 22 23 30 30 39 39 Data Ascii: etElementById(thefile).style.backgroundColor = "white"}if(theoldfile.length>1 && document.getElementById(theoldfile)!=null){document.getElementById(theoldfile).style.color = "white"document.getElementById(theoldfile).style.backgroundColor = "#0099

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:31 UTC	532	OUT	GET /stat.js HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://www.protware.com/home.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:31 UTC	472	IN	HTTP/1.1 404 Not Found Connection: close content-type: text/html last-modified: Wed, 01 Feb 2023 19:18:58 GMT etag: "999-63dabb22-abaa6af0da50d292;;;" accept-ranges: bytes content-length: 2457 date: Wed, 18 Dec 2024 09:58:31 GMT server: LiteSpeed platform: hostinger panel: hpanel alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:31 UTC	896	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# si
2024-12-18 09:58:31 UTC	1561	IN	Data Raw: 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6f 70 73 2c 20 73 6f 6d 65 74 68 69 6e 67 20 6c 6f 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4f 6f 70 73 2c 20 6c 6f 6f 6b 73 20 6c 69 Data Ascii: bsolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, something lost</title> <meta name="description" content="Oops, looks li

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:31 UTC	534	OUT	GET /scroll.js HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://www.protware.com/home.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:32 UTC	610	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:31 GMT content-type: application/x-javascript last-modified: Thu, 12 Dec 2024 17:52:15 GMT etag: "169-675b22cf-a8014902a3c40d6a;;;" accept-ranges: bytes content-length: 361 date: Wed, 18 Dec 2024 09:58:31 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:32 UTC	361	IN	Data Raw: 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 73 74 79 6c 65 2e 73 63 72 6f 6c 6c 62 61 72 41 72 72 6f 77 43 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3b 0d 0a 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 73 74 79 6c 65 2e 73 63 72 6f 6c 6c 62 61 72 46 61 63 65 43 6f 6c 6f 72 3d 22 23 30 30 39 39 30 30 22 3b 0d 0a 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 73 74 79 6c 65 2e 73 63 72 6f 6c 6c 62 61 72 54 72 61 63 6b 43 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3b 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 73 65 74 6f 64 6c 28 29 7b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 6f 64 6c 27 29 2e 73 74 79 6c 65 2e 64 69 73 70 6c 61 79 3d 27 6e 6f 6e 65 27 7d 7d 3b 0d 0a Data Ascii: document.body.style.scrollbarArrowColor="white";document.body.style.scrollbarFaceColor="#009900";document.body.style.scrollbarTrackColor="white";function setodl(){if(document.getElementById){document.getElementById('odl').style.display='none'}};

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:33 UTC	346	OUT	GET /frm.js HTTP/1.1 Host: www.protware.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:33 UTC	610	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:33 GMT content-type: application/x-javascript last-modified: Thu, 12 Dec 2024 17:52:09 GMT etag: "337-675b22c9-9a2bbc4967696694;;;" accept-ranges: bytes content-length: 823 date: Wed, 18 Dec 2024 09:58:33 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:33 UTC	758	IN	Data Raw: 69 66 20 28 28 70 61 72 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 3d 20 73 65 6c 66 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 29 20 26 26 20 77 69 6e 64 6f 77 2e 6e 61 6d 65 21 3d 27 71 61 7a 78 73 77 65 64 63 27 29 7b 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 64 65 66 61 75 6c 74 2e 68 74 6d 27 29 7d 3b 76 61 72 20 6e 38 3b 0d 0a 66 75 6e 63 74 69 6f 6e 20 72 70 6c 63 28 69 6e 70 66 2c 66 65 29 7b 0d 0a 09 66 65 41 3d 41 72 72 61 79 28 27 68 74 6d 27 2c 27 68 74 6d 6c 27 2c 27 61 73 70 27 2c 27 70 68 70 27 2c 27 73 68 74 6d 6c 27 29 3b 0d 0a 09 6e 75 3d 69 6e 70 66 2b 27 2e 27 2b 66 65 41 5b 66 65 5d 3b 0d 0a 09 64 4f 62 6a 3d 27 6c 6f 63 61 74 69 6f 6e 27 3b 20 64 56 61 6c 3d 27 27 3b 20 64 41 63 74 3d 27 2e 72 65 70 6c 61 63 Data Ascii: if ((parent.location.href == self.location.href) && window.name!='qazxswedc'){location.replace('default.htm')};var n8;function rplc(inpf,fe){feA=Array('htm','html','asp','php','shtml');nu=inpf+'.'+feA[fe];dObj='location'; dVal=''; dAct='.replac
2024-12-18 09:58:33 UTC	65	IN	Data Raw: 3b 65 76 61 6c 28 22 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 69 6e 70 5b 69 5d 29 22 2b 22 2e 22 2b 63 2b 22 61 2b 27 2e 27 2b 66 65 4d 5b 62 5d 22 29 3b 7d 7d 7d Data Ascii: ;eval("document.getElementById(inp[i])"+"."+c+"a+'.'+feM[b]");}}}

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:33 UTC	593	OUT	GET /new3.jpg HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.protware.com/home.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:33 UTC	596	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:33 GMT content-type: image/jpeg last-modified: Thu, 12 Dec 2024 17:52:12 GMT etag: "303-675b22cc-3b2441efac56c8c1;;;" accept-ranges: bytes content-length: 771 date: Wed, 18 Dec 2024 09:58:33 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:33 UTC	771	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 00 14 00 19 03 01 11 00 02 11 01 03 11 01 ff c4 00 18 00 00 03 01 01 00 00 00 00 00 00 00 00 00 00 00 00 03 06 07 04 05 ff c4 00 2a 10 00 01 03 03 02 05 02 07 00 00 00 00 00 00 00 00 01 02 03 04 05 06 11 00 31 13 21 32 41 81 15 22 07 12 51 53 71 91 a1 ff c4 00 1a 01 00 02 02 Data Ascii: JFIFHHC $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222*1!2A"QSq

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:33 UTC	593	OUT	GET /prev.gif HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.protware.com/home.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:33 UTC	595	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:33 GMT content-type: image/gif last-modified: Thu, 12 Dec 2024 17:52:14 GMT etag: "305-675b22ce-29846ef171d9d31d;;;" accept-ranges: bytes content-length: 773 date: Wed, 18 Dec 2024 09:58:33 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:33 UTC	773	IN	Data Raw: 47 49 46 38 39 61 1e 00 1e 00 e6 ff 00 14 13 13 72 6d 6d 4a 47 47 c0 c0 c0 29 28 28 c0 be be ff ff ff f5 f5 f5 eb eb eb e8 e8 e8 df df df de de de dd dd dd db db db da da da d2 d2 d2 cf cf cf cd cd cd cb cb cb ca ca ca c5 c5 c5 c4 c4 c4 c1 c1 c1 be be be bc bc bc b9 b9 b9 b8 b8 b8 b7 b7 b7 b5 b5 b5 b3 b3 b3 b1 b1 b1 af af af ae ae ae ad ad ad a9 a9 a9 a7 a7 a7 9f 9f 9f 9b 9b 9b 9a 9a 9a 96 96 96 8e 8e 8e 8d 8d 8d 8c 8c 8c 8a 8a 8a 87 87 87 86 86 86 80 80 80 7c 7c 7c 7b 7b 7b 78 78 78 77 77 77 74 74 74 71 71 71 70 70 70 6f 6f 6f 6e 6e 6e 6d 6d 6d 6a 6a 6a 68 68 68 66 66 66 65 65 65 64 64 64 63 63 63 62 62 62 61 61 61 60 60 60 5e 5e 5e 5d 5d 5d 5b 5b 5b 5a 5a 5a 59 59 59 58 58 58 56 56 56 54 54 54 53 53 53 52 52 52 51 51 51 4d 4d 4d 4c 4c 4c 4b 4b 4b 4a 4a Data Ascii: GIF89armmJGG)((\|\|\|{{{xxxwwwtttqqqpppooonnnmmmjjjhhhfffeeedddcccbbbaaa```^^^]]][[[ZZZYYYXXXVVVTTTSSSRRRQQQMMMLLLKKKJJ

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:33 UTC	593	OUT	GET /next.gif HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.protware.com/home.htm Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:33 UTC	595	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:33 GMT content-type: image/gif last-modified: Thu, 12 Dec 2024 17:52:13 GMT etag: "313-675b22cd-2e5bdfc99585344c;;;" accept-ranges: bytes content-length: 787 date: Wed, 18 Dec 2024 09:58:33 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:33 UTC	773	IN	Data Raw: 47 49 46 38 39 61 1e 00 1e 00 e6 ff 00 14 13 13 72 6d 6d 4a 47 47 c0 c0 c0 29 28 28 c0 be be ff ff ff e8 e8 e8 df df df de de de dd dd dd db db db d2 d2 d2 cf cf cf cd cd cd cb cb cb ca ca ca c5 c5 c5 c4 c4 c4 c1 c1 c1 bc bc bc b9 b9 b9 b7 b7 b7 b5 b5 b5 b3 b3 b3 b1 b1 b1 af af af ad ad ad a9 a9 a9 a7 a7 a7 a6 a6 a6 a5 a5 a5 9f 9f 9f 9b 9b 9b 9a 9a 9a 96 96 96 94 94 94 8e 8e 8e 8d 8d 8d 8c 8c 8c 8a 8a 8a 87 87 87 86 86 86 84 84 84 80 80 80 7c 7c 7c 7b 7b 7b 79 79 79 78 78 78 77 77 77 76 76 76 75 75 75 74 74 74 71 71 71 70 70 70 6f 6f 6f 6e 6e 6e 6d 6d 6d 6a 6a 6a 68 68 68 66 66 66 65 65 65 64 64 64 63 63 63 62 62 62 61 61 61 60 60 60 5d 5d 5d 5b 5b 5b 5a 5a 5a 59 59 59 58 58 58 56 56 56 54 54 54 53 53 53 52 52 52 51 51 51 4c 4c 4c 4b 4b 4b 4a 4a 4a 49 49 Data Ascii: GIF89armmJGG)((\|\|\|{{{yyyxxxwwwvvvuuutttqqqpppooonnnmmmjjjhhhfffeeedddcccbbbaaa```]]][[[ZZZYYYXXXVVVTTTSSSRRRQQQLLLKKKJJJII
2024-12-18 09:58:33 UTC	14	IN	Data Raw: c0 c1 03 87 0c 14 92 c7 a3 23 0a 04 00 3b Data Ascii: #;

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:35 UTC	593	OUT	GET /encrypt_html.ico HTTP/1.1 Host: www.protware.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.protware.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:35 UTC	598	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:35 GMT content-type: image/x-icon last-modified: Thu, 12 Dec 2024 17:52:07 GMT etag: "2fe-675b22c7-341065ca9a8b24a5;;;" accept-ranges: bytes content-length: 766 date: Wed, 18 Dec 2024 09:58:35 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:35 UTC	766	IN	Data Raw: 00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00 00 00 77 77 77 77 77 77 77 77 77 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 77 77 00 00 00 00 00 33 bb ff bb bb bb bb bb 33 07 77 70 00 00 00 00 3b bb ff bb bb bb bb b3 b3 30 77 70 00 00 00 00 33 bb ff bb bb bb bb bb 33 33 07 70 00 00 00 00 3b bb ff 0b bb 0b bb b3 b3 33 07 70 00 00 00 00 33 bb f0 0b bb 00 bb bb 33 33 07 70 00 00 00 00 3b bb 00 bb bb b0 0b b3 b3 33 07 70 00 00 Data Ascii: ( @wwwwwwwwwpww33wp;0wp333p;3p333p;3p

Timestamp	Bytes transferred	Direction	Data
2024-12-18 09:58:37 UTC	356	OUT	GET /encrypt_html.ico HTTP/1.1 Host: www.protware.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-18 09:58:37 UTC	598	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Wed, 25 Dec 2024 09:58:37 GMT content-type: image/x-icon last-modified: Thu, 12 Dec 2024 17:52:07 GMT etag: "2fe-675b22c7-341065ca9a8b24a5;;;" accept-ranges: bytes content-length: 766 date: Wed, 18 Dec 2024 09:58:37 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-18 09:58:37 UTC	766	IN	Data Raw: 00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00 00 00 77 77 77 77 77 77 77 77 77 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 77 77 00 00 00 00 00 33 bb ff bb bb bb bb bb 33 07 77 70 00 00 00 00 3b bb ff bb bb bb bb b3 b3 30 77 70 00 00 00 00 33 bb ff bb bb bb bb bb 33 33 07 70 00 00 00 00 3b bb ff 0b bb 0b bb b3 b3 33 07 70 00 00 00 00 33 bb f0 0b bb 00 bb bb 33 33 07 70 00 00 00 00 3b bb 00 bb bb b0 0b b3 b3 33 07 70 00 00 Data Ascii: ( @wwwwwwwwwpww33wp;0wp333p;3p333p;3p

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report K63NjiQEa5.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Chrome Cache Entry: 83

Chrome Cache Entry: 84

Chrome Cache Entry: 85

Chrome Cache Entry: 86

Chrome Cache Entry: 87

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
K63NjiQEa5.html

Target ID:	0
Start time:	04:58:07
Start date:	18/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\K63NjiQEa5.html"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	04:58:09
Start date:	18/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,652140676510124543,7511898349956267164,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre