Edit tour

Windows Analysis Report
e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip

Overview

General Information

Sample name:	e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip
Analysis ID:	1432146
MD5:	f0f4138e3cbbde2f7c9b32ca21ff351c
SHA1:	37a008e987e1999edc1a2e3205844cc4ca362d12
SHA256:	4b8a0adbeedb6dc41a94d78b55dc2e0db85b53725aa60a44bcfeaf698b5c8b5d
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Found suspicious QR code URL

Allocates memory with a write watch (potentially for evading sandboxes)

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

unarchiver.exe (PID: 6844 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 7036 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nmeqw10e.03i" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7152 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7540 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1960,i,12582273665155075133,2497263848660553741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7184 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,15587171962087274700,4709450360019695002,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Found suspicious QR code URL

Source: QR Code extractor	URL: http://
Source: QR Code extractor	URL: http://

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.85
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.85
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGIXfrrEGIjAZuMafgKHf7uR1JXgpqjpK6Z2b7SObhQkaGFX3CtQIhkDC1Mq1y2n6uvliGb60JvkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-13; NID=513=dMNnTzt-DddYQCxBpQodMR6PgEEKqclSrWQ7imdCb6OL1RPcQJy-XdPIAKFxHujPXvDsD2gJht2loNQcu0ncgnNsz4kUquCZpD-VdS4x0xgtsu9xdqKtAmPtVwOsZq28vL2INTpCgaM7anbX-PMFnL9TSqKBy7-fT4EcTctQi4Y
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGIXfrrEGIjAdKFZA6B8LUpBZRiNhr8FJpy1yvW5vqYo1ClOK6dWNHDtcaSKK-xlwd9CyEsnqRasyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-13; NID=513=CqrBFwJtEU5vGegZ5BwjS3ty7Wbut5H01-ucOBxdsz0bIpJvA2ZupvoVreBonI4KwAUhYprf0ellFbBWmHPHJmJ1nua6Fb5VXWfvC6f1_VdHGKvzbTgzjlAbcb6mjNDtZLiaHNz9bTj5E6cTXu5OlMxlTWkzY3FZAWJEbwzh9e0
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FuUZcZ+yhgEgN+o&MD=K+OVTngD HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FuUZcZ+yhgEgN+o&MD=K+OVTngD HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: classification engine

Classification label: sus23.phis.winZIP@24/3@4/7

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nmeqw10e.03i" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1960,i,12582273665155075133,2497263848660553741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,15587171962087274700,4709450360019695002,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nmeqw10e.03i" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1960,i,12582273665155075133,2497263848660553741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,15587171962087274700,4709450360019695002,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 4C80000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 1859			Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Window / User API: threadDelayed 8105			Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5968	Thread sleep count: 1859 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5968	Thread sleep time: -929500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5968	Thread sleep count: 8105 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 5968	Thread sleep time: -4052500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 0_2_00F0B1D6 GetSystemInfo,

0_2_00F0B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nmeqw10e.03i" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip"

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.217.196	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://www.google.com/async/ddljson?async=ntp:2	false	high
https://www.google.com/async/newtab_promos	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGIXfrrEGIjAdKFZA6B8LUpBZRiNhr8FJpy1yvW5vqYo1ClOK6dWNHDtcaSKK-xlwd9CyEsnqRasyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGIXfrrEGIjAZuMafgKHf7uR1JXgpqjpK6Z2b7SObhQkaGFX3CtQIhkDC1Mq1y2n6uvliGb60JvkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.217.196	www.google.com	United States	15169	GOOGLEUS	false
142.250.64.196	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.7
192.168.2.4
192.168.2.6
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432146
Start date and time:	2024-04-26 15:42:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip
Detection:	SUS
Classification:	sus23.phis.winZIP@24/3@4/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .zip Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.217.195, 142.250.189.142, 173.194.216.84, 34.104.35.123, 199.232.214.172, 192.229.211.108, 172.217.3.67, 192.178.50.78
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:44:08	API Interceptor	3343876x Sleep call for process: unarchiver.exe modified

QR Codes

Source	URL
Screenshot	http://
Screenshot	http://

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	http://svif-venezuela.com/	Get hash	malicious	Unknown	Browse
	http://www.alserhgroup.com/	Get hash	malicious	Unknown	Browse
	Packing List PDF.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	https://click.pstmrk.it/3s/t.co%2FRieqFTtqmt/gMTC/7_W0AQ/AQ/880c85de-cc11-4181-9f68-0f08d9f1e222/1/rCUNy3Yffz	Get hash	malicious	HTMLPhisher	Browse
	ePI4igo4y1.exe	Get hash	malicious	AsyncRAT	Browse
	POattach.html	Get hash	malicious	HTMLPhisher	Browse
	http://www.ensp.fiocruz.br/portal-ensp/entrevista/counter.php?content=http://owens-minor.com&contentid=32190&link=https://nabbeton.com/!	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://click.pstmrk.it/3s/t.co%2FRieqFTtqmt/gMTC/7_W0AQ/AQ/880c85de-cc11-4181-9f68-0f08d9f1e222/1/rCUNy3Yffz	Get hash	malicious	HTMLPhisher	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Packing List PDF.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.204.76.112 20.114.59.183
	ePI4igo4y1.exe	Get hash	malicious	AsyncRAT	Browse	23.204.76.112 20.114.59.183
	POattach.html	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183
	http://www.ensp.fiocruz.br/portal-ensp/entrevista/counter.php?content=http://owens-minor.com&contentid=32190&link=https://nabbeton.com/!	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	https://click.pstmrk.it/3s/t.co%2FRieqFTtqmt/gMTC/7_W0AQ/AQ/880c85de-cc11-4181-9f68-0f08d9f1e222/1/rCUNy3Yffz	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183
	https://exploredrinks.com	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	23.204.76.112 20.114.59.183
	https://survey.zohopublic.eu/zs/GzDXvp	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3865
Entropy (8bit):	5.014429614485222
Encrypted:	false
SSDEEP:	48:ll1gGoGboGoGpCG07GoGpH6GoGB7GSGoGbmGU6GQGB7GSGcGoGoGmHoGoGBGoGYn:ll5wimcYi5CpV6
MD5:	97E5B86C52AED7D6918B2DB8DA76189E
SHA1:	075EE6E644DC53E9518452D15EDA1C667797DF2B
SHA-256:	7AC63F0818E899FB4F91A73342F4EE5A51E99C6F8714A6A1F4A7BE55B891661A
SHA-512:	265C7D3AE90FAA4651DAA4C2CFD438218CFC27A435B590F2236DF8FFB5FC1D115831F767A7A8962314B710247C014EAB08DD430459B9E027C958AE9EAAACBE6A
Malicious:	false
Reputation:	low
Preview:	04/26/2024 3:43 PM: Unpack: C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip..04/26/2024 3:43 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\nmeqw10e.03i..04/26/2024 3:43 PM: Received from standard out: ..04/26/2024 3:43 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..04/26/2024 3:43 PM: Received from standard out: ..04/26/2024 3:43 PM: Received from standard out: Scanning the drive for archives:..04/26/2024 3:43 PM: Received from standard out: 1 file, 22522 bytes (22 KiB)..04/26/2024 3:43 PM: Received from standard out: ..04/26/2024 3:43 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip..04/26/2024 3:43 PM: Received from standard out: ..04/26/2024 3:43 PM: Received from standard out: WARNINGS:..04/26/2024 3:43 PM: Received from standard out: Headers Error..04/26/2024 3:43 PM: Received from standar

Chrome Cache Entry: 56

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (7423)
Category:	downloaded
Size (bytes):	7428
Entropy (8bit):	5.759436945131515
Encrypted:	false
SSDEEP:	192:NgH66668b/umJvTNH6666nWylkR0tK0Gc89Sc:NgH66668D1RTNH6666nWyl+0tKhd4c
MD5:	34F0300B2D866E7D12909D45D3BC7535
SHA1:	617B6A4ED68E645E18E98FD4099972282F9C42A0
SHA-256:	3B1A0367F9D09D0EB50495CB8B1E75588080EC78E167F57BDF98B9416C4265ED
SHA-512:	874CE53A8F810B94393FCB5D7F757E4E1993DC2744FD583FB00394EC31E3C132F7272D2992DF20F77EF4B156CD97F8A7DA97087E24E9E398FB1A92B6F59DF3F6
Malicious:	false
Reputation:	low
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["challengers movies","nasa mars spiders","usc student protests","frank csorba death","lego milky way galaxy","express stores closing list","south carolina cicadas","nicholas chavez general hospital"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"google:entityinfo":"Cg0vZy8xMXEzeWJ3M2tqEhlDaGFsbGVuZ2VycyDigJQgMjAyNCBmaWxtMv8QZGF0YTppbWFnZS9qcGVnO2Jhc2U2NCwvOWovNEFBUVNrWkpSZ0FCQVFBQUFRQUJBQUQvMndDRUFBa0dCd2dIQmdrSUJ3Z0tDZ2tMRFJZUERRd01EUnNVRlJBV0lCMGlJaUFkSHg4a0tEUXNKQ1l4Sng4ZkxUMHRNVFUzT2pvNkl5cy9SRDg0UXpRNU9qY0JDZ29LRFF3TkdnOFBHamNsSHlVM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOLy9BQUJFSUFFQUFRQU1CSWdBQ0VRRURFUUgveEFBYUFBQUNBd0VCQUFBQUFBQUFBQUFBQUFBRkJnSURCQWNCLzhRQU5SQUFBZ0VEQWdRREJRY0VBd0FBQUFBQUFRSURCQVVSQUNFR0VqRkJFeUpoVVhHQm9kRVVGU015VXBHeGNzSFM0UWNXa3YvRUFCZ0JBQU1CQVFBQUFBQUFBQUFBQUFBQUFBRURCQUlBLzhRQUl4RUFB

Static File Info

General

File type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Entropy (8bit):	7.987380504978631
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip
File size:	22'522 bytes
MD5:	f0f4138e3cbbde2f7c9b32ca21ff351c
SHA1:	37a008e987e1999edc1a2e3205844cc4ca362d12
SHA256:	4b8a0adbeedb6dc41a94d78b55dc2e0db85b53725aa60a44bcfeaf698b5c8b5d
SHA512:	8fda050be8ff86f2aa890a610e49ba546f941cf8a026c6f9f418fa391c491b72102523376ece22ed02bac824f6aef51777439dd0b69f1044e64532d7b7b3cd4c
SSDEEP:	384:Nr07oJtSpLYrlO7Ejq2uEkMRswLeb/pO4dGu4AinpGmhAEkIARGHESIXqst:N4cDS5IIl2vRtL2s4j7mh5ARG3gqY
TLSH:	B6A2F1E0E2064D9DCF5AEB321A08156BEF0CFC3BF1E9B19518277C4E0AD5D2B5A4131A
File Content Preview:	PK..-..............U.. ...`...C/ProgramData/Sentinel/AFUCache/e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7....................h.!m.+.@..^=....o=FZF.o.f_....?...........s.#.j....&}.....q.H...Y..T.n0<...60F..U....mZ&...=..sP.....(~t9....

File Icon


Icon Hash:	90cececece8e8eb0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 15:43:18.815629005 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 15:43:28.424992085 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 15:43:32.928033113 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928090096 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:32.928160906 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928297043 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928343058 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:32.928412914 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928451061 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928469896 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:32.928517103 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928582907 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928616047 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:32.928658962 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928824902 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928867102 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:32.928972006 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.928998947 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:32.929167032 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.929182053 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:32.929344893 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:32.929367065 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.259202003 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.259251118 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.259524107 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.259572029 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.259691000 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.259718895 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.260870934 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.260879993 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.260946989 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.261116982 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.261877060 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.261945963 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.262237072 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.262310028 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.262357950 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.262375116 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.262430906 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.262453079 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.318353891 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.318856001 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.318896055 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.320369959 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.320522070 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.320751905 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.320835114 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.320970058 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.320979118 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.322638988 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.322871923 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.322884083 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.326436996 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.326499939 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.326867104 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.326965094 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.327040911 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.439145088 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.439155102 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.439220905 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.470386028 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.470403910 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.579349995 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.619573116 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.619610071 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.619702101 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.619746923 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.621536016 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.621567011 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.621639013 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.621840954 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.621850967 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.625746965 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.625808954 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.625920057 CEST	49733	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.625951052 CEST	443	49733	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.635643005 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.635699987 CEST	443	49734	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.635829926 CEST	49734	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.987333059 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.987404108 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.987555027 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.987735033 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.987884045 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.988209963 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.988229990 CEST	443	49735	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.988240004 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.988555908 CEST	49735	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.990201950 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.990262032 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:33.990340948 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.990590096 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:33.990617037 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.014029980 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.014250040 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.014261007 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.014714003 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.015149117 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.015227079 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.015321970 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.056127071 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.131469965 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.131546021 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.131939888 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.132142067 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.132142067 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.132158995 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.132172108 CEST	443	49736	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.132220984 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.132220984 CEST	49736	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.135094881 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.135128975 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.135289907 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.135554075 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.135571003 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.378578901 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.378840923 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.378901005 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.379386902 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.379715919 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.379802942 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.379885912 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.420130014 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.461266994 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.461334944 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.461380005 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.461388111 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.461402893 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.461596966 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.473798990 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.473855019 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.486696959 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.486749887 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.486757994 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.490459919 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.492149115 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.492230892 CEST	49739	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.492248058 CEST	443	49739	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.529632092 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.529920101 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.529953003 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.530416965 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.530714989 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.530800104 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.530838966 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.572153091 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.579876900 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.579901934 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.768074989 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.768157959 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.768213987 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.768229961 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.768244982 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.768294096 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.768317938 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.768348932 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.768903017 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.770386934 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.770386934 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.770422935 CEST	443	49740	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.772896051 CEST	49740	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.918865919 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.918987989 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.919080973 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:34.919131994 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.919301033 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:34.920881033 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:36.100239038 CEST	49741	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:43:36.100281000 CEST	443	49741	142.250.217.196	192.168.2.4
Apr 26, 2024 15:43:41.993443966 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:41.993509054 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:41.993607998 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.000386000 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.000425100 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.163685083 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:42.163713932 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:42.163789988 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:42.165584087 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:42.165596008 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:42.267473936 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.267641068 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.271641970 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.271666050 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.272074938 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.329183102 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.376112938 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.532839060 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.533071041 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.533076048 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.533129930 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.533164024 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.533164024 CEST	49744	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.533200979 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.533226013 CEST	443	49744	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.569025993 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.569065094 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.569148064 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.569394112 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.569406986 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.781424046 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:42.781562090 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:42.784408092 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:42.784415960 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:42.784936905 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:42.831180096 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.831254959 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.839876890 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.839895964 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.840673923 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.843214035 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:42.888128996 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:42.992124081 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:42.992181063 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:43.077651978 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:43.077923059 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:43.077976942 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:43.078880072 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:43.078897953 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:43.078907967 CEST	49746	443	192.168.2.4	23.204.76.112
Apr 26, 2024 15:43:43.078915119 CEST	443	49746	23.204.76.112	192.168.2.4
Apr 26, 2024 15:43:43.283281088 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:43.324131012 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:43.686239958 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:43.686265945 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:43.686280012 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:43.686420918 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:43.686439991 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:43.686564922 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:43.994261980 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:43.994261980 CEST	49745	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:43:43.994283915 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:43:43.994293928 CEST	443	49745	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:22.611332893 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:22.611413956 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:22.611490965 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:22.611907005 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:22.611938953 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.254911900 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.255033970 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.260176897 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.260209084 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.260443926 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.272751093 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.320159912 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.858820915 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.858839989 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.858855963 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.859004021 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.859070063 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.859148026 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.859258890 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.859303951 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.859322071 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.859339952 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.859381914 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.864795923 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.864829063 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:23.864856005 CEST	49752	443	192.168.2.4	20.114.59.183
Apr 26, 2024 15:44:23.864871025 CEST	443	49752	20.114.59.183	192.168.2.4
Apr 26, 2024 15:44:34.188827991 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:34.188939095 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:34.189080000 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:34.189353943 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:34.189388037 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:34.582874060 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:34.583133936 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:34.583193064 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:34.584336996 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:34.584681034 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:34.584868908 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:34.627363920 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:35.002479076 CEST	49723	80	192.168.2.4	23.45.182.85
Apr 26, 2024 15:44:35.127901077 CEST	80	49723	23.45.182.85	192.168.2.4
Apr 26, 2024 15:44:35.127969027 CEST	49723	80	192.168.2.4	23.45.182.85
Apr 26, 2024 15:44:44.567179918 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:44.567342043 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:44:44.567404032 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:45.119075060 CEST	49754	443	192.168.2.4	142.250.217.196
Apr 26, 2024 15:44:45.119122982 CEST	443	49754	142.250.217.196	192.168.2.4
Apr 26, 2024 15:45:34.381875038 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:34.381915092 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:34.381973982 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:34.382184029 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:34.382198095 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:34.768439054 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:34.769300938 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:34.769325972 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:34.769747972 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:34.773260117 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:34.773360968 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:34.892440081 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:44.758940935 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:44.759017944 CEST	443	49756	142.250.64.196	192.168.2.4
Apr 26, 2024 15:45:44.759077072 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:46.066443920 CEST	49756	443	192.168.2.4	142.250.64.196
Apr 26, 2024 15:45:46.066473961 CEST	443	49756	142.250.64.196	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 15:43:30.618048906 CEST	53	63301	1.1.1.1	192.168.2.4
Apr 26, 2024 15:43:32.104033947 CEST	53	63314	1.1.1.1	192.168.2.4
Apr 26, 2024 15:43:32.801381111 CEST	61718	53	192.168.2.4	1.1.1.1
Apr 26, 2024 15:43:32.801568985 CEST	52873	53	192.168.2.4	1.1.1.1
Apr 26, 2024 15:43:32.889039040 CEST	53	59727	1.1.1.1	192.168.2.4
Apr 26, 2024 15:43:32.926724911 CEST	53	61718	1.1.1.1	192.168.2.4
Apr 26, 2024 15:43:32.927537918 CEST	53	52873	1.1.1.1	192.168.2.4
Apr 26, 2024 15:43:33.818567991 CEST	53	54429	1.1.1.1	192.168.2.4
Apr 26, 2024 15:43:47.396579981 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 15:43:53.508157015 CEST	53	59587	1.1.1.1	192.168.2.4
Apr 26, 2024 15:44:12.753875017 CEST	53	61823	1.1.1.1	192.168.2.4
Apr 26, 2024 15:44:29.630532980 CEST	53	59810	1.1.1.1	192.168.2.4
Apr 26, 2024 15:44:35.553025007 CEST	53	51038	1.1.1.1	192.168.2.4
Apr 26, 2024 15:44:58.020154953 CEST	53	62030	1.1.1.1	192.168.2.4
Apr 26, 2024 15:45:34.254801989 CEST	60978	53	192.168.2.4	1.1.1.1
Apr 26, 2024 15:45:34.255145073 CEST	57016	53	192.168.2.4	1.1.1.1
Apr 26, 2024 15:45:34.380312920 CEST	53	57016	1.1.1.1	192.168.2.4
Apr 26, 2024 15:45:34.380870104 CEST	53	60978	1.1.1.1	192.168.2.4
Apr 26, 2024 15:45:46.192662001 CEST	53	54613	1.1.1.1	192.168.2.4
Apr 26, 2024 15:46:59.770958900 CEST	53	58474	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 15:43:32.801381111 CEST	192.168.2.4	1.1.1.1	0xbd0a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 15:43:32.801568985 CEST	192.168.2.4	1.1.1.1	0x4b91	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 26, 2024 15:45:34.254801989 CEST	192.168.2.4	1.1.1.1	0x45e7	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 15:45:34.255145073 CEST	192.168.2.4	1.1.1.1	0x93d8	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 15:43:32.926724911 CEST	1.1.1.1	192.168.2.4	0xbd0a	No error (0)	www.google.com	142.250.217.196	A (IP address)	IN (0x0001)	false
Apr 26, 2024 15:43:32.927537918 CEST	1.1.1.1	192.168.2.4	0x4b91	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 26, 2024 15:45:34.380312920 CEST	1.1.1.1	192.168.2.4	0x93d8	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 26, 2024 15:45:34.380870104 CEST	1.1.1.1	192.168.2.4	0x45e7	No error (0)	www.google.com	142.250.64.196	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	142.250.217.196	443	7540	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:33 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 13:43:33 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 13:43:33 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-hk13gJMyNG-etyfogvcymQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 13:43:33 UTC	781	IN	Data Raw: 33 30 36 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6e 65 77 20 79 6f 72 6b 20 6a 65 74 73 20 6e 66 6c 20 64 72 61 66 74 22 2c 22 6a 65 6f 70 61 72 64 79 20 61 70 72 69 6c 20 32 35 22 2c 22 6e 69 6e 74 65 6e 64 6f 20 67 61 72 72 79 20 6d 6f 64 22 2c 22 77 65 61 74 68 65 72 20 73 74 6f 72 6d 73 20 74 6f 72 6e 61 64 6f 65 73 22 2c 22 6b 61 6e 73 61 73 20 63 69 74 79 20 72 6f 79 61 6c 73 20 64 65 74 72 6f 69 74 20 74 69 67 65 72 73 22 2c 22 6e 65 74 66 6c 69 78 20 6d 69 6e 64 68 75 6e 74 65 72 20 73 65 61 73 6f 6e 20 33 22 2c 22 6d 6f 72 74 67 61 67 65 20 72 61 74 65 73 20 74 6f 64 61 79 22 2c 22 73 74 65 6c 6c 61 72 20 62 6c 61 64 65 20 70 72 65 20 6f 72 64 65 72 20 62 6f 6e 75 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 Data Ascii: 306)]}'["",["new york jets nfl draft","jeopardy april 25","nintendo garry mod","weather storms tornadoes","kansas city royals detroit tigers","netflix mindhunter season 3","mortgage rates today","stellar blade pre order bonus"],["","","","","","","",""
2024-04-26 13:43:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	142.250.217.196	443	7540	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:33 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	142.250.217.196	443	7540	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:33 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 13:43:34 UTC	1842	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGIXfrrEGIjAdKFZA6B8LUpBZRiNhr8FJpy1yvW5vqYo1ClOK6dWNHDtcaSKK-xlwd9CyEsnqRasyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIht-usQYQ7pC1CxIEZoGY3A Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 13:43:34 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-13; expires=Sun, 26-May-2024 13:43:34 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=CqrBFwJtEU5vGegZ5BwjS3ty7Wbut5H01-ucOBxdsz0bIpJvA2ZupvoVreBonI4KwAUhYprf0ellFbBWmHPHJmJ1nua6Fb5VXWfvC6f1_VdHGKvzbTgzjlAbcb6mjNDtZLiaHNz9bTj5E6cTXu5OlMxlTWkzY3FZAWJEbwzh9e0; expires=Sat, 26-Oct-2024 13:43:33 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 13:43:34 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	142.250.217.196	443	7540	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:33 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 13:43:33 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGIXfrrEGIjAZuMafgKHf7uR1JXgpqjpK6Z2b7SObhQkaGFX3CtQIhkDC1Mq1y2n6uvliGb60JvkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIhd-usQYQpOjpowMSBGaBmNw Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 13:43:33 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-13; expires=Sun, 26-May-2024 13:43:33 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=dMNnTzt-DddYQCxBpQodMR6PgEEKqclSrWQ7imdCb6OL1RPcQJy-XdPIAKFxHujPXvDsD2gJht2loNQcu0ncgnNsz4kUquCZpD-VdS4x0xgtsu9xdqKtAmPtVwOsZq28vL2INTpCgaM7anbX-PMFnL9TSqKBy7-fT4EcTctQi4Y; expires=Sat, 26-Oct-2024 13:43:33 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 13:43:33 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	142.250.217.196	443	7540	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:34 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 13:43:34 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 13:43:34 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-liXWO2B1TchHOMcqummi5Q' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 13:43:34 UTC	1703	IN	Data Raw: 31 64 30 34 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 63 68 61 6c 6c 65 6e 67 65 72 73 20 6d 6f 76 69 65 73 22 2c 22 6e 61 73 61 20 6d 61 72 73 20 73 70 69 64 65 72 73 22 2c 22 75 73 63 20 73 74 75 64 65 6e 74 20 70 72 6f 74 65 73 74 73 22 2c 22 66 72 61 6e 6b 20 63 73 6f 72 62 61 20 64 65 61 74 68 22 2c 22 6c 65 67 6f 20 6d 69 6c 6b 79 20 77 61 79 20 67 61 6c 61 78 79 22 2c 22 65 78 70 72 65 73 73 20 73 74 6f 72 65 73 20 63 6c 6f 73 69 6e 67 20 6c 69 73 74 22 2c 22 73 6f 75 74 68 20 63 61 72 6f 6c 69 6e 61 20 63 69 63 61 64 61 73 22 2c 22 6e 69 63 68 6f 6c 61 73 20 63 68 61 76 65 7a 20 67 65 6e 65 72 61 6c 20 68 6f 73 70 69 74 61 6c 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 Data Ascii: 1d04)]}'["",["challengers movies","nasa mars spiders","usc student protests","frank csorba death","lego milky way galaxy","express stores closing list","south carolina cicadas","nicholas chavez general hospital"],["","","","","","","",""],[],{"google:c
2024-04-26 13:43:34 UTC	1703	IN	Data Raw: 55 52 4d 52 57 5a 4a 56 33 64 6c 4d 30 6c 4e 4b 7a 64 50 61 6e 51 34 64 54 46 35 63 6e 4a 71 52 6c 42 69 53 6b 74 78 5a 55 59 30 56 6d 46 56 53 6b 56 6d 53 57 4e 72 5a 30 31 4e 59 6b 56 6e 61 47 64 45 4d 6b 6b 79 65 47 38 35 53 6e 5a 74 52 58 4e 73 57 46 56 46 56 6b 68 45 54 6b 78 45 4e 46 6b 31 4d 6d 70 52 5a 30 4a 77 61 6d 78 7a 63 56 4e 52 51 30 46 43 4b 31 6c 75 51 54 6c 74 4b 33 46 4d 4d 56 52 4f 57 6e 49 30 57 57 46 55 62 55 39 33 61 32 68 52 52 58 4e 57 65 57 56 74 56 6b 38 76 64 7a 42 52 63 58 41 33 65 46 46 35 54 46 56 57 53 7a 46 54 64 45 64 52 5a 57 56 54 52 6c 64 44 62 6d 4a 48 4e 56 42 31 4e 6d 64 6c 4e 31 4a 55 5a 31 64 70 62 6e 46 79 62 32 4a 30 56 6b 52 36 63 30 46 7a 55 6b 6b 7a 51 79 73 7a 4e 43 39 33 51 57 46 4a 5a 6e 6c 34 5a 6b 31 61 Data Ascii: URMRWZJV3dlM0lNKzdPanQ4dTF5cnJqRlBiSktxZUY0VmFVSkVmSWNrZ01NYkVnaGdEMkkyeG85SnZtRXNsWFVFVkhETkxENFk1MmpRZ0JwamxzcVNRQ0FCK1luQTltK3FMMVROWnI0WWFUbU93a2hRRXNWeWVtVk8vdzBRcXA3eFF5TFVWSzFTdEdRZWVTRldDbmJHNVB1NmdlN1JUZ1dpbnFyb2J0VkR6c0FzUkkzQyszNC93QWFJZnl4Zk1a
2024-04-26 13:43:34 UTC	1703	IN	Data Raw: 58 33 4e 7a 63 44 31 6c 53 6e 70 71 4e 48 52 57 55 44 46 36 59 7a 42 4d 52 46 4e 31 56 45 4e 76 4d 33 70 7a 4e 48 6c 5a 55 46 46 54 55 33 4d 31 53 58 70 4e 62 45 70 36 56 58 52 51 54 46 4e 77 56 33 6c 4e 4d 48 5a 35 4d 48 64 30 51 6d 64 45 53 57 64 6e 64 30 5a 77 46 41 5c 75 30 30 33 64 5c 75 30 30 33 64 22 2c 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 67 6f 6f 67 6c 65 3a 65 6e 74 69 74 79 69 6e 66 6f 22 3a 22 43 67 30 76 5a 79 38 78 4d 58 45 30 62 46 39 78 4d 57 78 7a 45 68 6c 4f 61 57 4e 6f 62 32 78 68 63 79 42 44 61 47 46 Data Ascii: X3NzcD1lSnpqNHRWUDF6YzBMRFN1VENvM3pzNHlZUFFTU3M1SXpNbEp6VXRQTFNwV3lNMHZ5MHd0QmdESWdnd0ZwFA\u003d\u003d","zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMXE0bF9xMWxzEhlOaWNob2xhcyBDaGF
2024-04-26 13:43:34 UTC	1703	IN	Data Raw: 61 53 58 46 69 54 45 6f 32 63 56 56 43 56 55 52 6e 52 57 70 78 5a 6a 56 69 52 48 5a 54 57 6e 46 71 63 55 63 34 53 32 39 53 56 43 74 79 64 33 4a 6e 5a 6d 5a 44 4d 58 63 7a 62 45 6c 35 56 33 52 74 62 30 74 30 51 54 42 55 55 32 31 68 53 6d 51 33 59 56 52 31 62 7a 4d 31 61 31 64 48 52 30 64 51 54 45 56 4f 56 54 6c 56 57 6a 5a 31 56 31 46 79 63 46 5a 45 53 56 4a 46 64 54 6b 35 61 30 63 78 4b 32 77 72 4d 6b 52 71 55 6b 70 4e 57 55 6c 48 51 32 64 44 52 6b 73 79 59 55 64 74 62 33 70 4d 54 45 74 36 63 57 51 78 52 57 46 72 61 7a 52 53 5a 55 6f 31 4d 33 49 34 64 48 46 46 52 6b 78 4c 63 30 78 4c 55 56 4d 31 56 57 78 55 4d 45 35 6e 56 44 46 33 64 31 52 36 52 6d 39 5a 53 45 6f 78 65 46 4a 35 4d 6b 34 35 65 46 6b 33 57 48 68 34 63 57 4e 76 62 7a 68 32 63 47 35 47 54 6c Data Ascii: aSXFiTEo2cVVCVURnRWpxZjViRHZTWnFqcUc4S29SVCtyd3JnZmZDMXczbEl5V3Rtb0t0QTBUU21hSmQ3YVR1bzM1a1dHR0dQTEVOVTlVWjZ1V1FycFZESVJFdTk5a0cxK2wrMkRqUkpNWUlHQ2dDRksyYUdtb3pMTEt6cWQxRWFrazRSZUo1M3I4dHFFRkxLc0xLUVM1VWxUME5nVDF3d1R6Rm9ZSEoxeFJ5Mk45eFk3WHh4cWNvbzh2cG5GTl
2024-04-26 13:43:34 UTC	624	IN	Data Raw: 42 71 54 6c 46 61 53 6b 68 58 56 55 5a 53 4e 54 42 44 51 56 46 30 63 56 46 70 4d 6e 42 57 57 58 52 6a 57 44 56 6b 63 6d 34 32 4e 46 52 6c 53 45 39 4b 62 6e 6b 32 64 48 5a 59 53 6b 6b 32 5a 6b 73 33 55 6a 4a 43 64 44 64 71 61 31 49 72 55 48 5a 70 61 54 56 43 62 54 6c 47 56 6c 56 30 56 46 5a 44 55 30 5a 6e 5a 6c 64 46 55 6d 64 6d 52 45 68 4d 5a 47 49 7a 57 47 4e 75 63 47 68 57 62 6a 51 72 57 47 70 70 5a 30 35 6d 59 30 4a 48 61 6d 4d 76 4c 31 6f 36 49 47 35 70 59 32 68 76 62 47 46 7a 49 47 4e 6f 59 58 5a 6c 65 69 42 6e 5a 57 35 6c 63 6d 46 73 49 47 68 76 63 33 42 70 64 47 46 73 53 67 63 6a 4e 7a 51 33 59 7a 4d 77 55 6c 5a 6e 63 31 39 7a 63 33 41 39 5a 55 70 36 61 6a 52 30 56 6c 41 78 65 6d 4d 77 54 45 52 55 53 6d 6c 54 4f 44 42 36 51 32 73 79 57 56 42 53 55 Data Ascii: BqTlFaSkhXVUZSNTBDQVF0cVFpMnBWWXRjWDVkcm42NFRlSE9Kbnk2dHZYSkk2Zks3UjJCdDdqa1IrUHZpaTVCbTlGVlV0VFZDU0ZnZldFUmdmREhMZGIzWGNucGhWbjQrWGppZ05mY0JHamMvL1o6IG5pY2hvbGFzIGNoYXZleiBnZW5lcmFsIGhvc3BpdGFsSgcjNzQ3YzMwUlZnc19zc3A9ZUp6ajR0VlAxemMwTERUSmlTODB6Q2syWVBSU
2024-04-26 13:43:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	142.250.217.196	443	7540	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:34 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGIXfrrEGIjAZuMafgKHf7uR1JXgpqjpK6Z2b7SObhQkaGFX3CtQIhkDC1Mq1y2n6uvliGb60JvkyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-13; NID=513=dMNnTzt-DddYQCxBpQodMR6PgEEKqclSrWQ7imdCb6OL1RPcQJy-XdPIAKFxHujPXvDsD2gJht2loNQcu0ncgnNsz4kUquCZpD-VdS4x0xgtsu9xdqKtAmPtVwOsZq28vL2INTpCgaM7anbX-PMFnL9TSqKBy7-fT4EcTctQi4Y
2024-04-26 13:43:34 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 13:43:34 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3114 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 13:43:34 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 13:43:34 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 66 34 49 49 35 4b 35 30 31 68 6e 52 49 6b 44 4b 6e 4f 6b 4a 54 61 4d 68 6a 75 74 58 33 4f 63 76 51 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="f4II5K501hnRIkDKnOkJTaMhjutX3OcvQ
2024-04-26 13:43:34 UTC	960	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49741	142.250.217.196	443	7540	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:34 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGIXfrrEGIjAdKFZA6B8LUpBZRiNhr8FJpy1yvW5vqYo1ClOK6dWNHDtcaSKK-xlwd9CyEsnqRasyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-13; NID=513=CqrBFwJtEU5vGegZ5BwjS3ty7Wbut5H01-ucOBxdsz0bIpJvA2ZupvoVreBonI4KwAUhYprf0ellFbBWmHPHJmJ1nua6Fb5VXWfvC6f1_VdHGKvzbTgzjlAbcb6mjNDtZLiaHNz9bTj5E6cTXu5OlMxlTWkzY3FZAWJEbwzh9e0
2024-04-26 13:43:34 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 13:43:34 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3186 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 13:43:34 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-26 13:43:34 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 42 34 55 37 33 44 66 49 73 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="B4U73DfIs
2024-04-26 13:43:34 UTC	1032	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:42 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 13:43:42 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=62403 Date: Fri, 26 Apr 2024 13:43:42 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:42 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 13:43:43 UTC	530	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0DZ+oYgAAAABSxwJpMgMuSLkfS640ajfFQVRBRURHRTEyMTkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=62396 Date: Fri, 26 Apr 2024 13:43:43 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-26 13:43:43 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:43:43 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FuUZcZ+yhgEgN+o&MD=K+OVTngD HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 13:43:43 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: a3f6fe93-fd04-4fbc-88fb-428f34353fbb MS-RequestId: 7322fb2b-e186-4a81-9365-6be12d5c5f14 MS-CV: ILXNyliVbEKDbkHa.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 13:43:42 GMT Connection: close Content-Length: 24490
2024-04-26 13:43:43 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-26 13:43:43 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49752	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 13:44:23 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=FuUZcZ+yhgEgN+o&MD=K+OVTngD HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 13:44:23 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 7734dc7b-5e4f-4aa7-ae65-8be07381cfb0 MS-RequestId: c2e9f982-a910-447b-8abf-318c8bd75d7b MS-CV: XSzluONRDU6r0kjl.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 13:44:23 GMT Connection: close Content-Length: 25457
2024-04-26 13:44:23 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-26 13:44:23 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	15:43:21
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip"
Imagebase:	0x610000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:43:21
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nmeqw10e.03i" "C:\Users\user\Desktop\e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip"
Imagebase:	0x580000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:43:21
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:43:27
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:43:27
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:43:28
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1960,i,12582273665155075133,2497263848660553741,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:43:28
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1980,i,15587171962087274700,4709450360019695002,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00F0B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00F0B208

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 84864b481ef33f16a63d28e4fb5a5f80e2fe44817e0efeeb75647ebefb76579a
Instruction ID: 6d43ea4f5f439f57d0558e63db1e18a8cf9464767ce5f29387bb153c619f825b
Opcode Fuzzy Hash: 84864b481ef33f16a63d28e4fb5a5f80e2fe44817e0efeeb75647ebefb76579a
Instruction Fuzzy Hash: C401A2719042409FDB10CF15D984765FBE4DF44720F18C4EADD489F756D379A504EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F0B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F0B2F3

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 070e7aea62fb576fb5bc6946d19e86ca5a1e717e7fcbc1cdf1911cedec4502b4
Instruction ID: 9a9ec60dc83c8fab6af40e9eec4564c8b637031cb09cc4c345531825b4419074
Opcode Fuzzy Hash: 070e7aea62fb576fb5bc6946d19e86ca5a1e717e7fcbc1cdf1911cedec4502b4
Instruction Fuzzy Hash: 3031A172404344AFEB228B61CC44FA6BFBCEF15320F04889AE985DB562D324E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F0ADA7

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eac41533c3b1e75c8ff46f5ebc19f8143219e5398cb9f64268542cada23edb06
Instruction ID: 9ca970741b4b807106fee235025c8822401725d0295432fe4df287ec26bd7dbb
Opcode Fuzzy Hash: eac41533c3b1e75c8ff46f5ebc19f8143219e5398cb9f64268542cada23edb06
Instruction Fuzzy Hash: EF31B371504344BFEB228B61DC44FA7BFBCEF15220F04889AF985DB562D224E919DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00F0AC36

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 15500d20405a368c89ed039a14423c7b1feba1418eb92f4896e68c769f3e27cc
Instruction ID: bcc87fc0d5195c03bd66bee6acd09baa78297c86bd6c964fa797225ec9f45973
Opcode Fuzzy Hash: 15500d20405a368c89ed039a14423c7b1feba1418eb92f4896e68c769f3e27cc
Instruction Fuzzy Hash: D931A17150D3C06FD3138B758C65A65BFB4AF47210F1A84CBD8C4DF5A3D228A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F0A67D

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 70ad321d946152e3d04c0cd962269bf97cbc74d5aa544a2a747f3589b577aab2
Instruction ID: ff100d8082712e59f792ff58bdf71b70c23a820e582d6504632473a18a085445
Opcode Fuzzy Hash: 70ad321d946152e3d04c0cd962269bf97cbc74d5aa544a2a747f3589b577aab2
Instruction Fuzzy Hash: 18318D71504340AFE721CF65DC44F66BBF8EF09220F08889EE9859B692D375E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00F0A1C2

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 5b9ece2f30e9483a02ebb75145673e68f808909c95df1d07a07db8e7f43d0e0c
Instruction ID: 1d63781ba6820e8c066e9d5c649cb33b03e6348b7ad6aa074b2c24d602785314
Opcode Fuzzy Hash: 5b9ece2f30e9483a02ebb75145673e68f808909c95df1d07a07db8e7f43d0e0c
Instruction Fuzzy Hash: 0721C47150D3C06FD3128B258C51BA6BFB4EF87610F1985CBD884DF693D225AA1AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A40C

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f47c09a0dbd784035045ee9b2045e4e6b937f554f961d368f7d7dcf69cee8db0
Instruction ID: 0495a4345e4e6c338cec981caee34e3804e89da017e0a4b0d547efeb03b100a9
Opcode Fuzzy Hash: f47c09a0dbd784035045ee9b2045e4e6b937f554f961d368f7d7dcf69cee8db0
Instruction Fuzzy Hash: 22218D75504740AFD721CF51CC84FA2BBFCEF05720F08849AE945DB292D364E908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F0B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F0B2F3

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef4d5093a44fa4d573b1327178d7e62401c2e8b15ede6a712066beed490fcaea
Instruction ID: 8975dbe4ca6f205d49b96b8ed9b82a781134e963f4cd43bd6ce7517f721eedd6
Opcode Fuzzy Hash: ef4d5093a44fa4d573b1327178d7e62401c2e8b15ede6a712066beed490fcaea
Instruction Fuzzy Hash: E321BD72500204AFEB218F65DC44FABBBACEF14324F14886AE945DB651D734E508ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00F0ADA7

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 803064ed2059d00387188eef33163a53b5b0a7cf50a1abe487398bc5200f42ca
Instruction ID: c9fe35c179003366fcddf7c3e3f4758f46310e1cf215cf83b7e32bf37c4a9026
Opcode Fuzzy Hash: 803064ed2059d00387188eef33163a53b5b0a7cf50a1abe487398bc5200f42ca
Instruction Fuzzy Hash: 8E21BD72500304AFEB218F65DC44FABFBACEF14324F04886AF945DBA51D734E508ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A8DE

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c7f44fde033994ab594666485d302d017466a3dac009bcf0dc04d4d39c203f6e
Instruction ID: 9b699df23bf944b51d046f797c5624e71e80c13cc902807061c2c91df412147c
Opcode Fuzzy Hash: c7f44fde033994ab594666485d302d017466a3dac009bcf0dc04d4d39c203f6e
Instruction Fuzzy Hash: 0721D3715083806FEB228F50DC44FA2BFB8EF46724F0984DBE984DF592C224A909D772

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A9C1

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9039a37baadba1856e918ff899dbe1ff685eee471a2388b0d9e477c96453ebb4
Instruction ID: 1e9830ee4658c8690fb4bd7707a07ea8b9345481e5eb9a7582d396cd5c50f495
Opcode Fuzzy Hash: 9039a37baadba1856e918ff899dbe1ff685eee471a2388b0d9e477c96453ebb4
Instruction Fuzzy Hash: AA219271509380AFDB22CF61DC44F96BFB8EF56314F08849AE9849F152C275A548DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00F0A67D

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9c659fa6334b59919989cdfde97dfbe8713e3e9e002ea402e626fd64c22a0baf
Instruction ID: 2c9b30e4dde02d1c09049cc3a3c4615872f9a60216a92a4e88590341cd3ba5a2
Opcode Fuzzy Hash: 9c659fa6334b59919989cdfde97dfbe8713e3e9e002ea402e626fd64c22a0baf
Instruction Fuzzy Hash: 0421A371500300AFE720CF65DD44F66FBE8EF04320F088469E9458B691D376E508DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A815

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 33017b6d4a6d1d91d2160f8fe4e77eee79f840dafdf543444bad5b71bbc939b3
Instruction ID: a717989be3e7f5aeee9d6287eef3634a68ae462888ab6b9299a6f9a6b9680ee4
Opcode Fuzzy Hash: 33017b6d4a6d1d91d2160f8fe4e77eee79f840dafdf543444bad5b71bbc939b3
Instruction Fuzzy Hash: D321D5B54083806FE7128B51DC40BA2BFB8DF56324F08C0DBE984DB293D268A909D772

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00F0A748

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5b69a3aca2db1cffd8d41c303ff48d72eb03fad7c34c189d29a919fe983d1776
Instruction ID: f07642adb30a03e2660cf759fa75484ba706305852bd74607d5481ee8c0d98ed
Opcode Fuzzy Hash: 5b69a3aca2db1cffd8d41c303ff48d72eb03fad7c34c189d29a919fe983d1776
Instruction Fuzzy Hash: 1321D4B59093C05FDB128F25DC95652BFB8EF07320F0984DBDC858F2A3D2649908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00F0AA8B

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1cb7b70e357cd2cce93dbb24724a945d77e4b641da786326afa28345039255aa
Instruction ID: e5438adb0e367a9b8ef34454224e6a4ad0f5c42a5ba8429e85beb20cf78ff78a
Opcode Fuzzy Hash: 1cb7b70e357cd2cce93dbb24724a945d77e4b641da786326afa28345039255aa
Instruction Fuzzy Hash: 5C2195716083C09FDB12CB25DC55B96BFE8AF06324F0D84EAE884DF193D225D905DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A40C

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dff3ab8cc05d484569a160556afdbe7bf7d89d454978daefc5cda0c9bb1bc4c4
Instruction ID: 81b72bfc758730f5c8c629453d6dba238b565e2f2bbc16aba0e8795009ec8497
Opcode Fuzzy Hash: dff3ab8cc05d484569a160556afdbe7bf7d89d454978daefc5cda0c9bb1bc4c4
Instruction Fuzzy Hash: 5721AE7A600300AFE720CF55CC84FA6B7ECEF14720F04C46AE945CB691D364E908EA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A9C1

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bf0e94be25d1d85b6f1b7bdeaccea7720f36d37c4f261814f5504a1e54dd4125
Instruction ID: 203b16647d2fd0499a3024e14be7d68435e09839d040164aa1614b446818846d
Opcode Fuzzy Hash: bf0e94be25d1d85b6f1b7bdeaccea7720f36d37c4f261814f5504a1e54dd4125
Instruction Fuzzy Hash: 2E11E272500300AFEB21CF55DC40FA6FBA8EF14324F14846AE9459B681C334E508DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A8DE

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: bcfe8c8af6007fb7fea14ecbe915a27fe77792ed33dbce64d3d662b0bbb316ea
Instruction ID: 809749feea30c410958ff006336cdce752f7c41f207393c7580361feecd8228f
Opcode Fuzzy Hash: bcfe8c8af6007fb7fea14ecbe915a27fe77792ed33dbce64d3d662b0bbb316ea
Instruction Fuzzy Hash: 1C11C172500300AFEB21CF55DC44BA6FBE8EF54324F14C8AAE9499B681C374E5089BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F0A30C

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6d17625e6263fc2f2e0fe6080bb4cfa0e3cf94ecbb8c541d6bbdbdba6edbf125
Instruction ID: 7e2d3502f172081bef3b610ac3d5d94822bb4b008fb2a5d133420256306f4750
Opcode Fuzzy Hash: 6d17625e6263fc2f2e0fe6080bb4cfa0e3cf94ecbb8c541d6bbdbdba6edbf125
Instruction Fuzzy Hash: DC11A3758093C0AFDB228B25DC54A52BFB4DF17320F0980DBDD848F2A3D265A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,FC9BC1E4,00000000,00000000,00000000,00000000), ref: 00F0A815

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 85d9f17046f741d9e9de395558dedd94eec28721dfd1451d9803af32ec370880
Instruction ID: a032c36afb05905e9442edb3a8775ea01c8b5d1dcb964ff911cab1e69eddad5b
Opcode Fuzzy Hash: 85d9f17046f741d9e9de395558dedd94eec28721dfd1451d9803af32ec370880
Instruction Fuzzy Hash: 7601D276504300AFE720CB45DC84BA6FBE8DF54724F14C0A6ED059B781D378E9089BB6

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00F0AA8B

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: dcbc0ec7d85650a7e88a271357318440edcb498c85cd5188c6cf2db5803d8217
Instruction ID: 45604c8f71b468310136151184615272d7c71ec3cc4d25dfa16274df98881980
Opcode Fuzzy Hash: dcbc0ec7d85650a7e88a271357318440edcb498c85cd5188c6cf2db5803d8217
Instruction Fuzzy Hash: D9115271A042409FEB10CF19D985756FBD8EF04720F08C4AAED49DB681E678E904EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F0B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00F0B208

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3989c87aa1a0e71cc599c7aa3bec0c94e634455a3e89bafbedcf3691114e5bb6
Instruction ID: e7e45112bae82ad8a7922d5902933babf5258981fde7007c7c78d0ede732da38
Opcode Fuzzy Hash: 3989c87aa1a0e71cc599c7aa3bec0c94e634455a3e89bafbedcf3691114e5bb6
Instruction Fuzzy Hash: AB117071909380AFDB12CF15DD44B56BFB4DF56220F0884DBED849F252D279A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00F0AFE4

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 5e6075169b43c684f62ad6fca7b066d8f9ff4469ab74c70b45813f9c712dad1a
Instruction ID: e0284b289869062f8e9f0f0625ba30623d6ad1189db384deb313418217e9f1d4
Opcode Fuzzy Hash: 5e6075169b43c684f62ad6fca7b066d8f9ff4469ab74c70b45813f9c712dad1a
Instruction Fuzzy Hash: 5811A0715093C0AFDB128B25DC45A52BFF4EF06220F0984DBED858B2A2D278A948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00F0A1C2

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 3edc3b2cf70a61779cf2bc9881112adbf914b8f43ba02c0b1bbd430fe4813b67
Instruction ID: 13127458b442a38a31218a46c58171940c7787fb52e08a217f2db962d6d52ea6
Opcode Fuzzy Hash: 3edc3b2cf70a61779cf2bc9881112adbf914b8f43ba02c0b1bbd430fe4813b67
Instruction Fuzzy Hash: F20171B1600200ABD710DF16DC45B76FBE8EB88A20F14855AED08ABB41D735FA55CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F0ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00F0AC36

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 29d8cdd136918ab84b8ee38c4fda199c95dec99177e80ec35259bcecdda1d7f1
Instruction ID: e4cf08b17049350f6f50f3b68f67f8756cb9e37605d5702b006721c041d78237
Opcode Fuzzy Hash: 29d8cdd136918ab84b8ee38c4fda199c95dec99177e80ec35259bcecdda1d7f1
Instruction Fuzzy Hash: 51015EB1600200ABD310DF16DC45B66FBA8EB88A20F14855AED48ABB41D635FA55CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A716 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00F0A748

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b6dbd180a4c3603794e042638bb833785f8ef3c93febf084a1f61a982fd4f8e8
Instruction ID: 7802e2f9a10d1efb0e21954688925e3a27ddba92338b3365ea29bc08668d3722
Opcode Fuzzy Hash: b6dbd180a4c3603794e042638bb833785f8ef3c93febf084a1f61a982fd4f8e8
Instruction Fuzzy Hash: FD01D4759003409FDB10CF15D984765FBE4DF04320F18C4EADC09CB682D278E904EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F0AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00F0AFE4

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9900e3d36b9af05a29e09cb64f5c0441fed0b2c57521a240f724e9fb4f54f97c
Instruction ID: 4a8ce56f662853e8c1e79808d11a3c6e0873ef2a4ea24715807f91ce41337084
Opcode Fuzzy Hash: 9900e3d36b9af05a29e09cb64f5c0441fed0b2c57521a240f724e9fb4f54f97c
Instruction Fuzzy Hash: B901D6755002409FDB108F15D884762FBE4EF04330F08C4AADD158B791D375E948EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F0A30C

Memory Dump Source

Source File: 00000000.00000002.4120881049.0000000000F0A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bdefa3471b5b2bf321ffb9fcd67c449b48fbb2eaf90df6ba3c2f6a171bd9be6f
Instruction ID: 85900fcf358b3021dced8878561bd916a3ea13d51c7da44f0bd3c60b2a9efad8
Opcode Fuzzy Hash: bdefa3471b5b2bf321ffb9fcd67c449b48fbb2eaf90df6ba3c2f6a171bd9be6f
Instruction Fuzzy Hash: 99F08C759043409FDB208F06D985761FBA0EF04734F18C0AADD094B796D37AA918EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011D0C99 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

[M+, xrefs: 011D0D43, 011D0D48

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID: [M+
API String ID: 0-2732394543
Opcode ID: 76248e82e9f39864917bea23e04f22f55dded0287a42b9be6ffcde55587963db
Instruction ID: 52f8d86bf13623db2e6680d08e6173d57dd564d00842841312e77a6267f7c962
Opcode Fuzzy Hash: 76248e82e9f39864917bea23e04f22f55dded0287a42b9be6ffcde55587963db
Instruction Fuzzy Hash: 46212730B046508FCB59EB3988417AE7BD69FC9208F44883DD485DB341DF3A9D079796

Uniqueness

Uniqueness Score: -1.00%

Function 011D0CA8 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

[M+, xrefs: 011D0D43, 011D0D48

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID: [M+
API String ID: 0-2732394543
Opcode ID: 8fcb54c8c65cb96388a8372f3e765fed4aacdc7fea0d887fae0eee65d9bb6776
Instruction ID: 110a25913ab2131ea6b90f217f0b4e10439f2f95afe8269ca6cb0e544f0794e1
Opcode Fuzzy Hash: 8fcb54c8c65cb96388a8372f3e765fed4aacdc7fea0d887fae0eee65d9bb6776
Instruction Fuzzy Hash: 6421D630B007148FCB59EB3985416AEB7D69FC9204B44883DD486DB341DF79AD069796

Uniqueness

Uniqueness Score: -1.00%

Function 011D02C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a33e8c91d3c647d7f5f642c68fac65f490aed50baad52f7eb8e97d5613f921
Instruction ID: 66e8bf4dfdd0290905cce5f8d73e84c613b16f31c9cc11f7325aa8f291230694
Opcode Fuzzy Hash: b4a33e8c91d3c647d7f5f642c68fac65f490aed50baad52f7eb8e97d5613f921
Instruction Fuzzy Hash: 6EB13E39701114CFCB18EB78E958B5A7BF2EF8C344B518429E906DB368DB359E01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 011D0799 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2397d0db08a8648b1ee9b1d574733a1128c40da1b6e6b40cd6a5d0b4842f6d54
Instruction ID: 47bd07b5afa22aba86859e2e4f4c591bc9f544ab984c11cc5f78a4c8a91f7862
Opcode Fuzzy Hash: 2397d0db08a8648b1ee9b1d574733a1128c40da1b6e6b40cd6a5d0b4842f6d54
Instruction Fuzzy Hash: 96A16E34B002058FDB19EB78D85976E77F3AB88308F258429E906D7394DF799D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01220648 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121230759.0000000001220000.00000040.00000020.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9566fea8b4504ba17de895ec41c1d24a75f32bbdada2ad6936967c59269524
Instruction ID: d7d860087bdfde8b641d5a3742cf64080209a77b2d4567cba596fdf039c27ab9
Opcode Fuzzy Hash: 8e9566fea8b4504ba17de895ec41c1d24a75f32bbdada2ad6936967c59269524
Instruction Fuzzy Hash: 8311E9B240D3C06FC713CB11AC50896BFB8EF5722071984DBE889DB593D225A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 011D0B8F Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14e49649ed4fad3da7eee694866a83ed6d5f22e53d9e2cc823b6a256484d41c
Instruction ID: b3018cc65c80213640ef65de9fa55b67e3794e3d74377213ce73afab613d30ab
Opcode Fuzzy Hash: a14e49649ed4fad3da7eee694866a83ed6d5f22e53d9e2cc823b6a256484d41c
Instruction Fuzzy Hash: B211E635A101186FCF04DFB4D845DDE7BF2AF88304B254579E605E7275EB759D0A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 011D0BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fe4ef4a50e93e531bb3f63cfca79c9c14bce4a1d0868d81e55a335ec783d2d
Instruction ID: 8b866d39bd9d34237e91b95d6a08eebda2b6bc7264af86965dbf57ac53ff6e4a
Opcode Fuzzy Hash: a0fe4ef4a50e93e531bb3f63cfca79c9c14bce4a1d0868d81e55a335ec783d2d
Instruction Fuzzy Hash: 07119132A10118AFCB049BB4D845D9E7BF6BB88214B254979E605EB274DB35AD0687D0

Uniqueness

Uniqueness Score: -1.00%

Function 01220808 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121230759.0000000001220000.00000040.00000020.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71112f32b4b16233625f29c7aebcd8a6d4f02ba1e70338faa8d65c72da0d7f20
Instruction ID: a28472cfce734e028225a2d73aa98a02a6ada5247173c95fa4dea80ae3524e48
Opcode Fuzzy Hash: 71112f32b4b16233625f29c7aebcd8a6d4f02ba1e70338faa8d65c72da0d7f20
Instruction Fuzzy Hash: 950184B24097447FD301CB55AC41C57BFECDFA6524B09C8AAED48DB601D235B918CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012205E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121230759.0000000001220000.00000040.00000020.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443215b475533a8a626b06ddff21eabbc828c927b89e355b1cac41d9c5ed97a0
Instruction ID: dc616799d750380621074a9c5382dd177fe17a4b72940556d8139dbff7f0b6bc
Opcode Fuzzy Hash: 443215b475533a8a626b06ddff21eabbc828c927b89e355b1cac41d9c5ed97a0
Instruction Fuzzy Hash: ED0186B65097806FC7118B15AC40853FFE9DF86220B1984ABE8899B612D225B918CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0122082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121230759.0000000001220000.00000040.00000020.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dbae34a8fa4524b66cce14f597c48c41d485a7d7dfa94cb3a26fe735a5be6a
Instruction ID: d2b13f55aa2484a2c4d63fb320e32118ca9aa1457592a7466cc07fe40d832ccf
Opcode Fuzzy Hash: 35dbae34a8fa4524b66cce14f597c48c41d485a7d7dfa94cb3a26fe735a5be6a
Instruction Fuzzy Hash: 1CF082B2805204ABD300DF45ED45856FBECEFA4521F14C56AED089B700E276AA198AE2

Uniqueness

Uniqueness Score: -1.00%

Function 01220606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121230759.0000000001220000.00000040.00000020.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1790d19e6d563485fbdfbb6ece8610349b5db2a612d1e3a82ca570a44cd1f70
Instruction ID: 0e093dbe7f77bf5b63f218c634d07976be1586a26d55c4183e6c454854523ec3
Opcode Fuzzy Hash: a1790d19e6d563485fbdfbb6ece8610349b5db2a612d1e3a82ca570a44cd1f70
Instruction Fuzzy Hash: 62E092B66046045BD650CF0AEC41452F7D8EB88630718C47FDC0D9B701D635B608CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 011D0C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123059fe15a781dd1c1f2f4328a38f0920b417140780610b651cb40250f3beb1
Instruction ID: 3062f9613d17e3a93f22d4319df3063acc9e0b520e05eed7851b353cf89babaa
Opcode Fuzzy Hash: 123059fe15a781dd1c1f2f4328a38f0920b417140780610b651cb40250f3beb1
Instruction Fuzzy Hash: 2EE0D831F182541FCB08DBF844511ED7FA19B89154FA444BED004D7351EB3989038B81

Uniqueness

Uniqueness Score: -1.00%

Function 011D0C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc7288fc5ac2dd817083cf7a534d28094fbac32e01e2b46e7db99e677f87ffc
Instruction ID: ab95dd52d3dd4fd55b2081d1dfdcb449587db466250439db0c99f3ce8d592564
Opcode Fuzzy Hash: 8bc7288fc5ac2dd817083cf7a534d28094fbac32e01e2b46e7db99e677f87ffc
Instruction Fuzzy Hash: F3D01232F142282B8B48DFF9584159E7AEA9B88164B64847DD109D7340EF3999028BC0

Uniqueness

Uniqueness Score: -1.00%

Function 011D0E09 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948514b7637a773371cc2ff191e260c5ad537f910f8128d2340a304e3abcadc2
Instruction ID: a82968f96cc3d1be17058467c3e99d397b61c8b3030a7fed1cb6e24da8f1f13d
Opcode Fuzzy Hash: 948514b7637a773371cc2ff191e260c5ad537f910f8128d2340a304e3abcadc2
Instruction Fuzzy Hash: CBD05B201583504FC7096778945A5983FE15B9B104F99D1F6D4449F1B7D769CC46C741

Uniqueness

Uniqueness Score: -1.00%

Function 011D0DD1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2b7fa9a001463d6c297a9d00dd15f883e1df0efefce329af67e1bf8168a7c1
Instruction ID: 174d276fef696c69beb81d4e227d00e551c0387119a75abd0e45032b4d3f648d
Opcode Fuzzy Hash: db2b7fa9a001463d6c297a9d00dd15f883e1df0efefce329af67e1bf8168a7c1
Instruction Fuzzy Hash: B0E02B3024C3804FC70AD7388829A997F611FD2104F99C1FED484DB1A7D3A8CC85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F023F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120864516.0000000000F02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f02000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b430fa73c0cb4f3631d56a40f08ce62759570299010af8185ec26f2044080f5b
Instruction ID: 9c8a4bbe501cd7a5dbf259aafa91c8e068fd3eb8d0c2b294cc0a5c8f495d7022
Opcode Fuzzy Hash: b430fa73c0cb4f3631d56a40f08ce62759570299010af8185ec26f2044080f5b
Instruction Fuzzy Hash: 06D05E796056C14FD316DE1CC1A8B9537D4BB61724F4A44FDAC008B7A3C768D981E610

Uniqueness

Uniqueness Score: -1.00%

Function 00F023BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4120864516.0000000000F02000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f02000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747af43a617b2105687b954301e38bf97b3d3c83453ffaa53ba7eaace13c980e
Instruction ID: c25bc63910f7c0473426381fc18ffd942f58c9466574f478a5440e8fe0e8abdc
Opcode Fuzzy Hash: 747af43a617b2105687b954301e38bf97b3d3c83453ffaa53ba7eaace13c980e
Instruction Fuzzy Hash: 35D05E357402814BCB15DE0CD6D9F5937D8AB50B25F0644ECAC108B7A2C7B8D9C0EA10

Uniqueness

Uniqueness Score: -1.00%

Function 011D0E18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b15315e4e9eea7a2737aa977a495cfea5dfd6e0f47035d8e89c02714914d1d3
Instruction ID: 5e71b457b84a0b27e438abd324fcc8e9d49bceb889a6b4afc385090c1be81079
Opcode Fuzzy Hash: 0b15315e4e9eea7a2737aa977a495cfea5dfd6e0f47035d8e89c02714914d1d3
Instruction Fuzzy Hash: 88C012302002048FD708A778D519A29779557D9209F94C56459485B255CB79EC41C784

Uniqueness

Uniqueness Score: -1.00%

Function 011D0DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4121209563.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11d0000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fdef7b72848c25acebe07d9765c24cc404f76b341828fd31d698a99298eee7
Instruction ID: 7df39f66cc204ba4f59c546d0d5379290ae745995627d0d196e3457b6607618f
Opcode Fuzzy Hash: c7fdef7b72848c25acebe07d9765c24cc404f76b341828fd31d698a99298eee7
Instruction Fuzzy Hash: 1DC012302002148FD708A778D419A2A779657D4208F55C56495484B255CB79EC80C7C4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

QR Codes

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\unarchiver.log

Chrome Cache Entry: 56

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: unarchiver.exePID: 6844, Parent PID: 2580

General

Chronological Activities

Windows Analysis Report
e8056c3dc4b573b95de1d3e68c4bfce889d7ec9824ea4a2f3873d19c309d09e7.zip

Function 00F0B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00F0AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00F0AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Function 00F0A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 00F0A120 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Function 00F0A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 00F0B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 00F0AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 00F0A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 00F0A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 00F0A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 00F0A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Function 00F0A6D4 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 00F0AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 00F0A392 Relevance: 1.6, APIs: 1, Instructions: 69
registryCOMMON