Edit tour

Windows Analysis Report
Payment copy.HTML

Overview

General Information

Sample name:	Payment copy.HTML
Analysis ID:	1655135
MD5:	a84eb8ccb518dc96f1d4f0f2f53556df
SHA1:	b0f17a8f02660f37f12f8c70c3cb45411a40eb5d
SHA256:	d73a1e132450df375107353e0ccfa8de5916a645252a807ba2f3f1f70d2afbaa
Infos:

Detection

Score:	68
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Antivirus detection for URL or domain

HTML document with suspicious name

HTML document with suspicious title

HTML file submission containing password form

Creates files inside the system directory

Deletes files inside the Windows folder

HTML body contains low number of good links

HTML title does not match URL

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Suspicious form URL found

Classification

Process Tree

System is w10x64

chrome.exe (PID: 7396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,7512422396215173747,8855882059684338427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2096 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 3932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Payment copy.HTML" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

HTTP traffic detected: POST /admin/save/mer.php HTTP/1.1Host: thynkfinance.co.zaConnection: keep-aliveContent-Length: 56Cache-Control: max-age=0sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Origin: nullContent-Type: application/x-www-form-urlencodedUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: Payment copy.HTML

String found in binary or memory: https://thynkfinance.co.za/admin/save/mer.php

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 142.250.80.4:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.0.165.249:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 154.0.165.249:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 207.174.26.219:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.251:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.131.251:443 -> 192.168.2.4:49749 version: TLS 1.2

System Summary

HTML document with suspicious name

Source: Name includes: Payment copy.HTML

Initial sample: payment

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir7396_1416000944

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir7396_1416000944

Jump to behavior

Source: classification engine

Classification label: mal68.phis.winHTML@24/5@10/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,7512422396215173747,8855882059684338427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2096 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Payment copy.HTML"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,7512422396215173747,8855882059684338427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2096 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Stealing of Sensitive Information

HTML file submission containing password form

Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML

HTTP Parser: file:///C:/Users/user/Desktop/Payment%20copy.HTML

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file:///C:/Users/user/Desktop/Payment%20copy.HTML	0%	Avira URL Cloud	safe
https://thynkfinance.co.za/admin/save/mer.php	100%	Avira URL Cloud	phishing

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
simgbb.com	172.67.131.251	true	false	high
www.google.com	142.250.80.4	true	false	high
thynkfinance.co.za	154.0.165.249	true	false	unknown
i.ibb.co	207.174.26.219	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://thynkfinance.co.za/admin/save/mer.php	false	Avira URL Cloud: phishing	unknown
https://simgbb.com/images/favicon.png	false		high
file:///C:/Users/user/Desktop/Payment%20copy.HTML	true	Avira URL Cloud: safe	unknown
https://i.ibb.co/favicon.ico	false		high
https://i.ibb.co/nBXYTs4/wrong-details.jpg	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
207.174.26.219	i.ibb.co	United States	6079	RCN-ASUS	false
172.67.131.251	simgbb.com	United States	13335	CLOUDFLARENETUS	false
142.250.80.4	www.google.com	United States	15169	GOOGLEUS	false
154.0.165.249	thynkfinance.co.za	South Africa	37611	AfrihostZA	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1655135
Start date and time:	2025-04-03 00:52:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment copy.HTML
Detection:	MAL
Classification:	mal68.phis.winHTML@24/5@10/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .HTML

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.80.110, 172.217.165.131, 142.251.40.142, 172.253.122.84, 142.251.40.174, 142.250.64.110, 142.250.80.78, 142.250.65.174, 23.203.176.221, 199.232.210.172, 142.251.40.206, 142.251.35.174, 172.217.165.142, 142.250.65.227, 142.250.65.206, 142.250.72.99, 142.251.40.238, 142.250.81.238, 142.251.32.110, 142.250.176.206, 142.251.40.110, 184.31.69.3, 4.245.163.56
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, ocsp.digicert.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
207.174.26.219	https://hidrive.ionos.com/lnk/MyScbyomU	Get hash	malicious	HTMLPhisher	Browse
	Payment Remittance.pdf	Get hash	malicious	Unknown	Browse
	F Notice Docx 433 (1).html	Get hash	malicious	HTMLPhisher	Browse
	https://orgfarm-4ccb539e27-dev-ed.develop.my.salesforce-sites.com/	Get hash	malicious	Unknown	Browse
	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse
	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse
	roblox.exe	Get hash	malicious	XWorm	Browse
	WizClient.exe	Get hash	malicious	XWorm	Browse
	XC.exe	Get hash	malicious	XWorm	Browse
	FINAL -Legal Notice Presentation (1).pptx	Get hash	malicious	HTMLPhisher	Browse
172.67.131.251	Payment Remittance.pdf	Get hash	malicious	Unknown	Browse
	Payment.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://tap-rt-prod1-t.campaign.adobe.com/r/?id=h9ecb88b,c1e96b3,69fe0fb&p1=zoom-meeting.top/scJF1SSXVzFB/zFBa2scJF17067/HkeS73tjSSXV1331248624633021?HkeS73tjSSXV1331248624633021=Yy5iYWtrZXJAbWVkaXJldmEubmw=	Get hash	malicious	HTMLPhisher	Browse
154.0.165.249	Payment Remittance.pdf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
i.ibb.co	https://hidrive.ionos.com/lnk/MyScbyomU	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Payment Remittance.pdf	Get hash	malicious	Unknown	Browse	207.174.26.219
	F Notice Docx 433 (1).html	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	https://orgfarm-4ccb539e27-dev-ed.develop.my.salesforce-sites.com/	Get hash	malicious	Unknown	Browse	207.174.26.219
	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	roblox.exe	Get hash	malicious	XWorm	Browse	207.174.26.219
	WizClient.exe	Get hash	malicious	XWorm	Browse	207.174.26.219
	XC.exe	Get hash	malicious	XWorm	Browse	207.174.26.219
	FINAL -Legal Notice Presentation (1).pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
thynkfinance.co.za	Payment Remittance.pdf	Get hash	malicious	Unknown	Browse	154.0.165.249
simgbb.com	Payment Remittance.pdf	Get hash	malicious	Unknown	Browse	172.67.131.251
	Payment.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.4.104
	AGREEMENT AND APPROVAL REPORT DIAMOND TRAILER 2024-502244_6.5.248.pdf	Get hash	malicious	Unknown	Browse	104.21.4.104
	https://tap-rt-prod1-t.campaign.adobe.com/r/?id=h9ecb88b,c1e96b3,69fe0fb&p1=zoom-meeting.top/scJF1SSXVzFB/zFBa2scJF17067/HkeS73tjSSXV1331248624633021?HkeS73tjSSXV1331248624633021=Yy5iYWtrZXJAbWVkaXJldmEubmw=	Get hash	malicious	HTMLPhisher	Browse	104.21.4.104

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RCN-ASUS	xd.x86_64.elf	Get hash	malicious	Mirai	Browse	207.96.68.177
	xd.x86_64.elf	Get hash	malicious	Mirai	Browse	216.164.110.37
	https://hidrive.ionos.com/lnk/MyScbyomU	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	207.175.75.148
	xd.x86.elf	Get hash	malicious	Mirai	Browse	66.44.1.128
	Payment Remittance.pdf	Get hash	malicious	Unknown	Browse	207.174.26.219
	F Notice Docx 433 (1).html	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	https://orgfarm-4ccb539e27-dev-ed.develop.my.salesforce-sites.com/	Get hash	malicious	Unknown	Browse	207.174.26.219
	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
	Presentation Of Court Order_Letter.pptx	Get hash	malicious	HTMLPhisher	Browse	207.174.26.219
CLOUDFLARENETUS	http://www.standupforkids.org	Get hash	malicious	Unknown	Browse	104.19.229.21
	Payment Error.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	https://e-hazard.com/arc-flash-training/advanced-electrical-safety-for-key-personnel/	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://microsoft365.craft.me/document	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	104.21.27.108
	http://found19.z20.web.core.windows.net/werrx01USAHTML/index.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://selecthealth.nationsbenefits.com	Get hash	malicious	Unknown	Browse	172.67.218.119
	https://vqr.vc/6ossVvCJo	Get hash	malicious	Unknown	Browse	104.18.27.193
	https://storage.googleapis.com/kzrzrzrzrzr/wattere.html#/redirect.html?od=1syb67eb1c8583e99_vl_topvl_1544.54qf18g.C0000rjawyf2czq00l_x11480.jawyf%5DM3hoeHE4LTA3YzBjcmM0u6Nvi	Get hash	malicious	Phisher	Browse	104.18.121.34
	https://www.earthcam.net/refer/refer.php?h=1&t=ai&a=MjAyMTAzVExPTQ==&u=https://gamma.app/docs/Ikegami-Electronics-USA-Inc-7imknbprp42mt7n?mode=present#card-551p7iq4lgkr821	Get hash	malicious	HTMLPhisher	Browse	104.18.11.200
	http://www.lozoyalawaz.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.24.14
AfrihostZA	xd.x86_64.elf	Get hash	malicious	Mirai	Browse	169.33.219.229
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	169.71.211.183
	xd.m68k.elf	Get hash	malicious	Mirai	Browse	102.183.29.162
	xd.i686.elf	Get hash	malicious	Mirai	Browse	169.174.79.216
	xd.x86_64.elf	Get hash	malicious	Mirai	Browse	169.65.254.4
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	169.80.16.103
	xd.x86.elf	Get hash	malicious	Mirai	Browse	169.225.255.4
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	192.143.250.212
	xd.powerpc-440fp.elf	Get hash	malicious	Mirai	Browse	169.107.8.154
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	169.108.199.4

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://pl25946353.effectiveratecpm.com	Get hash	malicious	Unknown	Browse	204.79.197.222
	https://storage.googleapis.com/m030325nw/0203010214585.html#4dgBPD109344NHwX674ydbhwbcdjf377WZWJVQGWFRXHUDM187807FNMP18377G21	Get hash	malicious	Phisher	Browse	204.79.197.222
	https://up.culturaljourney.de/RwBmy/	Get hash	malicious	HTMLPhisher	Browse	204.79.197.222
	http://franoapas.co.in	Get hash	malicious	Unknown	Browse	204.79.197.222
	https://u.masdnfikjentriu.ru/dfgbwerfsd/dfgjher.html	Get hash	malicious	Unknown	Browse	204.79.197.222
	Statement 02-03-2025.xlsx	Get hash	malicious	Unknown	Browse	204.79.197.222
	Invoice Confirmation Subscription_2EZHMA9.htm	Get hash	malicious	HTMLPhisher	Browse	204.79.197.222
	http://www.bankmenia.fr	Get hash	malicious	Unknown	Browse	204.79.197.222
	paste.ee_d_ktyPclYy.js	Get hash	malicious	Remcos	Browse	204.79.197.222
	Revolt.bat	Get hash	malicious	HTMLPhisher	Browse	204.79.197.222

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 1119x530, components 3
Category:	downloaded
Size (bytes):	42786
Entropy (8bit):	7.560196098084351
Encrypted:	false
SSDEEP:	384:QzfEtmgAxU+NoHZT04iHP04T19LfTHMhbRE26m1fkGhQOPIhEw6hNhyswQM7vG78:QzfEtjAmG6TxS9fsD7VfkGhRsEBwZN
MD5:	B078562CE3B7759C76E1F184734683DD
SHA1:	192BFFAE3279CFA47A7539B19D3811A18EBA1AEB
SHA-256:	8D2AE2E196083C37B7D3F39601ECEF4A19CDA7AE910F64E49E958C3BDA51A176
SHA-512:	445E4E8E5A8EEACBEB9FD931D7A282992E10645A9C9B0A69ABD83AA58A580F4846AB3CBD143C686B94AC242F38EA929C602719D7BFBD4C3932A93E54DFA0BA3B
Malicious:	false
Reputation:	low
URL:	https://i.ibb.co/nBXYTs4/wrong-details.jpg
Preview:	......JFIF.....`.`....."Exif..MM..........................C....................................................................C........................................................................._.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......./._t....[....{G.^/....i?.......}^.U"b7..Z<.e..(.J...Z<.e..(.(.<.e...Z].......Z<.e..(.(.<.e...Zu.....M*.9.z..^k.......O..7rn.b.h.4p\...g..W,..U..PL...G..y...m...V.S.~._/..........b.hvV7O..TMg$........\|..Y[..n.........fO.....Z<.e..).h..A.._....-&...P.y~.G......'..y~.FV.`....../.iv.n.....Z<.e..).].v....e...Z].......Z<.e

Chrome Cache Entry: 58

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	7235
Entropy (8bit):	7.854530968163744
Encrypted:	false
SSDEEP:	96:XvtH6yH1xG+B9yulnhK/xXD8OktMUgwxqpTLEQhVYEnfxPqCsM8BeHnudkFvL:lHnHzb3yYhiZkCTXnnf9+R9dkFj
MD5:	40B917B7789A2852E23B074DF0EDC560
SHA1:	22CE76F00BC9D294E51409F31ACBBAC3921461E1
SHA-256:	AE2D45946C7B4F594006A87CF961ABA86CE880DE9BA334B03B9CDE9C39EC6FF3
SHA-512:	7D22377A197530B9E377FEE232C3F70CFF9201CF2E806240F20D94C08546C22C9FBC7406304F5E2E0A10B5C6D7C7B970BB8406FE3443EAE33EC7C22661950187
Malicious:	false
Reputation:	low
URL:	https://simgbb.com/images/favicon.png
Preview:	.PNG........IHDR...,...,.....y}.u....bKGD..............pHYs..........+......tIME.....8..Qj.....IDATx..y...}.==.....jOi%!....8.a..e.qA.q%&...@.8.q....Q.q...@......l....m.....a....v.BH......}..?.\.C........E...~.}..;~O[.y..!.(....B..E.!..!..".....B(,B..E.!..!.PX.....B(,B....!..!.PX..Ba.B(,B....!..".PX..Ba.B..E....!..".....Ba.B..E.!..!..".....Ba.B..E.!..!..".....B(,B..E.!..!.PX.....B(,B....!..!.PX..Ba.B(,B....!..".PX..Ba.B..E....!..".....Ba.B..E.!..!..".....Ba.B..E.!..!..".....B(,BHK.m..K.5l..a.. ....."..@..i.d..h...2../aw......-.<j7......-+.....W.}..H..G....,.&o.B(,.,....$.....s.K...Lc.H.64.!...!k..C0..k.\...W.'......'...I..sS. .E...Q..E_..W..s.e.u..`..P~../W.p.@..{eO......~r.#Y.i..z..Q..F..x...?G....g\|...$...O....}~_...q..qH.ii...._.d~.......)..YPXuq..PY.&.....]x./O`.d......?....x...."^..bV..LUh!fAa..y1/.(....F\|....p.......Gu\|e}..F.....x.]B7.. S.;...r.G5...%.=...]!.,&./....z.>.....`.YPX...F..# .?.*.._N.k..k>.....UG..c+..r.~.7.....k%7.......

Chrome Cache Entry: 59

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	7235
Entropy (8bit):	7.854530968163744
Encrypted:	false
SSDEEP:	96:XvtH6yH1xG+B9yulnhK/xXD8OktMUgwxqpTLEQhVYEnfxPqCsM8BeHnudkFvL:lHnHzb3yYhiZkCTXnnf9+R9dkFj
MD5:	40B917B7789A2852E23B074DF0EDC560
SHA1:	22CE76F00BC9D294E51409F31ACBBAC3921461E1
SHA-256:	AE2D45946C7B4F594006A87CF961ABA86CE880DE9BA334B03B9CDE9C39EC6FF3
SHA-512:	7D22377A197530B9E377FEE232C3F70CFF9201CF2E806240F20D94C08546C22C9FBC7406304F5E2E0A10B5C6D7C7B970BB8406FE3443EAE33EC7C22661950187
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...,...,.....y}.u....bKGD..............pHYs..........+......tIME.....8..Qj.....IDATx..y...}.==.....jOi%!....8.a..e.qA.q%&...@.8.q....Q.q...@......l....m.....a....v.BH......}..?.\.C........E...~.}..;~O[.y..!.(....B..E.!..!..".....B(,B..E.!..!.PX.....B(,B....!..!.PX..Ba.B(,B....!..".PX..Ba.B..E....!..".....Ba.B..E.!..!..".....Ba.B..E.!..!..".....B(,B..E.!..!.PX.....B(,B....!..!.PX..Ba.B(,B....!..".PX..Ba.B..E....!..".....Ba.B..E.!..!..".....Ba.B..E.!..!..".....B(,BHK.m..K.5l..a.. ....."..@..i.d..h...2../aw......-.<j7......-+.....W.}..H..G....,.&o.B(,.,....$.....s.K...Lc.H.64.!...!k..C0..k.\...W.'......'...I..sS. .E...Q..E_..W..s.e.u..`..P~../W.p.@..{eO......~r.#Y.i..z..Q..F..x...?G....g\|...$...O....}~_...q..qH.ii...._.d~.......)..YPXuq..PY.&.....]x./O`.d......?....x...."^..bV..LUh!fAa..y1/.(....F\|....p.......Gu\|e}..F.....x.]B7.. S.;...r.G5...%.=...]!.,&./....z.>.....`.YPX...F..# .?.*.._N.k..k>.....UG..c+..r.~.7.....k%7.......

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (17642), with CRLF line terminators
Entropy (8bit):	6.051166653033828
TrID:
File name:	Payment copy.HTML
File size:	18'964 bytes
MD5:	a84eb8ccb518dc96f1d4f0f2f53556df
SHA1:	b0f17a8f02660f37f12f8c70c3cb45411a40eb5d
SHA256:	d73a1e132450df375107353e0ccfa8de5916a645252a807ba2f3f1f70d2afbaa
SHA512:	dbba2cb51c1bdcafb0bf074dbe1d3d38f064a55dd17a9854b012202f9d7cc7c81795a16e7d4981c5234f795da1847109146245ea27a35be2bfbb5cef600fc771
SSDEEP:	384:fUwPSh3Uds6y8fV/D8O9BF+DvX+zIRrEQCjjiJDMVYpJI89Ulp:fUww3PNi/F+izkEQCjGlSYpG+Ulp
TLSH:	0D828C3DF7FAB48D16BD4A64E9BCEC206E8FBC1754D04B6329519368ADC90824B1C3D8
File Content Preview:	.. .. ...<title>REMITTANCE</title> ...<style> ....body { .....background-image: url('data:image/jpeg;base64,/9j/4QBWRXhpZgAATU0AKgAAAAgABAESAAMAAAABAAEAAAEaAAUAAAABAAAAPgEbAAUAAAABAAAARgEoAAMAAAABAAIAAAAAAAAAAACQAAAAAQAAAJAAAAAB/+AAEEpGSUYAAQEBAJAA

File Icon


Icon Hash:	1270ce868a8686b8

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 147
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2025 00:53:46.896480083 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 3, 2025 00:53:50.740700006 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 3, 2025 00:53:51.052710056 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 3, 2025 00:53:51.654256105 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 3, 2025 00:53:52.864432096 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 3, 2025 00:53:55.272049904 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 3, 2025 00:53:56.505402088 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 3, 2025 00:53:56.944051981 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:53:56.944097996 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:53:56.944185972 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:53:56.944338083 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:53:56.944346905 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:53:57.159554005 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:53:57.159615040 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:53:57.160753965 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:53:57.160764933 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:53:57.160988092 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:53:57.208502054 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:53:59.511043072 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 3, 2025 00:53:59.822552919 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 3, 2025 00:54:00.085233927 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 3, 2025 00:54:00.431118011 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 3, 2025 00:54:01.645807028 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 3, 2025 00:54:04.052630901 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 3, 2025 00:54:05.542653084 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.542653084 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.542741060 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.646497011 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.646514893 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.646526098 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.647381067 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.647403002 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.647927999 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.649743080 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.649780035 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.650058031 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.663486004 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.669523954 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.763254881 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.769298077 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.771449089 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.771514893 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:54:05.771539927 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.771636009 CEST	49709	443	192.168.2.4	131.253.33.254
Apr 3, 2025 00:54:05.774250984 CEST	49680	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:05.774276018 CEST	49737	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:05.774348021 CEST	443	49737	204.79.197.222	192.168.2.4
Apr 3, 2025 00:54:05.777749062 CEST	49737	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:05.777749062 CEST	49737	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:05.777817011 CEST	443	49737	204.79.197.222	192.168.2.4
Apr 3, 2025 00:54:06.083466053 CEST	443	49737	204.79.197.222	192.168.2.4
Apr 3, 2025 00:54:06.083549023 CEST	49680	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:06.083674908 CEST	49737	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:06.692847013 CEST	49680	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:07.149332047 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:54:07.149470091 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:54:07.149532080 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:54:07.896001101 CEST	49680	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:08.476457119 CEST	49733	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:54:08.476527929 CEST	443	49733	142.250.80.4	192.168.2.4
Apr 3, 2025 00:54:08.880064011 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 3, 2025 00:54:09.700824022 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 3, 2025 00:54:10.310947895 CEST	49680	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:14.200872898 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:14.200925112 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:14.201023102 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:14.201455116 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:14.201471090 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:14.201484919 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:14.201491117 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:14.204021931 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:14.204021931 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:14.204055071 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.115755081 CEST	49680	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:15.213385105 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.213397980 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.213473082 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:15.213541031 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:15.218003988 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:15.218019009 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.218379021 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.218879938 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:15.218899965 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.219170094 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.219629049 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:15.260277033 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:15.268021107 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:18.262020111 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:18.262217999 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:18.262419939 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:18.262490034 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:18.262511969 CEST	443	49743	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:18.262525082 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:18.262749910 CEST	49743	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:18.367240906 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.367301941 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.367429972 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.367563009 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.367573977 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.491830111 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 3, 2025 00:54:18.571852922 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.571955919 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.572928905 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.572959900 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.573355913 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.573642015 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.616286039 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.741462946 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.741514921 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.741729975 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.741764069 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.743294954 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.747812986 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.752293110 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.758368969 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.760248899 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.760250092 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.760276079 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.769007921 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.785273075 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.786740065 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.834378958 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.834875107 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.847392082 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.847479105 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.853930950 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.857028008 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.867026091 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.869539022 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.878832102 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.878948927 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.884848118 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.886259079 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.891169071 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.891266108 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.891292095 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.891330957 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.891415119 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.891654015 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.891693115 CEST	443	49744	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.891722918 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.893021107 CEST	49744	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.917323112 CEST	49746	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.917377949 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:18.918207884 CEST	49746	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.918606043 CEST	49746	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:18.918626070 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:19.106777906 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:19.107018948 CEST	49746	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:19.107057095 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:19.107172012 CEST	49746	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:19.107178926 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:19.293463945 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:19.293549061 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:19.299916983 CEST	49746	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:19.300389051 CEST	49746	443	192.168.2.4	207.174.26.219
Apr 3, 2025 00:54:19.300407887 CEST	443	49746	207.174.26.219	192.168.2.4
Apr 3, 2025 00:54:19.404031038 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.404088974 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.404175043 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.404323101 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.404337883 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.615190029 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.618542910 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.628566027 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.628590107 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.628968000 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.629319906 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.672271013 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.857779026 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.857851982 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.857894897 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.857922077 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.857934952 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.857949018 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.858028889 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.858091116 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.859237909 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.860694885 CEST	49748	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.860713005 CEST	443	49748	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.968843937 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.968888044 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:19.968950033 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.969090939 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:19.969095945 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.176335096 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.176407099 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.176825047 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.176831007 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.177146912 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.177414894 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.220295906 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.417870045 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418003082 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418090105 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418169022 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418183088 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.418201923 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418229103 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.418313026 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418369055 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.418376923 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418441057 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:20.418549061 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.419051886 CEST	49749	443	192.168.2.4	172.67.131.251
Apr 3, 2025 00:54:20.419064045 CEST	443	49749	172.67.131.251	192.168.2.4
Apr 3, 2025 00:54:24.724384069 CEST	49680	443	192.168.2.4	204.79.197.222
Apr 3, 2025 00:54:38.927380085 CEST	49715	80	192.168.2.4	142.251.41.3
Apr 3, 2025 00:54:38.927509069 CEST	49716	80	192.168.2.4	199.232.214.172
Apr 3, 2025 00:54:38.927612066 CEST	49718	80	192.168.2.4	199.232.214.172
Apr 3, 2025 00:54:39.018539906 CEST	80	49715	142.251.41.3	192.168.2.4
Apr 3, 2025 00:54:39.018619061 CEST	49715	80	192.168.2.4	142.251.41.3
Apr 3, 2025 00:54:39.018712997 CEST	80	49718	199.232.214.172	192.168.2.4
Apr 3, 2025 00:54:39.018745899 CEST	80	49716	199.232.214.172	192.168.2.4
Apr 3, 2025 00:54:39.018794060 CEST	80	49716	199.232.214.172	192.168.2.4
Apr 3, 2025 00:54:39.018843889 CEST	49716	80	192.168.2.4	199.232.214.172
Apr 3, 2025 00:54:39.019861937 CEST	80	49718	199.232.214.172	192.168.2.4
Apr 3, 2025 00:54:39.020009995 CEST	49718	80	192.168.2.4	199.232.214.172
Apr 3, 2025 00:54:39.102166891 CEST	49717	443	192.168.2.4	104.70.121.145
Apr 3, 2025 00:54:44.861557007 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:44.861704111 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:44.861876011 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:46.475861073 CEST	49742	443	192.168.2.4	154.0.165.249
Apr 3, 2025 00:54:46.475899935 CEST	443	49742	154.0.165.249	192.168.2.4
Apr 3, 2025 00:54:56.897583008 CEST	49755	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:54:56.897654057 CEST	443	49755	142.250.80.4	192.168.2.4
Apr 3, 2025 00:54:56.897741079 CEST	49755	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:54:56.897898912 CEST	49755	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:54:56.897912979 CEST	443	49755	142.250.80.4	192.168.2.4
Apr 3, 2025 00:54:57.094075918 CEST	443	49755	142.250.80.4	192.168.2.4
Apr 3, 2025 00:54:57.094501972 CEST	49755	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:54:57.094536066 CEST	443	49755	142.250.80.4	192.168.2.4
Apr 3, 2025 00:55:07.094074965 CEST	443	49755	142.250.80.4	192.168.2.4
Apr 3, 2025 00:55:07.094228983 CEST	443	49755	142.250.80.4	192.168.2.4
Apr 3, 2025 00:55:07.094392061 CEST	49755	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:55:08.478796959 CEST	49755	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:55:08.478828907 CEST	443	49755	142.250.80.4	192.168.2.4
Apr 3, 2025 00:55:27.428342104 CEST	49711	443	192.168.2.4	40.126.24.148
Apr 3, 2025 00:55:27.428342104 CEST	49713	80	192.168.2.4	199.232.214.172
Apr 3, 2025 00:55:27.518615961 CEST	80	49713	199.232.214.172	192.168.2.4
Apr 3, 2025 00:55:27.518723965 CEST	80	49713	199.232.214.172	192.168.2.4
Apr 3, 2025 00:55:27.518908024 CEST	49713	80	192.168.2.4	199.232.214.172
Apr 3, 2025 00:55:27.529210091 CEST	443	49711	40.126.24.148	192.168.2.4
Apr 3, 2025 00:55:27.529324055 CEST	49711	443	192.168.2.4	40.126.24.148
Apr 3, 2025 00:55:36.990377903 CEST	49708	443	192.168.2.4	52.113.196.254
Apr 3, 2025 00:55:56.959657907 CEST	49770	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:55:56.959697962 CEST	443	49770	142.250.80.4	192.168.2.4
Apr 3, 2025 00:55:56.959755898 CEST	49770	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:55:56.959901094 CEST	49770	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:55:56.959911108 CEST	443	49770	142.250.80.4	192.168.2.4
Apr 3, 2025 00:55:57.151628971 CEST	443	49770	142.250.80.4	192.168.2.4
Apr 3, 2025 00:55:57.151988983 CEST	49770	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:55:57.152003050 CEST	443	49770	142.250.80.4	192.168.2.4
Apr 3, 2025 00:56:07.146620035 CEST	443	49770	142.250.80.4	192.168.2.4
Apr 3, 2025 00:56:07.146704912 CEST	443	49770	142.250.80.4	192.168.2.4
Apr 3, 2025 00:56:07.146773100 CEST	49770	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:56:08.417891026 CEST	443	49709	131.253.33.254	192.168.2.4
Apr 3, 2025 00:56:08.476213932 CEST	49770	443	192.168.2.4	142.250.80.4
Apr 3, 2025 00:56:08.476248980 CEST	443	49770	142.250.80.4	192.168.2.4
Apr 3, 2025 00:56:09.530155897 CEST	443	49737	204.79.197.222	192.168.2.4
Apr 3, 2025 00:56:09.530237913 CEST	49737	443	192.168.2.4	204.79.197.222

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2025 00:53:52.568958998 CEST	53	59705	1.1.1.1	192.168.2.4
Apr 3, 2025 00:53:52.724831104 CEST	53	50143	1.1.1.1	192.168.2.4
Apr 3, 2025 00:53:53.351161003 CEST	53	60320	1.1.1.1	192.168.2.4
Apr 3, 2025 00:53:53.491008043 CEST	53	61964	1.1.1.1	192.168.2.4
Apr 3, 2025 00:53:56.834608078 CEST	51869	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:53:56.834950924 CEST	49380	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:53:56.934385061 CEST	53	49380	1.1.1.1	192.168.2.4
Apr 3, 2025 00:53:56.943281889 CEST	53	51869	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:10.611242056 CEST	53	51330	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:13.303352118 CEST	63261	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:13.303467035 CEST	60941	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:14.120172024 CEST	53	60941	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:14.199862957 CEST	53	63261	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:18.264987946 CEST	58115	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:18.264987946 CEST	62688	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:18.366414070 CEST	53	58115	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:18.366642952 CEST	53	62688	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:19.302402020 CEST	59464	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:19.302630901 CEST	53713	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:19.400589943 CEST	53	59464	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:19.403558016 CEST	53	53713	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:19.866523027 CEST	61116	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:19.866818905 CEST	61598	53	192.168.2.4	1.1.1.1
Apr 3, 2025 00:54:19.964107990 CEST	53	61116	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:19.968338013 CEST	53	61598	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:29.593296051 CEST	53	51127	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:52.144654036 CEST	53	65082	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:52.657938957 CEST	53	61605	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:55.294234037 CEST	53	56045	1.1.1.1	192.168.2.4
Apr 3, 2025 00:54:58.981129885 CEST	138	138	192.168.2.4	192.168.2.255
Apr 3, 2025 00:55:23.610117912 CEST	53	60909	1.1.1.1	192.168.2.4
Apr 3, 2025 00:56:10.325462103 CEST	53	50112	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 3, 2025 00:53:56.834608078 CEST	192.168.2.4	1.1.1.1	0x1197	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:53:56.834950924 CEST	192.168.2.4	1.1.1.1	0xbe73	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 3, 2025 00:54:13.303352118 CEST	192.168.2.4	1.1.1.1	0xf88	Standard query (0)	thynkfinance.co.za	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:13.303467035 CEST	192.168.2.4	1.1.1.1	0xd0a4	Standard query (0)	thynkfinance.co.za	65	IN (0x0001)	false
Apr 3, 2025 00:54:18.264987946 CEST	192.168.2.4	1.1.1.1	0xbef8	Standard query (0)	i.ibb.co	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:18.264987946 CEST	192.168.2.4	1.1.1.1	0x2987	Standard query (0)	i.ibb.co	65	IN (0x0001)	false
Apr 3, 2025 00:54:19.302402020 CEST	192.168.2.4	1.1.1.1	0x6477	Standard query (0)	simgbb.com	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:19.302630901 CEST	192.168.2.4	1.1.1.1	0xeda9	Standard query (0)	simgbb.com	65	IN (0x0001)	false
Apr 3, 2025 00:54:19.866523027 CEST	192.168.2.4	1.1.1.1	0x91af	Standard query (0)	simgbb.com	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:19.866818905 CEST	192.168.2.4	1.1.1.1	0x8e3d	Standard query (0)	simgbb.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 3, 2025 00:53:56.934385061 CEST	1.1.1.1	192.168.2.4	0xbe73	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 3, 2025 00:53:56.943281889 CEST	1.1.1.1	192.168.2.4	0x1197	No error (0)	www.google.com	142.250.80.4	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:14.199862957 CEST	1.1.1.1	192.168.2.4	0xf88	No error (0)	thynkfinance.co.za	154.0.165.249	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:18.366414070 CEST	1.1.1.1	192.168.2.4	0xbef8	No error (0)	i.ibb.co	207.174.26.219	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:19.400589943 CEST	1.1.1.1	192.168.2.4	0x6477	No error (0)	simgbb.com	172.67.131.251	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:19.400589943 CEST	1.1.1.1	192.168.2.4	0x6477	No error (0)	simgbb.com	104.21.4.104	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:19.403558016 CEST	1.1.1.1	192.168.2.4	0xeda9	No error (0)	simgbb.com		65	IN (0x0001)	false
Apr 3, 2025 00:54:19.964107990 CEST	1.1.1.1	192.168.2.4	0x91af	No error (0)	simgbb.com	172.67.131.251	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:19.964107990 CEST	1.1.1.1	192.168.2.4	0x91af	No error (0)	simgbb.com	104.21.4.104	A (IP address)	IN (0x0001)	false
Apr 3, 2025 00:54:19.968338013 CEST	1.1.1.1	192.168.2.4	0x8e3d	No error (0)	simgbb.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

thynkfinance.co.za

i.ibb.co

simgbb.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	154.0.165.249	443	7580	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-02 22:54:15 UTC	802	OUT	POST /admin/save/mer.php HTTP/1.1 Host: thynkfinance.co.za Connection: keep-alive Content-Length: 56 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Origin: null Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-02 22:54:15 UTC	56	OUT	Data Raw: 32 32 32 32 3d 72 39 6c 38 33 72 25 34 30 74 6d 70 61 2e 63 6f 26 31 31 31 31 3d 2e 56 25 32 36 6e 25 35 44 57 79 25 32 43 54 72 25 32 34 25 32 35 53 63 66 25 37 43 2e Data Ascii: 2222=r9l83r%40tmpa.co&1111=.V%26n%5DWy%2CTr%24%25Scf%7C.
2025-04-02 22:54:18 UTC	315	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Wed, 02 Apr 2025 22:54:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: close Location: https://i.ibb.co/nBXYTs4/wrong-details.jpg X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Server-Powered-By: nginx-ah

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	207.174.26.219	443	7580	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-02 22:54:18 UTC	715	OUT	GET /nBXYTs4/wrong-details.jpg HTTP/1.1 Host: i.ibb.co Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-02 22:54:18 UTC	380	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Apr 2025 22:54:18 GMT Content-Type: image/jpeg Content-Length: 42786 Connection: close Last-Modified: Mon, 18 Dec 2023 06:24:29 GMT Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 Cache-Control: public Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, OPTIONS Accept-Ranges: bytes
2025-04-02 22:54:18 UTC	3716	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff e1 00 22 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 01 01 12 00 03 00 00 00 01 00 01 00 00 00 00 00 00 ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 02 12 04 5f 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 Data Ascii: JFIF``"ExifMM*CC_"
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: 44 50 cb b7 6e dd bf c5 5e e7 fb 67 7c 3e d6 fc 7f fb 32 dd e9 3a 0e 97 71 ab 6b 11 bd 94 a9 67 0b a2 bc 9e 5c a8 cc 14 bb 2a fd d0 df 79 b6 d0 06 cf c3 9f da a7 43 f1 f7 8c a2 f0 ec fa 57 89 bc 2f ae dc c1 f6 8b 3b 3d 7a c3 ec ad 7d 1a fd e6 89 83 32 3e dc fc ca 1b 72 ff 00 76 ba cd 17 e2 df 85 fc 51 e2 7b ad 0f 4d f1 37 87 f5 0d 66 cc 1f b4 58 db 6a 30 cb 75 6f 8e bb e3 56 2c bf 88 af 08 d7 7e 1f 78 db f6 8f f8 91 e1 ad 46 e7 c3 37 de 03 d2 fc 1b 61 76 b1 4b a8 5c 45 25 dd e5 d4 f0 79 6b b5 62 66 55 45 fb db 99 be f7 f0 d7 19 f0 ff 00 f6 78 f1 85 c4 3f 0d 7c 3a be 07 ff 00 84 56 fb c0 b7 ef 71 a8 f8 9c 4b 07 97 7c bb 1d 4b 44 c8 de 6b 34 8c ca cd bd 57 ee d0 07 d4 92 7c 6b f0 78 f1 45 c6 8a de 2c f0 df f6 d5 9a 33 cf a7 ff 00 6a 42 2e a0 55 19 66 78 b7 Data Ascii: DPn^g\|>2:qkg\*yCW/;=z}2>rvQ{M7fXj0uoV,~xF7avK\E%ykbfUEx?\|:VqK\|KDk4W\|kxE,3jB.Ufx
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: f0 b2 5f fe 81 97 5f f7 f5 2b c3 ff 00 62 cf f9 37 bb 1f fb 0b eb 5f fa 76 bc af 56 a2 5f 10 1b 5f f0 b2 5f fe 81 97 5f f7 f5 28 ff 00 85 92 ff 00 f4 0c ba ff 00 bf a9 58 b4 50 06 d7 fc 2c 97 ff 00 a0 65 d7 fd fd 4a 3f e1 64 bf fd 03 2e bf ef ea 56 2d 14 01 b5 ff 00 0b 25 ff 00 e8 19 75 ff 00 7f 52 8f f8 59 2f ff 00 40 cb af fb fa 95 8b 45 00 6d 7f c2 c9 7f fa 06 5d 7f df d4 a3 fe 16 4b ff 00 d0 32 eb fe fe a5 62 d1 40 1b 5f f0 b2 5f fe 81 97 5f f7 f5 28 ff 00 85 92 ff 00 f4 0c ba ff 00 bf a9 58 b4 50 06 d7 fc 2c 87 ff 00 a0 65 d7 fd fd 4a 3f e1 64 bf fd 03 2e bf ef ea 56 2d 14 01 b5 ff 00 0b 25 ff 00 e8 19 75 ff 00 7f 52 8f f8 59 2f ff 00 40 cb af fb fa 95 8b 45 00 6d 7f c2 c9 7f fa 06 5d 7f df d4 a3 fe 16 4b ff 00 d0 32 eb fe fe a5 62 d1 40 1b 5f f0 b2 Data Ascii: __+b7_vV____(XP,eJ?d.V-%uRY/@Em]K2b@___(XP,eJ?d.V-%uRY/@Em]K2b@_
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 40 05 14 51 47 d9 d4 02 8a 28 a0 02 8a 28 a0 02 8a 28 a0 02 8a 28 a3 de 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 00 a2 8a 28 f5 2b 97 de 0a 28 a2 82 7d 42 8a 28 a0 02 8a 28 a0 3d de 81 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 45 14 50 01 5b 5e 08 ff 00 90 b4 9f f5 c8 ff 00 35 ac Data Ascii: Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@QG((((((((((+(}B((=EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEP[^5
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: 6b f6 c2 bf 02 ff 00 e0 b1 fa a3 ea 5f f0 51 4f 88 1b bf e5 dd ed 60 53 9d df 76 d6 2f f3 ff 00 01 a3 23 b3 ad 79 74 37 f1 3a b7 26 5a a1 dd 9f 2f 8e 6b b4 fd 9d fc 20 be 3e fd a0 3c 0f a1 ba ee 8f 56 d7 ac ac dc 7f b2 f3 a2 b7 fe 3b ba b8 bc d7 b6 7f c1 38 f4 f5 d5 3f 6e cf 85 71 32 ef 5f f8 48 2d dd 87 de fb ac cd bb fe 03 b7 75 7d 4d 7d 29 36 7e 17 94 53 e7 c6 53 5f de 47 f4 49 6d 0a db db c7 1a ae c5 8d 55 54 7f c0 57 e5 a9 28 ff 00 96 7f e7 fb d4 57 e7 cf e2 e6 3f ae 28 d3 e5 82 51 0a fe 7a ff 00 e0 a9 7e 0a 1e 03 ff 00 82 80 fc 51 b3 8a 3f 2a 1b 8d 5b ed a0 0f bb fe 90 89 3b 7f e3 d2 b5 7f 42 95 f8 4f ff 00 05 ca d2 d7 4c ff 00 82 89 78 99 97 fe 5e b4 ed 3e 76 3b 76 fc df 67 45 ff 00 d9 6b d9 c8 a5 6a cd 1f 9a f8 a1 4e f9 7c 27 e6 7c 8c bf fb 2d 7d Data Ascii: k_QO`Sv/#yt7:&Z/k ><V;8?nq2_H-u}M})6~SS_GImUTW(W?(Qz~Q?*[;BOLx^>v;vgEkjN\|'\|-}
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: 87 94 2f 52 47 e5 de 27 67 10 aa e1 83 a4 ef cb b8 dd f5 f5 a7 fc 11 27 e1 bc 9e 3c ff 00 82 82 78 5e e7 ca 66 b7 f0 dd ad d6 ab 3b ff 00 0a ed 89 91 3f f2 23 ad 7c 93 5f ad 9f f0 6e ff 00 ec ef 37 87 fe 1e f8 bb e2 5d f5 bb 42 de 20 95 74 8d 35 dd 7f e5 8c 4d ba 57 5f f6 5a 4d aa df ee 35 7a 79 85 6e 4c 3b 3e 37 82 f2 f9 62 b3 3a 71 5f 67 53 ec af f8 28 07 fc 99 2f c5 5f fb 16 6f bf f4 43 57 f3 97 ff 00 2c ab fa 5e fd a2 3e 15 cd f1 c3 e0 3f 8b bc 1f 6f 79 1e 9f 37 89 b4 9b 8d 39 2e 64 46 91 61 69 51 94 33 2a b2 ee db bb 76 dd df c3 5f 99 ff 00 f1 0d df 89 bc bf f9 2a 1a 0f aa ff 00 c4 a2 5f fe 3b 5e 36 4f 8c a5 49 38 cd ee 7e 8d e2 07 0f e3 b1 f5 e9 cb 0b 4e ea 27 e6 8e 7f da a3 b7 fe 83 5f a5 7f f1 0d c7 89 bf e8 a8 68 3f f8 27 97 ff 00 8e d1 ff 00 10 Data Ascii: /RG'g'<x^f;?#\|_n7]B t5MW_ZM5zynL;>7b:q_gS(/_oCW,^>?oy79.dFaiQ3v__;^6OI8~N'_h?'
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: c5 f7 a8 03 eb 2a 2b 90 f8 3b e0 3d 5b e1 fe 87 71 6f aa 78 b3 50 f1 6f 9d 2e f8 2e 6e d1 56 48 d3 6a ae dd ca cd bb e6 f9 b7 7c bf 7a ba fa 00 28 a2 8a 00 2b ca 7f 68 8f da 52 4f d9 ff 00 c4 be 19 b7 b8 d1 7e dd a6 6b d7 1f 67 96 f7 ed 5e 5f d9 5b 72 ab 7c bb 5b 76 d5 65 6f bc b5 ea d5 e3 7f b7 67 c3 7f f8 58 9f b3 de a8 d0 c7 be f3 45 65 bf 80 85 dc df 2f ca ca bf dd f9 59 9b fe 03 40 1e c5 1d c2 c9 6e b2 2b 7e ed 97 72 bf f0 ed fb db ab c3 7e 07 fe db 16 3f 19 be 34 6a 9e 13 5d 25 6c 12 d5 65 6b 3b b3 79 e6 35 d6 c6 da df 26 c5 da cc bf 37 de 6f e2 aa fa 5f ed 00 26 fd 85 9b c5 12 4d ba fa 3d 25 ac 98 bb 7c cd 71 fe a9 bf e0 5b be 6f f8 0d 78 3c 7f 0f e6 fd 9b f4 bf 84 3f 10 02 f9 72 5e 4a cb a9 1d bf 36 d9 59 9b 9f e1 ff 00 57 2b 2f fc 06 80 3e d0 f8 Data Ascii: *+;=[qoxPo..nVHj\|z(+hRO~kg^_[r\|[veogXEe/Y@n+~r~?4j]%lek;y5&7o_&M=%\|q[ox<?r^J6YW+/>
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: df 37 f7 b7 3b 7f c0 56 bd 2b fe 0a 75 ff 00 26 e3 0f fd 86 6d ff 00 f4 09 6b df 34 bf 0f d9 68 9b fe c3 63 67 67 e6 7c cf e4 40 b1 ee ff 00 7b 6a ae ea 93 52 d2 ad 75 8b 7f 26 f2 d6 de ea 1d db b6 4c 8b 22 ee fe f6 d6 f9 68 02 2d 03 fe 45 fb 1f fa f6 4f fd 05 6b e4 ef 84 fe 33 8f f6 33 f8 ed e3 2d 37 c6 16 f7 96 fa 2f 88 2e 3e d1 65 aa 24 0d 24 5b 55 99 97 76 d5 6f bc ac bf ee b2 d7 d7 ca bb 57 6a ae d5 fb aa 05 57 d4 b4 7b 5d 62 15 8e f2 d2 de ee 3f bc a9 2c 4b 22 ff 00 df 2c b4 01 f2 9f ed 47 f1 d3 4f fd a9 7c 3f a7 f8 0f e1 fc 37 5a f5 e6 a5 78 93 dc 5d a4 0d 1c 16 a8 bb 97 e6 66 0b fd ed cc df 75 55 7f 8b 77 cb a7 ff 00 05 04 f0 c2 f8 37 f6 42 f0 ee 92 ad e6 2e 9b a8 d9 5b ef c7 de db 04 eb bb ff 00 1d af a5 74 bf 0f e9 fa 18 6f b0 d9 59 d9 ee f9 5b Data Ascii: 7;V+u&mk4hcgg\|@{jRu&L"h-EOk33-7/.>e$$[UvoWjW{]b?,K",GO\|?7Zx]fuUw7B.[toY[
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: 8b 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 a2 80 0a 28 Data Ascii: ((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
2025-04-02 22:54:18 UTC	4096	IN	Data Raw: ff 00 7f 7f fb 1a 00 86 8a 9b fb 13 50 ff 00 9f 58 7f ef ef ff 00 63 47 f6 26 a1 ff 00 3e b0 ff 00 df df fe c6 80 21 a2 a6 fe c4 d4 3f e7 d6 1f fb fb ff 00 d8 d1 fd 89 a8 7f cf ac 3f f7 f7 ff 00 b1 a0 08 68 a9 bf b1 35 0f f9 f5 87 fe fe ff 00 f6 34 7f 62 6a 1f f3 eb 0f fd fd ff 00 ec 68 02 1a 2a 6f ec 4d 43 fe 7d 61 ff 00 bf bf fd 8d 1f d8 9a 87 fc fa c3 ff 00 7f 7f fb 1a 00 86 8a 9b fb 13 50 ff 00 9f 58 7f ef ef ff 00 63 47 f6 26 a1 ff 00 3e b0 ff 00 df df fe c6 80 21 a2 a6 fe c4 d4 3f e7 d6 1f fb fb ff 00 d8 d1 fd 89 a8 7f cf ac 3f f7 f7 ff 00 b1 a0 08 68 a9 bf b1 35 0f f9 f5 87 fe fe ff 00 f6 34 7f 62 6a 1f f3 eb 0f fd fd ff 00 ec 68 02 1a 2a 6f ec 4d 43 fe 7d 61 ff 00 bf bf fd 8d 1f d8 9a 87 fc fa c3 ff 00 7f 7f fb 1a 00 86 8a 9b fb 13 50 ff 00 9f 58 Data Ascii: PXcG&>!??h54bjhoMC}aPXcG&>!??h54bjhoMC}aPX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49746	207.174.26.219	443	7580	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-02 22:54:19 UTC	604	OUT	GET /favicon.ico HTTP/1.1 Host: i.ibb.co Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://i.ibb.co/nBXYTs4/wrong-details.jpg Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-02 22:54:19 UTC	200	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 02 Apr 2025 22:54:19 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://simgbb.com/images/favicon.png
2025-04-02 22:54:19 UTC	162	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49748	172.67.131.251	443	7580	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-02 22:54:19 UTC	621	OUT	GET /images/favicon.png HTTP/1.1 Host: simgbb.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Sec-Fetch-Storage-Access: active Referer: https://i.ibb.co/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-02 22:54:19 UTC	896	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 22:54:19 GMT Content-Type: image/png Content-Length: 7235 Connection: close last-modified: Tue, 09 Apr 2024 09:36:03 GMT etag: "66150c03-1c43" Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 6742 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LAluWC3eeAE%2F9Rjg8X3eylp52UiKF9ki8xR8bTDRu%2F%2BlzwRa9CDrYZdtrhdBFozYAT3lXqCz7AN%2Bs25Zz6L%2FkOw6jCPE69YaTZlXjTu3GA8i4T%2FK0zuxymb98PFz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92a3e84dbf713448-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=97373&min_rtt=96182&rtt_var=22080&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2819&recv_bytes=1193&delivery_rate=37335&cwnd=246&unsent_bytes=0&cid=ebe061df00bcc6f2&ts=256&x=0"
2025-04-02 22:54:19 UTC	473	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 2c 00 00 01 2c 08 06 00 00 00 79 7d 8e 75 00 00 00 06 62 4b 47 44 00 ff 00 ff 00 ff a0 bd a7 93 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 07 74 49 4d 45 07 e0 03 0e 14 38 02 9f 51 6a ba 00 00 1b d0 49 44 41 54 78 da ed 9d 79 90 1c d5 7d c7 bf 3d 3d f7 cc ce ec cc 6a 4f 69 25 21 81 84 ae 95 38 c4 61 10 b2 65 97 71 41 ca b1 71 25 26 d8 15 db 40 e1 38 d8 71 8c 8b c4 f1 51 b1 71 95 e3 d8 40 ca 89 83 03 06 93 04 6c a4 10 a7 f0 6d 07 db 18 90 c5 61 8c 8e d5 b5 92 76 b5 42 48 ab dd d5 ce ce ce 7d f4 91 3f 84 5c 84 43 da 99 9d d7 af df cc f7 f3 17 45 c1 cc f4 7e fb 7d fa f5 3b 7e 4f 5b ba 79 d4 06 21 84 28 80 87 7f 02 42 08 85 45 08 21 14 16 21 84 c2 22 84 10 0a 8b 10 42 28 2c Data Ascii: PNGIHDR,,y}ubKGDpHYs+tIME8QjIDATxy}==jOi%!8aeqAq%&@8qQq@lmavBH}?\CE~};~O[y!(BE!!"B(,
2025-04-02 22:54:19 UTC	1369	IN	Data Raw: 08 21 14 16 21 84 c2 22 84 10 0a 8b 10 42 28 2c 42 48 4b e1 6d d6 0b 4b fa 35 6c e8 0d 61 fd bc 20 96 c6 bc 98 1f f1 22 e2 f5 40 d7 80 a2 69 e3 64 c9 c4 68 ce c0 ce a9 32 9e 1d 2f 61 77 ba ca bb 81 10 97 a3 2d dd 3c 6a 37 d3 05 ad 9f e7 c7 2d 2b e2 d8 d0 1d 84 57 9f 7d 07 f2 48 b6 8a 47 86 b3 f8 de a1 2c 0a 26 6f 0c 42 28 2c 81 2c 08 eb b8 e3 e2 24 ae ea 0d cf e9 73 a6 4b 06 ee 1a 4c 63 cb 48 0e 36 34 de 21 af a2 cd ab 21 6b d8 fc 43 30 0b 0a 6b 2e 5c db 1f c6 57 d6 27 11 f1 e9 0d fb cc ad 27 8a b8 ed 99 49 a4 2a ad 73 53 e8 b0 b1 20 e2 45 7f d4 8b 85 51 1f 16 45 5f f9 e7 57 fe dd 73 13 65 dc b2 75 92 b6 60 16 d2 50 7e 0c eb 2f 57 c4 70 db 40 a2 e1 9f 7b 65 4f 08 8f bd b3 17 1f 7e 72 02 23 59 a3 69 02 8f 7a 81 85 51 1f 16 46 bd e8 8f 78 b1 e8 f4 3f 47 bd Data Ascii: !!"B(,BHKmK5la "@idh2/aw-<j7-+W}HG,&oB(,,$sKLcH64!!kC0k.\W''I*sS EQE_Wseu`P~/Wp@{eO~r#YizQFx?G
2025-04-02 22:54:19 UTC	1369	IN	Data Raw: 80 07 38 4f 62 55 00 cb b2 38 c8 cb 2c 28 2c 32 3b 56 27 fc f0 e9 f2 22 19 ce 1a c8 9b cc 81 59 50 58 64 56 af 20 92 07 79 f9 44 67 16 14 16 99 2d b2 07 79 77 70 56 8a 59 50 58 64 d6 4f 75 d6 5d 62 16 cc 82 c2 52 81 a4 5f c3 fc a8 bc 41 de 92 61 61 7f 9a 8d 84 59 50 58 44 81 57 90 bd d3 95 57 b6 25 11 66 e1 5e bc fc 13 b0 91 00 73 ab 6a 19 d1 81 a8 cf 83 80 ae a1 64 da 28 18 16 f2 86 ad 6c 59 14 66 41 61 d5 cc cd cb db 10 f2 ca eb 00 3e 72 28 8b 93 0e 56 fe 1f 90 be aa 7a 76 af 20 f3 c3 3a 2e ef 0e e2 82 8e 00 56 25 fc 58 18 f1 22 16 78 fd 7e 3b d3 b2 30 56 30 71 38 5b c5 48 d6 c0 73 13 25 3c 33 5e 42 d6 70 ff e9 c5 cc 82 c2 aa 89 b8 4f c3 67 d6 25 a5 7d bf 69 59 b8 df a1 e3 bc 00 00 b6 8d 01 c9 55 01 ce b4 0d 64 41 58 c7 75 e7 44 71 f5 82 10 96 b7 cf ae Data Ascii: 8ObU8,(,2;V'"YPXdV yDg-ywpVYPXdOu]bR_AaaYPXDWW%f^sjd(lYfAa>r(Vzv :.V%X"x~;0V0q8[Hs%<3^BpOg%}iYUdAXuDq
2025-04-02 22:54:19 UTC	1369	IN	Data Raw: 4d c3 8b 27 c5 7d cf 82 06 35 12 66 e1 9e 2c 94 10 96 57 b3 a5 2e da 03 9c df 92 d3 2a 67 2e 8a 1c 9b e9 0e e9 cc a2 c9 b2 50 42 58 2b da fd 52 17 ed 9d 2c 1a 38 ee 60 49 e4 7e c9 67 2e 9e 28 54 1d db b0 7a 48 e0 44 46 23 26 69 98 85 7b b2 50 46 58 d2 2b 34 b4 58 49 e4 9d 0e 2e 90 1d 16 d8 48 12 0d 38 0d 81 59 b8 27 0b 75 84 95 6c ad 05 a3 b2 c7 eb b6 3b 38 5e 77 a2 28 6e a0 37 de 10 61 31 0b b7 64 a1 50 0f 4b ee 4d e3 78 0d ac 26 5e 55 fd 5a 52 65 0b 96 25 e6 95 a7 cd e7 61 16 4d 94 85 12 c2 8a 7a 35 2c 8e ca 2d c7 e5 e4 80 bb 0e 5b ca 66 d1 d3 18 a6 e5 e8 a9 40 36 34 a4 2b 62 1a 89 5f d7 98 45 93 64 a1 8c b0 06 92 7e 78 3c f2 3a 78 a3 d9 0a 32 55 e7 ca 63 ac 68 f7 23 28 71 82 e1 60 a6 0a a7 0b 44 4e 0b 2a 81 31 d7 87 3a b3 70 4f 16 ca 08 4b fe eb 20 07 Data Ascii: M'}5f,W.g.PBX+R,8`I~g.(TzHDF#&i{PFX+4XI.H8Y'ul;8^w(n7a1dPKMx&^UZRe%aMz5,-[f@64+b_Ed~x<:x2Uch#(q`DN1:pOK
2025-04-02 22:54:19 UTC	1369	IN	Data Raw: 65 49 79 0d f9 e0 79 e2 9e e8 bf 3a 56 40 a6 ce 4d a0 cc c2 3d 59 28 21 ac a4 5f 43 6f 44 de a0 a7 69 59 18 74 f0 29 f7 af 6f 99 87 3e 89 d7 7b 38 eb 6c 45 55 e0 d4 f6 8f 6b fa c5 cd 48 3d 5a e7 2b 48 47 40 63 16 2e c9 42 19 61 ad 92 bc 1d 67 24 6b 20 ef d0 24 8d 0e 1b 57 0b bc 59 dc fa 0a 72 fd d2 a8 b0 5d 0c c7 f3 55 fc 76 bc be 0d b6 6b 92 01 66 e1 92 2c 94 11 d6 8a 84 ec d7 41 e7 6e 9a 0d 02 a7 91 67 8b d3 55 2d 83 1e e0 c6 e5 31 61 9f bf 79 38 07 bb ce 23 a4 64 0b 8b 59 a8 d8 c3 6a 97 bc 68 cf c1 19 c2 3f 5a 18 91 1e a4 d3 63 26 1f 38 b7 0d 1d 82 8a 32 e6 ab 26 1e 3e 94 ad fb ff 5f 29 f1 48 7a 66 a1 a8 b0 ce 8b 4b de 43 e8 50 b7 3c e9 d7 70 f5 7c b9 3d ac 92 61 61 28 ed ec 11 66 1f 5d 21 ee 89 fe e8 48 7e 4e 03 bc e7 48 3c 4e 8e 59 28 28 2c 0d 36 16 Data Ascii: eIyy:V@M=Y(!_CoDiYt)o>{8lEUkH=Z+HG@c.Bag$k $WYr]Uvkf,AngU-1ay8#dYjh?Zc&82&>_)HzfKCP<p\|=aa(f]!H~NH<NY((,6
2025-04-02 22:54:19 UTC	1286	IN	Data Raw: 89 bf d8 3a 89 f4 6b aa 42 6c 19 c9 b1 55 bc 8a 9f 1d cd e3 93 db 26 a5 1c 11 c5 2c dc 93 85 12 c2 7a 6a ac 08 cb b2 9a 2e f8 b2 61 e1 63 bf 9d c4 de f4 eb 5f 79 9f 99 28 63 28 5d 66 eb 00 f0 d8 68 0e 7f b5 6d d2 d1 03 19 98 85 3b b3 50 42 58 93 65 0b db 26 9a eb 86 31 2d 0b b7 3f 7f 12 cf 9c e1 ba ee dd 97 69 f9 06 b2 65 38 8b db 9f 3b 29 fd 69 ce 2c dc 93 85 eb 85 05 00 9b 87 b3 4d 13 bc 69 59 f8 fc 0b a9 b3 ce ae fc f0 48 1e 3b a7 5a 73 96 ca b4 2c dc b5 2b 85 cf bd 90 72 45 03 61 16 ee c9 42 09 61 3d fe 72 01 47 b2 ea cf 16 56 4c 0b b7 3d 3b 85 47 0f e7 cf fe 1f 6b 1a ee 78 31 05 b3 09 5f 87 cf 44 a6 62 e2 a3 5b 27 f1 ad 7d 2e 7a 48 31 8b a6 bb 36 a1 c2 32 a1 e1 ee c1 b4 d2 7f a0 62 f5 d4 00 fb 4f 8e ce 7e bf d5 ce 54 15 f7 ec 6d 9d d7 91 91 4c 05 ef Data Ascii: :kBlU&,zj.ac_y(c(]fhm;PBXe&1-?ie8;)i,MiYH;Zs,+rEaBa=rGVL=;Gkx1_Db['}.zH162bO~TmL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49749	172.67.131.251	443	7580	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-02 22:54:20 UTC	392	OUT	GET /images/favicon.png HTTP/1.1 Host: simgbb.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-04-02 22:54:20 UTC	359	IN	HTTP/1.1 200 OK Date: Wed, 02 Apr 2025 22:54:20 GMT Content-Type: image/png Content-Length: 7235 Connection: close Server: cloudflare Accept-Ranges: bytes Last-Modified: Tue, 09 Apr 2024 09:36:03 GMT Etag: "66150c03-1c43" Cache-Control: max-age=31536000 Cf-Cache-Status: HIT Age: 6743 CF-RAY: 92a3e8513e10440b-EWR alt-svc: h3=":443"; ma=86400
2025-04-02 22:54:20 UTC	1010	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 2c 00 00 01 2c 08 06 00 00 00 79 7d 8e 75 00 00 00 06 62 4b 47 44 00 ff 00 ff 00 ff a0 bd a7 93 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 07 74 49 4d 45 07 e0 03 0e 14 38 02 9f 51 6a ba 00 00 1b d0 49 44 41 54 78 da ed 9d 79 90 1c d5 7d c7 bf 3d 3d f7 cc ce ec cc 6a 4f 69 25 21 81 84 ae 95 38 c4 61 10 b2 65 97 71 41 ca b1 71 25 26 d8 15 db 40 e1 38 d8 71 8c 8b c4 f1 51 b1 71 95 e3 d8 40 ca 89 83 03 06 93 04 6c a4 10 a7 f0 6d 07 db 18 90 c5 61 8c 8e d5 b5 92 76 b5 42 48 ab dd d5 ce ce ce 7d f4 91 3f 84 5c 84 43 da 99 9d d7 af df cc f7 f3 17 45 c1 cc f4 7e fb 7d fa f5 3b 7e 4f 5b ba 79 d4 06 21 84 28 80 87 7f 02 42 08 85 45 08 21 14 16 21 84 c2 22 84 10 0a 8b 10 42 28 2c Data Ascii: PNGIHDR,,y}ubKGDpHYs+tIME8QjIDATxy}==jOi%!8aeqAq%&@8qQq@lmavBH}?\CE~};~O[y!(BE!!"B(,
2025-04-02 22:54:20 UTC	1369	IN	Data Raw: c3 fb 97 44 e1 d5 9c 1d 3f 88 e8 c0 92 36 79 c3 8d 65 c3 c2 3e 6e 5d 62 16 14 56 6d 5c bb 30 22 fd 37 b4 07 74 5c d9 13 72 f4 3b 07 3a 02 d0 3d f2 a2 da 3f 53 01 c7 db 99 05 85 55 23 6f e9 0e ba e2 77 5c e1 f0 ef 18 48 ca ed 55 ee 9a e2 80 3b b3 a0 b0 6a a2 33 e0 41 5f c4 e7 8a df 72 81 c3 63 18 b2 07 79 b9 c2 9d 59 50 58 35 b2 b8 cd eb a2 df e2 ac 38 07 92 1c e4 75 4f 0f 8b 59 50 58 b3 a0 2b e4 1e 61 b5 07 74 f8 1c 5a dd d0 13 f4 a0 3b 2c ef da 67 ca 26 46 9b 68 2f 25 b3 a0 b0 1c 21 ec d5 5a f2 f7 c8 9e 42 df 95 2a 03 1a cb ec 30 0b 0a ab 26 4c bb 35 7f 8f f4 45 8a 5c e1 ce 2c 28 ac da c9 57 2d d7 fc 16 cb b2 50 30 9c f9 3d 03 1d 72 67 a5 38 7e c5 2c 28 ac 3a 18 2b b8 e7 dd 7d bc 68 c2 72 60 13 b4 06 1b ab 13 72 1b c9 4e 36 12 66 41 61 d5 ce 48 b6 0a cb Data Ascii: D?6ye>n]bVm\0"7t\r;:=?SU#ow\HU;j3A_rcyYPX58uOYPX+atZ;,g&Fh/%!ZB*0&L5E\,(W-P0=rg8~,(:+}hr`rN6fAaH
2025-04-02 22:54:20 UTC	1369	IN	Data Raw: 49 a9 0d e4 34 97 76 85 f0 e0 c6 6e 84 25 0d 21 31 0b f7 64 a1 8c b0 64 77 c9 f7 a6 ab 8e 1d 47 0f 00 ab 12 7e f8 75 ae df 3d cd c5 9d 41 7c eb ca 2e 68 70 7e f4 97 59 b8 27 0b 65 84 25 fd 75 d0 f1 f1 2b 3f 5b c6 6b b8 a2 27 84 db 07 12 12 1e 96 cc c2 2d 59 b0 87 35 4b 9c de 74 2a fb 7a dd ca 2d 2b e2 d8 d8 13 64 16 2d 9a 85 12 c2 f2 c0 c6 ca 76 b9 63 08 4e 0f b8 af 4d b2 91 bc 19 5f bc 28 09 bf 87 59 b4 62 16 4a 08 6b 59 dc 87 b0 4f de 28 5f ea 8d 16 ed 09 a4 dd a7 61 61 9b 8f ad e1 4d e8 8f fa 70 eb ca 38 b3 68 b1 2c 94 11 96 ec 29 e5 c1 14 5f 07 dd c6 8d cb da 90 f0 6b cc a2 85 b2 50 46 58 b2 cf 81 73 fa 94 92 75 6c 24 67 25 e4 d3 f1 e1 65 31 66 d1 42 59 28 23 2c e9 c7 2a 4d 71 86 d0 8d 7c f0 dc 36 e1 eb 81 98 85 7b b2 38 13 ae 59 e9 1e f4 00 4b 25 8f Data Ascii: I4vn%!1ddwG~u=A\|.hp~Y'e%u+?[k'-Y5Ktz-+d-vcNM_(YbJkYO(_aaMp8h,)_kPFXsul$g%e1fBY(#,Mq\|6{8YK%
2025-04-02 22:54:20 UTC	1369	IN	Data Raw: 05 a3 2d 56 12 59 d2 20 6f 87 c0 3a 49 93 45 93 59 28 9e 85 32 c2 1a 68 b1 a7 dc da 16 a8 1b fe 86 8d 24 28 b0 91 d4 db c3 62 16 ec 61 d5 82 df 03 2c 8b fb a4 de 34 4e 0e b8 7b 60 63 55 bb bc eb 75 7a 81 ec ab 11 59 eb bb 9e a7 3a b3 60 0f ab 66 56 27 fc f0 e9 f2 16 ed 4d 14 0c 9c 70 70 9b fc f2 b8 0f 21 9f bc 09 86 a1 99 2a 2a 96 9c ef 5e 2c 70 35 f9 44 1d 4f 75 66 e1 9e 2c 94 11 96 f4 0a 0d a9 d6 7a 1d dc 2e 69 90 17 00 16 45 c5 f4 66 0c d3 c2 c9 3a 1a 09 b3 70 4f 16 ea 08 ab e5 2a 34 b4 d6 8a fe ff df 48 c4 3c d5 8f e6 8d ba 0e 1f 65 16 ee c9 42 19 61 c9 ae d0 b0 b3 d5 2a 34 48 6c 24 cb 05 8d 55 d6 7b 02 0c b3 70 4f 16 4a 08 ab dd a7 61 61 9b bc 41 4f cb b2 1c 3d 25 27 a2 03 4b 63 f2 16 29 ce 94 4d 8c 66 0d 29 df dd 17 d6 91 10 74 84 56 3d 8d 84 59 b8 Data Ascii: -VY o:IEY(2h$(ba,4N{`cUuzY:`fV'Mpp!*^,p5DOuf,z.iEf:pO4H<eBa*4Hl$U{pOJaaAO=%'Kc)Mf)tV=Y
2025-04-02 22:54:20 UTC	1369	IN	Data Raw: d8 ab 31 0b 97 64 a1 8c b0 12 01 b9 c2 ca 09 9c 86 5d 97 f4 e3 b6 35 ed ae 0a 51 f4 df 7b 43 77 00 1f 12 b8 4f 2d 53 31 f1 cd 3d e9 86 7c 56 40 d7 98 85 4b b2 50 46 58 21 c9 37 8d 69 8b 11 56 7f 58 c7 bd 1b 3a 5d f3 2a 78 9a d5 02 37 fa f6 04 3d b8 f3 b2 79 f0 08 ac 6b f6 ed fd 33 98 ae 34 26 b3 80 47 63 16 2e c9 42 19 61 05 25 0b ab dd df f8 cb 8a fb 34 3c b0 b1 4b d8 8a e2 b9 70 51 87 1f 3e 01 7f f2 a0 07 b8 77 83 d8 6b 3e 96 ab e2 3b 43 8d 5b 49 6d d8 cc c2 2d 59 28 23 2c bf 64 61 9d df e0 6d 41 71 9f 86 07 37 76 09 1d 37 98 53 8f d6 a7 e3 ba 73 1a bb 3d c8 ab d9 b8 e7 ca 4e ac 12 bc 2f ef 0b bf 4f a1 91 45 61 4b a6 c5 2c 5c 92 85 32 c2 32 2c b9 8f b9 2b ba 83 f0 37 c8 99 0b c2 3a 1e d9 d4 83 81 8e a0 ab 83 bc 75 65 1c 8d 9a 9c f5 7b 80 7b ae e8 c2 55 Data Ascii: 1d]5Q{CwO-S1=\|V@KPFX!7iVX:]*x7=yk34&Gc.Ba%4<KpQ>wk>;C[Im-Y(#,damAq7v7Ss=N/OEaK,\22,+7:ue{{U
2025-04-02 22:54:20 UTC	749	IN	Data Raw: 79 dc 8b 6f be a5 13 e7 48 3e 85 26 5f 35 f1 1f 07 b2 b8 6f 7f 06 39 87 ce 87 ba a6 3f 84 2f 5d 98 44 c2 85 c7 85 bd 96 67 c6 8b b8 6f df 0c 9e 1e 6f ce d7 0d 66 41 61 cd 9a a0 07 f8 ec 05 09 5c bf 24 2a f4 60 c8 37 62 bc 60 e0 bf 46 72 78 e8 60 06 29 09 b5 ac 13 7e 0d 1f 5f d5 8e eb 97 44 11 70 59 29 e6 92 61 e1 7f 5f 2e e0 3b 43 19 ec 4e 37 7f c5 0d 66 41 61 d5 c4 ea 84 0f 5f b8 20 29 bc d8 fe e9 32 c9 5b 46 72 78 fc e5 82 2b f6 55 cd 0f eb b8 69 79 0c ef 59 14 41 4c e2 0c 6a c9 38 f5 b7 f9 c5 cb 05 fc ec 68 1e 39 a3 f5 1a 02 b3 a0 b0 6a e2 92 ce 00 6e 5c de 86 8d 3d 21 f8 f4 c6 3c e9 d2 65 13 bf 3d 51 c4 2f 8f 17 f1 c4 f1 a2 63 af 7d f5 f4 36 af 59 18 c1 d5 0b c2 b8 bc 2b 20 bc 1e 79 c9 b0 b0 37 5d c1 0b 93 65 3c 37 51 c2 73 13 25 94 2c 36 06 66 41 61 Data Ascii: yoH>&_5o9?/]DgoofAa\$*`7b`Frx`)~_DpY)a_.;CN7fAa_ )2[Frx+UiyYALj8h9jn\=!<e=Q/c}6Y+ y7]e<7Qs%,6fAa

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	18:53:50
Start date:	02/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	18:53:50
Start date:	02/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2056,i,7512422396215173747,8855882059684338427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2096 /prefetch:3
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	18:53:56
Start date:	02/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Payment copy.HTML"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Source: Payment copy.HTML	HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML	HTTP Parser: No favicon
Source: https://i.ibb.co/nBXYTs4/wrong-details.jpg	HTTP Parser: No favicon

Source: global traffic	HTTP traffic detected: GET /nBXYTs4/wrong-details.jpg HTTP/1.1Host: i.ibb.coConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: i.ibb.coConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://i.ibb.co/nBXYTs4/wrong-details.jpgAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/favicon.png HTTP/1.1Host: simgbb.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://i.ibb.co/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/favicon.png HTTP/1.1Host: simgbb.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: thynkfinance.co.za
Source: global traffic	DNS traffic detected: DNS query: i.ibb.co
Source: global traffic	DNS traffic detected: DNS query: simgbb.com

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: Payment copy.HTML	HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML	HTTP Parser: Number of links: 0

Source: Payment copy.HTML	HTTP Parser: Title: REMITTANCE does not match URL
Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML	HTTP Parser: Title: REMITTANCE does not match URL

Source: Payment copy.HTML	HTTP Parser: Form action: https://thynkfinance.co.za/admin/save/mer.php
Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML	HTTP Parser: Form action: https://thynkfinance.co.za/admin/save/mer.php

Source: Payment copy.HTML	HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML	HTTP Parser: <input type="password" .../> found

Source: Payment copy.HTML	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML	HTTP Parser: No <meta name="author".. found

Source: Payment copy.HTML	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/Payment%20copy.HTML	HTTP Parser: No <meta name="copyright".. found

Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.41.3
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 104.70.121.145
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.148
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.148
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment copy.HTML

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 57

Chrome Cache Entry: 58

Chrome Cache Entry: 59

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 7396, Parent PID: 5280

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Windows Analysis Report
Payment copy.HTML