Edit tour

Windows Analysis Report
File-11F_385347.exe

Overview

General Information

Sample name:	File-11F_385347.exe
Analysis ID:	1432286
MD5:	08ea1813d6b205c446e6ae655c4e6715
SHA1:	76f4d2af1c04ec157fc8a270da5980ee6bcb5def
SHA256:	12288224d26607b30d026a32faf2ac7b49fc32acc8950eeaf60b933f2e39f48f
Tags:	Artemisexe
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	47
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

File-11F_385347.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\File-11F_385347.exe" MD5: 08EA1813D6B205C446E6AE655C4E6715)

chrome.exe (PID: 3716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: File-11F_385347.exe

Virustotal: Detection: 8%

Perma Link

Cryptography

Source: File-11F_385347.exe, 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_5626c899-d

Compliance

Uses 32bit PE files

Source: File-11F_385347.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: File-11F_385347.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.26.5.9:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49757 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: File-11F_385347.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.93
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 208.111.136.0
Source: unknown	TCP traffic detected without corresponding DNS query: 208.111.136.0
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112

Source: global traffic	HTTP traffic detected: GET /9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424 HTTP/1.1Host: contentworldinc.comUser-Agent: NSIS_InetLoad (Mozilla)Accept: /
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNHIr7EGIjBbcI5gdfmKwCdV__yDFi29L_2EfWEBQ0qVQQiZdNjzBeDdBnmbFvPJWbk3gUOEyDUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-17; NID=513=nnNvhDpc2wNur5rZ2GPGFYYW98DsoxA86Ww61SxrQhbN75bLgvGv66xto5kBou_BZhKvAQUkIJHuNQWnDyPOWmD2cDFR-PV6p_69ua1MuHp3KdSQzVdxG3lFb7byaUXTatUSMGCpLe3XoQ4DJntYUwZfNBnE2izQ4aeaz0zlO2U
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNLIr7EGIjCTne0bwf48RoRhZuPH4pFklPwwJFOSRYaI2xBpyQCasbMRMkTzYh04Cbc12bYZbG0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-17; NID=513=l_QNb-B5hpXOC8bBQtAnRM5M-JbSLPNITwf3h_zzOX-4tA7Uizy-BaeugZBG7UohQDR3Tb4z0cNNuel3fvNX5P-fJCml_L9vq2TTwKMYH4Rrj4_7jsYQ6-e9F0ZevySaj64gEML3uSW9TC_9wzv4XbwIZ6hlgXjNPVLsnuorypY
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: contentworldinc.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: File-11F_385347.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: File-11F_385347.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: File-11F_385347.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: File-11F_385347.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: File-11F_385347.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: File-11F_385347.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: File-11F_385347.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: File-11F_385347.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: File-11F_385347.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: File-11F_385347.exe	String found in binary or memory: http://ocsp.sectigo.com0M
Source: MPC-HC.1.9.13.x86.exe.0.dr	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: File-11F_385347.exe, 00000000.00000003.1873509339.0000000001507000.00000004.00000020.00020000.00000000.sdmp, File-11F_385347.exe, 00000000.00000002.1875482614.000000000152C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3
Source: File-11F_385347.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: File-11F_385347.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: File-11F_385347.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: File-11F_385347.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.26.5.9:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49757 version: TLS 1.2

System Summary

Detected potential crypto function

Source: C:\Users\user\Desktop\File-11F_385347.exe

Code function: 0_2_00AB1380

0_2_00AB1380

Uses 32bit PE files

Source: File-11F_385347.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus36.winEXE@15/3@3/5

Source: C:\Users\user\Desktop\File-11F_385347.exe

File created: C:\Users\user\AppData\Local\MPC-HC

Jump to behavior

Source: File-11F_385347.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\File-11F_385347.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: File-11F_385347.exe

Virustotal: Detection: 8%

Source: File-11F_385347.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s %u %s %s %u "%d%02d%02d %02d:%02d:%02d" %u %d

Source: C:\Users\user\Desktop\File-11F_385347.exe

File read: C:\Users\user\Desktop\File-11F_385347.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\File-11F_385347.exe "C:\Users\user\Desktop\File-11F_385347.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\File-11F_385347.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: File-11F_385347.exe

Static PE information: certificate valid

PE file has a big code size

Source: File-11F_385347.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: File-11F_385347.exe

Static file information: File size 23731296 > 1048576

PE file has a big raw section

Source: File-11F_385347.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6afe00

PE file contains a mix of data directories often seen in goodware

Source: File-11F_385347.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: File-11F_385347.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: File-11F_385347.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: File-11F_385347.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: File-11F_385347.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: File-11F_385347.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: File-11F_385347.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: File-11F_385347.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Source: File-11F_385347.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: File-11F_385347.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: File-11F_385347.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: File-11F_385347.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: File-11F_385347.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\File-11F_385347.exe

Code function: 0_2_010CB853 push ecx; ret

0_2_010CB866

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\File-11F_385347.exe

File created: C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe

Jump to dropped file

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\File-11F_385347.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe

Jump to dropped file

Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V VHDPMEM BTT Filter
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Storage Accelerator
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtual PCI Bus
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: File-11F_385347.exe, 00000000.00000003.1699127735.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Driver
Source: File-11F_385347.exe, 00000000.00000003.1708572666.000000000152C000.00000004.00000020.00020000.00000000.sdmp, File-11F_385347.exe, 00000000.00000003.1708752786.000000000152D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\File-11F_385347.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\File-11F_385347.exe

Code function: 0_2_011223FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_011223FD

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\File-11F_385347.exe	Code function: 0_2_0113553C mov eax, dword ptr fs:[00000030h]	0_2_0113553C
Source: C:\Users\user\Desktop\File-11F_385347.exe	Code function: 0_2_01126779 mov ecx, dword ptr fs:[00000030h]	0_2_01126779
Source: C:\Users\user\Desktop\File-11F_385347.exe	Code function: 0_2_011354F8 mov eax, dword ptr fs:[00000030h]	0_2_011354F8

Enables debug privileges

Source: C:\Users\user\Desktop\File-11F_385347.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\File-11F_385347.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\File-11F_385347.exe	Code function: 0_2_010CB057 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_010CB057
Source: C:\Users\user\Desktop\File-11F_385347.exe	Code function: 0_2_011223FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_011223FD

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\File-11F_385347.exe

Code function: 0_2_010CC06B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_010CC06B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
File-11F_385347.exe	4%	ReversingLabs	Win32.Malware.Snackarcin
File-11F_385347.exe	9%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
contentworldinc.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0M	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3	0%	Avira URL Cloud	safe
https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Virustotal		Browse
https://curl.se/docs/http-cookies.html	0%	Virustotal		Browse
https://curl.se/docs/alt-svc.html	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
contentworldinc.com	104.26.5.9	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.250.217.164	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNHIr7EGIjBbcI5gdfmKwCdV__yDFi29L_2EfWEBQ0qVQQiZdNjzBeDdBnmbFvPJWbk3gUOEyDUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNLIr7EGIjCTne0bwf48RoRhZuPH4pFklPwwJFOSRYaI2xBpyQCasbMRMkTzYh04Cbc12bYZbG0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://www.google.com/async/newtab_promos	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	File-11F_385347.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://curl.se/docs/hsts.html	File-11F_385347.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	File-11F_385347.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	File-11F_385347.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0M	File-11F_385347.exe	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	File-11F_385347.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	File-11F_385347.exe	false	URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html	File-11F_385347.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	File-11F_385347.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	MPC-HC.1.9.13.x86.exe.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	File-11F_385347.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	File-11F_385347.exe	false	URL Reputation: safe	unknown
https://curl.se/docs/alt-svc.html	File-11F_385347.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contentworldinc.com/9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3	File-11F_385347.exe, 00000000.00000003.1873509339.0000000001507000.00000004.00000020.00020000.00000000.sdmp, File-11F_385347.exe, 00000000.00000002.1875482614.000000000152C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.217.164	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.26.5.9	contentworldinc.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432286
Start date and time:	2024-04-26 19:26:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	File-11F_385347.exe
Detection:	SUS
Classification:	sus36.winEXE@15/3@3/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 72.21.81.240, 192.229.211.108, 142.250.217.195, 142.251.107.84, 142.250.189.142, 34.104.35.123
Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	https://cgigroup.blob.core.windows.net/cgi-protective-monitoring-service/tools/get-stinger.html	Get hash	malicious	Unknown	Browse
	https://unilever3.demdex.net/firstevent?d_event=click&d_bu=317196&c_medium=display&c_destination=Retailer&c_country=BD&c_campaignname=L-LifebuoyHandsanitizerLaunchComm&c_prodcat=CH1097&c_brandcode=BH0300&d_adgroup=All_KV&c_contenttype=display&c_source=Dhaka%20Tribune&d_rd=https://campaign-statistics.com/link_click/PidJvkyg2S_O4JTm/159dfdb0ade49a7c5597d3c1d9bd3d8a	Get hash	malicious	Unknown	Browse
	z55NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse
	Housecallpro Chase Bank ACH.htm	Get hash	malicious	Unknown	Browse
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTAxOTIyLCJtZXNzYWdlX2lkIjoiMGd4d3poYXc3czloeGZoZWNuNjNuYnFwIzg0YjRlN2VjLTdhZjUtNDU5Yi1hNTYxLWE1ZmVlMTE3NTllNiIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjM3OTIyLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGphbWVzLmZheUBjb3VudHluYXRpb25hbGJhbmsuY29tJnBhdGhzPWFib3ZlJmxpbms9RmF4X091dGxvb2siLCJpbmRpdmlkdWFsX2lkIjoiNDA4YWI4OGRlY2JmNDFjMjRhYTZhMDRlOWU1OWMzZDAifQ.i-tkK1Lnys-MM487ot1MrSYQb6ExLgZNRQbgsH8B2K0	Get hash	malicious	Captcha Phish	Browse
	http://relevanteduofficelogin.relevantedu.xyz	Get hash	malicious	HTMLPhisher	Browse
	Settlement DOL 08262024 - Victoria Brignon - Reference #27224675-2722934.html	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe	Get hash	malicious	Unknown	Browse
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTM3MzAwLCJtZXNzYWdlX2lkIjoiMGd5MGJnNjBqOTJwcmNuZjhhNHNxYWpwIzZjY2RmYjMyLWJiNzgtNGQwNC1hYWYwLTg3MjdkMTg4MjZlMyIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjczMzAwLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGhiYXJ0aGxvd0BzZWN1cnVzdGVjaG5vbG9naWVzLmNvbSZwYXRocz1hYm92ZSZsaW5rPUZheF9PdXRsb29rIiwiaW5kaXZpZHVhbF9pZCI6IjQ0NDY4NzI5YzA1N2Q5ZDJjYzNiYjZlOTc3NDg3MzUyIn0.AryFGbNWOut6hGg1x_WBQ4QL5QU_wggDk6q2PUj7rNI	Get hash	malicious	Captcha Phish	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://unilever3.demdex.net/firstevent?d_event=click&d_bu=317196&c_medium=display&c_destination=Retailer&c_country=BD&c_campaignname=L-LifebuoyHandsanitizerLaunchComm&c_prodcat=CH1097&c_brandcode=BH0300&d_adgroup=All_KV&c_contenttype=display&c_source=Dhaka%20Tribune&d_rd=https://campaign-statistics.com/link_click/PidJvkyg2S_O4JTm/159dfdb0ade49a7c5597d3c1d9bd3d8a	Get hash	malicious	Unknown	Browse	104.17.2.184
	WAdE7vk6kk.exe	Get hash	malicious	Unknown	Browse	104.21.65.101
	Housecallpro Chase Bank ACH.htm	Get hash	malicious	Unknown	Browse	104.17.24.14
	Settlement DOL 08262024 - Victoria Brignon - Reference #27224675-2722934.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://url9212.charteredarena.org/ls/click?upn=u001.kjyKVeM-2Fb1rGOGHOnr1jOBOY3L3JqbNTsl6-2FG2Q28FBbMvScULOdn5hj4fYmOT1gSvNV_eFFQU5nW4TX33oYM-2FvMZ4H4nrQnEbWOt7nYb46lhhradIe8kQ30nH41Yux5-2ByqjXVzNOeRGeH70TSwGBG-2FsCyfS-2BqFuy7r7yA-2BMVhshonhVyPepAGojJAWOStPfHQEXVhS9QapMz6-2FLiLkIDitr77rwl6cV3-2BOVbi0qMHcpubANPDna-2BAJRWKHhsn2J-2BHsm2h-2B1n0PvhIvECyeSGKW-2FdmoYnwMnfXv-2F0VHDQdAF4JyTklFAWOdWvqmq9QaL29M0Lqvm9PdkAaDucmiv1yWhzGJ-2FSlIlic4yMaUzKSM2tXbVKRT-2BcTJHrLGjV82z-2BxMi-2FPWDvS9vQSeDz0xjN0gvzYnMQqfZiJ7fdvgXYvIvcGvziknMmHkQ7sUHmtLIGr6gsv-2FI2qInnZxnaJ1Ow7w3sMmgc-2FLcAEaJe5QnWJ5qez1H3mc7J1f4VLI4PyjCxv7syUPC13rDkwMklRiABfKztYQ3n9LW3FeH4hgMGYJgJovBs-2FKlVUipIzO24iLrfZpg-2FS6-2Fvp-2BRnBXh4Gim5LY7NxdelnIZomgKJ8r1gxfM163jd5ekCcUFZcZJn8BUr-2FrBOq6vvyf5Ut44ln9oAHSsmy2ecvwUHxQ-2Bo0mJA2r9a8FeSV3APNVBZowUa1ZGpOSvbZRLc6uZxrFl3fSWY774fhm-2Fl3qG7s-2BRWj2lGIHB3NEqH1X520Diu5Le7soeKgWoeaLCSrT5v7lt-2B7XayjukGYP4Yz5jSqZD2gXDxl443sgS6brqBQ3LKHfRN7s2NZ-2F6nWblHw6-2BLG-2FTduGCq0lMfhnVz7mFWLyKhJHvoE3C2dN6qv1-2FpHnRcIGopoYVEdZ-2F182c7Ll7OsxlzgTKemGKriHFjxwOhwkIoHVdgcJWnLS8-3D	Get hash	malicious	Unknown	Browse	1.1.1.1
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	104.21.85.118
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	104.21.85.118
	https://gelw.nalverd.com/AvGEoxV/	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Packing List PDF.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	POattach.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://unilever3.demdex.net/firstevent?d_event=click&d_bu=317196&c_medium=display&c_destination=Retailer&c_country=BD&c_campaignname=L-LifebuoyHandsanitizerLaunchComm&c_prodcat=CH1097&c_brandcode=BH0300&d_adgroup=All_KV&c_contenttype=display&c_source=Dhaka%20Tribune&d_rd=https://campaign-statistics.com/link_click/PidJvkyg2S_O4JTm/159dfdb0ade49a7c5597d3c1d9bd3d8a	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	z55NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	23.204.76.112 20.114.59.183
	Housecallpro Chase Bank ACH.htm	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTAxOTIyLCJtZXNzYWdlX2lkIjoiMGd4d3poYXc3czloeGZoZWNuNjNuYnFwIzg0YjRlN2VjLTdhZjUtNDU5Yi1hNTYxLWE1ZmVlMTE3NTllNiIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjM3OTIyLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGphbWVzLmZheUBjb3VudHluYXRpb25hbGJhbmsuY29tJnBhdGhzPWFib3ZlJmxpbms9RmF4X091dGxvb2siLCJpbmRpdmlkdWFsX2lkIjoiNDA4YWI4OGRlY2JmNDFjMjRhYTZhMDRlOWU1OWMzZDAifQ.i-tkK1Lnys-MM487ot1MrSYQb6ExLgZNRQbgsH8B2K0	Get hash	malicious	Captcha Phish	Browse	23.204.76.112 20.114.59.183
	http://relevanteduofficelogin.relevantedu.xyz	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183
	Settlement DOL 08262024 - Victoria Brignon - Reference #27224675-2722934.html	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	23.204.76.112 20.114.59.183
	https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe	Get hash	malicious	Unknown	Browse	23.204.76.112 20.114.59.183
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MTM3MzAwLCJtZXNzYWdlX2lkIjoiMGd5MGJnNjBqOTJwcmNuZjhhNHNxYWpwIzZjY2RmYjMyLWJiNzgtNGQwNC1hYWYwLTg3MjdkMTg4MjZlMyIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjczMzAwLCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtbWVzc2FuZ2VyLnJkb2NtZ2xvYmFsLmNvbS9kb2NzL2luZGV4LnBocD9tYWlsPSUyMGhiYXJ0aGxvd0BzZWN1cnVzdGVjaG5vbG9naWVzLmNvbSZwYXRocz1hYm92ZSZsaW5rPUZheF9PdXRsb29rIiwiaW5kaXZpZHVhbF9pZCI6IjQ0NDY4NzI5YzA1N2Q5ZDJjYzNiYjZlOTc3NDg3MzUyIn0.AryFGbNWOut6hGg1x_WBQ4QL5QU_wggDk6q2PUj7rNI	Get hash	malicious	Captcha Phish	Browse	23.204.76.112 20.114.59.183
	https://srmcorp.tecuidoc.com/?PSZlk=ViP	Get hash	malicious	HTMLPhisher	Browse	23.204.76.112 20.114.59.183
74954a0c86284d0d6e1c4efefe92b521	23-April-24-ACH-29be82ea.jar	Get hash	malicious	Unknown	Browse	104.26.5.9
	https://upd100.appspot.com/update/u.bat	Get hash	malicious	Unknown	Browse	104.26.5.9
	knfV5IVjEV.lnk	Get hash	malicious	Unknown	Browse	104.26.5.9
	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	104.26.5.9
	23-April-24-ACH-7fa67756.jar	Get hash	malicious	Unknown	Browse	104.26.5.9
	23-April-24-ACH-7fa67756.jar	Get hash	malicious	Unknown	Browse	104.26.5.9
	New Soft Update.exe	Get hash	malicious	Unknown	Browse	104.26.5.9
	u2.bat	Get hash	malicious	Bazar Loader, Qbot	Browse	104.26.5.9
	SecuriteInfo.com.Python.Stealer.1447.10844.3562.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	104.26.5.9
	4PPlLk8IT5.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	104.26.5.9

Process:	C:\Users\user\Desktop\File-11F_385347.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16392237
Entropy (8bit):	7.99861209953994
Encrypted:	true
SSDEEP:	393216:gE8nxnfUcXAbCaUQawechoJTIhxlpJYBAe:gvfAb2QnexshxlpKBp
MD5:	08A6FBB57D5B456414B71B260F749C9E
SHA1:	4F9ED2014C8E01C07ED922681A7D3A666CA0940D
SHA-256:	37037553E81DE20E2D0869388D4AAEEEC8D807EA0447DC4C822FE9C4A6FADA1F
SHA-512:	4AA932E363E1C42964CC887A723C10AB78F6D8CFBB5676B567525D57534FF4F3E4D14BA0263EA37BB2E32F1E4B8AF1E59C1B75626396F2DC705F77F13D4B8524
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W..................................... ....@..........................p............@......@......................................p............................................................................................................text...D........................... ..`.itext..d........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.................&...................rdata...............&..............@..@.rsrc...p............(..............@..@....................................@..@........................................................................................................................................

Chrome Cache Entry: 39

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (745)
Category:	downloaded
Size (bytes):	750
Entropy (8bit):	5.113927133166416
Encrypted:	false
SSDEEP:	12:uB3B0FZyBmTp73OerBHslriFTAYsSw7sZAnIIIIIII5wuCPXIwuGHHHHHHHYZw4w:O+IBmt7eMBHslgT9lCuABuoB7HHHHHHp
MD5:	FAD0A0F879371633AAC0778F553F96D8
SHA1:	2F29A3F84142CAB6A544ADCC4AD9BFB9327924AF
SHA-256:	39ABB2F7967F9BF2B7C5E2071C5AC3AE20E8B0E9D87D333DE5E2C94AB6DE386D
SHA-512:	D4F79DC3E2BC7BB4DCC3524384AE50AAF4628EAD9A09ED576FE803421D13C92017E1C3CB445F7C5C4F6D82E3B2BA029C47C44991D143FC1980DD77E32EBBD68B
Malicious:	false
Reputation:	low
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["chicago bears stadium","meta stocks","laguardia airport","daily horoscope today libra","fallout 4 next gen update","nasa mars spiders","los angeles rams draft picks","velma season 2 review"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.686122497274493
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	File-11F_385347.exe
File size:	23'731'296 bytes
MD5:	08ea1813d6b205c446e6ae655c4e6715
SHA1:	76f4d2af1c04ec157fc8a270da5980ee6bcb5def
SHA256:	12288224d26607b30d026a32faf2ac7b49fc32acc8950eeaf60b933f2e39f48f
SHA512:	a900bd2c4f33dc915fa27911620fafad76139da7c3d58ce3f40b7c2a1dcb11e893dc5b0cde7a74f93d6f1f5dc2ff949141b20f9c7d09a8bc3b9517f861c361e1
SSDEEP:	393216:m8bMktzgHgxUv/1n6b121UnyuecRZndSk9bGWqCgu5op+wiCYCr2sfqisfU:m8bMkM1n6b121UnyuLEkTqA5a+Nc2sf6
TLSH:	A737AEC99266F984E3E108B1161973D04A5319353B25CAE97F8317DE173818AFEB0F7A
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......W..s... ... ... 4$. ... ..' ... ..! ... ..7 ... 4$. ... ... 9.. ..0 ... ..> ... ..& ... .. ... ..% ... Rich... ...............

File Icon


Icon Hash:	b8868baba9aba2d8

Static PE Info

General

Entrypoint:	0xa1bbf0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6622A3B2 [Fri Apr 19 17:02:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	54fd1bf9eef8b65eee1ffc42a5a83e2c

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	18/08/2023 01:00:00 18/08/2024 00:59:59
Subject Chain	CN=Cyber Holding Partners LLC, O=Cyber Holding Partners LLC, S=New Jersey, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=New Jersey, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=0450768115
Version:	3
Thumbprint MD5:	9F6024222A122AF737C6E696FF357C9E
Thumbprint SHA-1:	F08E233859A8F79ADD05BA4A96FF5FFB1FD28057
Thumbprint SHA-256:	CFB460E5E314F4E6D78210E59B1A00C578395DDEB11CB7EBF5C9671C6C84A189
Serial:	00F14C5E6AB968284264F1B070B99D3C70

Entrypoint Preview

Instruction
call 00007FD148E7492Bh
jmp 00007FD148E74343h
jmp dword ptr [00AB14D0h]
push 00A6DE50h
push dword ptr fs:[00000000h]
mov eax, dword ptr [esp+10h]
mov dword ptr [esp+10h], ebp
lea ebp, dword ptr [esp+10h]
sub esp, eax
push ebx
push esi
push edi
mov eax, dword ptr [00AF7064h]
xor dword ptr [ebp-04h], eax
xor eax, ebp
push eax
mov dword ptr [ebp-18h], esp
push dword ptr [ebp-08h]
mov eax, dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFEh
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
ret
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD1488DEFDCh
mov dword ptr [esi], 00ACCCECh
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00ACCCF4h
mov dword ptr [ecx], 00ACCCECh
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD1488DEFA9h
mov dword ptr [esi], 00ACCD08h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0000CD10h

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[IMP] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[EXP] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6f4e14	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x702000	0x2488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x169f2b0	0x29b0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x705000	0x182e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6e8910	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6e898c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6e8930	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6b1000	0x4d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6afd5d	0x6afe00	22d2826d0587699dec9f84a9a9d09eda	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6b1000	0x456fe	0x45800	d88947d434aa42f6bbdffcb54a83f787	False	0.411585965602518	data	5.608402342408538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6f7000	0x8a88	0x3600	ba799200c79b6fd5e2db1b4354347f21	False	0.2107204861111111	data	4.535916250793366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x700000	0xa7c	0xc00	fdcf7d44757eb126dce8adc72d08e7a6	False	0.3567708333333333	Spectrum .TAP data "\012 " - BASIC program	3.2645031321793825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x701000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x702000	0x2488	0x2600	dba559e0141e4cc974f425e80325c6e2	False	0.31219161184210525	data	3.7691741292226077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x705000	0x182e0	0x18400	3dafa41774725e077f3cd68ed02697aa	False	0.6071701836340206	data	6.579199318519773	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x702820	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0x702b08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_DIALOG	0x7031a8	0x1fc	data	English	United States	0.4704724409448819
RT_DIALOG	0x702c58	0x12e	data	English	United States	0.6225165562913907
RT_DIALOG	0x702d88	0x2f4	data	English	United States	0.48148148148148145
RT_DIALOG	0x703080	0x126	data	English	United States	0.5850340136054422
RT_STRING	0x703a08	0x3e	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.6774193548387096
RT_STRING	0x7039c0	0x42	data	English	United States	0.7121212121212122
RT_STRING	0x703a48	0x60	data	English	United States	0.5625
RT_STRING	0x704458	0x30	data	English	United States	0.5833333333333334
RT_STRING	0x703aa8	0x208	Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0	English	United States	0.4269230769230769
RT_STRING	0x703cb0	0xe2	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.43805309734513276
RT_STRING	0x703d98	0x34	data	English	United States	0.6538461538461539
RT_STRING	0x703dd0	0x30	data	English	United States	0.6041666666666666
RT_STRING	0x703e00	0x6e	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	English	United States	0.6818181818181818
RT_STRING	0x703e70	0x11a	data	English	United States	0.5035460992907801
RT_STRING	0x703f90	0x6a	data	English	United States	0.5471698113207547
RT_STRING	0x703988	0x32	data	English	United States	0.58
RT_STRING	0x704000	0x1ea	data	English	United States	0.363265306122449
RT_STRING	0x7041f0	0x156	Matlab v4 mat-file (little endian) U, numeric, rows 0, columns 0	English	United States	0.5175438596491229
RT_STRING	0x704348	0x56	data	English	United States	0.6162790697674418
RT_STRING	0x7043a0	0xb6	data	English	United States	0.5164835164835165
RT_GROUP_ICON	0x702c30	0x22	data	English	United States	1.0
RT_VERSION	0x702550	0x2d0	data	English	United States	0.44166666666666665
RT_MANIFEST	0x7033a8	0x5de	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.46604527296937415

Imports

DLL	Import
KERNEL32.dll	GetCurrentThread, InitializeCriticalSectionAndSpinCount, GetDateFormatW, SleepEx, DeleteTimerQueueTimer, GetModuleHandleA, GetModuleHandleExW, GetCurrentProcessId, FileTimeToSystemTime, GetVersionExW, GetModuleHandleW, SetFileTime, ReadFile, VirtualProtect, SetFileAttributesW, GlobalMemoryStatus, LocalFree, GetFileAttributesExW, lstrcatA, GetConsoleMode, CreateThread, GetEnvironmentVariableA, LoadLibraryExW, CompareFileTime, EnterCriticalSection, GetCPInfo, CreateEventW, CompareStringW, TlsAlloc, GetTimeZoneInformation, GetSystemDirectoryW, ReadConsoleW, UnregisterWait, DeleteCriticalSection, GetFileType, GetCommandLineW, GetUserDefaultLCID, GetStartupInfoW, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapSize, UnhandledExceptionFilter, WriteConsoleW, WriteFile, RtlUnwind, CreateDirectoryW, GlobalFree, GetSystemTimeAsFileTime, RaiseException, QueryPerformanceCounter, SetFilePointerEx, WaitForMultipleObjects, GetFileSizeEx, UnregisterWaitEx, GetThreadPriority, GetFullPathNameW, FindClose, DeleteFileW, QueryDepthSList, RemoveDirectoryW, GetProcessHeap, TryEnterCriticalSection, MultiByteToWideChar, FreeEnvironmentStringsW, GetACP, WaitForSingleObjectEx, GetFileAttributesW, TerminateProcess, EncodePointer, GetEnvironmentStringsW, VerifyVersionInfoW, DecodePointer, SystemTimeToTzSpecificLocalTime, SetEvent, GetThreadTimes, GetCommandLineA, FormatMessageW, GetLastError, GlobalAlloc, VerSetConditionMask, ReleaseSemaphore, LeaveCriticalSection, DuplicateHandle, InitializeCriticalSection, LoadLibraryW, ExitProcess, GetProcessAffinityMask, InitializeSListHead, GetVersion, GetProcAddress, HeapFree, GetCurrentDirectoryW, GetSystemInfo, SetEnvironmentVariableW, RegisterWaitForSingleObject, FlushFileBuffers, PeekNamedPipe, FreeLibraryAndExitThread, GetTimeFormatW, SetLastError, HeapReAlloc, FindFirstFileExW, Sleep, LCMapStringW, FreeLibrary, SignalObjectAndWait, SetEndOfFile, GetCurrentProcess, CreateFileW, EnumSystemLocalesW, GetDriveTypeW, QueryPerformanceFrequency, InterlockedPopEntrySList, SetThreadPriority, CreateTimerQueueTimer, VirtualAlloc, SetThreadAffinityMask, GetCurrentThreadId, GetStringTypeW, GetLocaleInfoW, SetFilePointer, WideCharToMultiByte, ResetEvent, GetLogicalProcessorInformation, GetNumaHighestNodeNumber, GlobalUnlock, MoveFileExW, IsValidCodePage, AcquireSRWLockExclusive, InterlockedFlushSList, GetConsoleOutputCP, IsValidLocale, CloseHandle, InterlockedPushEntrySList, GetOEMCP, VirtualFree, GetTickCount64, CreateSemaphoreW, CreateTimerQueue, InitializeCriticalSectionEx, SetPriorityClass, ChangeTimerQueueTimer, lstrlenA, TlsSetValue, IsProcessorFeaturePresent, GetFileInformationByHandle, FindNextFileW, GetFileSize, MoveFileW, GlobalLock, FileTimeToLocalFileTime, GetLogicalDriveStringsW, FindFirstFileW, TlsGetValue, WaitForSingleObject, HeapAlloc, GetTickCount, GetStdHandle, ExitThread, SetStdHandle, ReleaseSRWLockExclusive, TlsFree, GetModuleFileNameW, SwitchToThread
USER32.dll	KillTimer, GetWindowRect, IsDlgButtonChecked, SetTimer, MapDialogRect, CheckDlgButton, GetWindowTextLengthW, LoadCursorW, SystemParametersInfoW, SetDlgItemTextW, GetWindowTextW, GetWindowLongW, OpenClipboard, CloseClipboard, MessageBoxA, MonitorFromWindow, EmptyClipboard, GetParent, SetClipboardData, SetFocus, PostMessageW, GetDlgItem, LoadIconW, CharUpperW, LoadStringW, GetKeyState, SetWindowLongW, DialogBoxParamW, ScreenToClient, InvalidateRect, MessageBoxW, EnableWindow, EndDialog, SetWindowTextW, SetCursor, GetFocus, wsprintfA, SendMessageW, GetMonitorInfoA, MoveWindow, ShowWindow
ADVAPI32.dll	CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CloseServiceHandle, CryptImportKey, CryptDestroyKey, CryptReleaseContext, CryptDestroyHash, CryptEncrypt
SHELL32.dll	SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderPathW, SHBrowseForFolderW
ole32.dll	OleInitialize, CoUninitialize, CoCreateInstance, CoTaskMemFree, CoInitialize
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear, SysAllocStringLen, SysStringLen
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertAddCertificateContextToStore, CryptDecodeObjectEx, CertOpenStore, CryptStringToBinaryW, CertFindCertificateInStore, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateContext, PFXImportCertStore, CertFreeCertificateChain, CertCloseStore, CertEnumCertificatesInStore, CertGetNameStringW, CryptQueryObject, CertFindExtension
WLDAP32.dll
WS2_32.dll	recvfrom, sendto, getpeername, ioctlsocket, gethostname, WSAWaitForMultipleEvents, getaddrinfo, getsockopt, send, WSAResetEvent, WSAEnumNetworkEvents, WSACreateEvent, socket, WSAEventSelect, WSAIoctl, closesocket, WSAGetLastError, ntohs, WSASetLastError, WSAStartup, WSACleanup, htons, setsockopt, WSACloseEvent, __WSAFDIsSet, select, accept, bind, connect, getsockname, htonl, listen, recv, freeaddrinfo

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 19:26:59.538575888 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:27:05.793345928 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:05.793375969 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:05.793440104 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:05.806127071 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:05.806143999 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:06.074327946 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:06.074428082 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:06.078320026 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:06.078334093 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:06.078635931 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:06.083605051 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:06.124129057 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:06.477555037 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:06.477665901 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:06.477777004 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:06.496902943 CEST	49735	443	192.168.2.4	104.26.5.9
Apr 26, 2024 19:27:06.496939898 CEST	443	49735	104.26.5.9	192.168.2.4
Apr 26, 2024 19:27:09.148166895 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 19:27:23.294423103 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:23.294461966 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:23.294543028 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:23.296345949 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:23.296358109 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:23.931346893 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:23.931443930 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:23.936835051 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:23.936851025 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:23.937268972 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:23.991633892 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.417726994 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.459108114 CEST	49723	80	192.168.2.4	23.45.182.93
Apr 26, 2024 19:27:26.460119963 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.584160089 CEST	80	49723	23.45.182.93	192.168.2.4
Apr 26, 2024 19:27:26.584296942 CEST	49723	80	192.168.2.4	23.45.182.93
Apr 26, 2024 19:27:26.824908972 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.824995041 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825017929 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825035095 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825073957 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825092077 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825112104 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.825146914 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825167894 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.825197935 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.825495958 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825558901 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.825567961 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.825696945 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.829905033 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.901432991 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.901465893 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:26.901484013 CEST	49736	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:27:26.901489973 CEST	443	49736	20.114.59.183	192.168.2.4
Apr 26, 2024 19:27:37.768564939 CEST	80	49724	208.111.136.0	192.168.2.4
Apr 26, 2024 19:27:37.768709898 CEST	49724	80	192.168.2.4	208.111.136.0
Apr 26, 2024 19:27:37.768810987 CEST	49724	80	192.168.2.4	208.111.136.0
Apr 26, 2024 19:27:37.895354033 CEST	80	49724	208.111.136.0	192.168.2.4
Apr 26, 2024 19:27:47.238781929 CEST	49731	80	192.168.2.4	172.64.149.23
Apr 26, 2024 19:27:47.238828897 CEST	49732	80	192.168.2.4	104.18.38.233
Apr 26, 2024 19:27:47.238869905 CEST	49730	80	192.168.2.4	104.18.38.233
Apr 26, 2024 19:27:47.363337994 CEST	80	49732	104.18.38.233	192.168.2.4
Apr 26, 2024 19:27:47.363456964 CEST	49732	80	192.168.2.4	104.18.38.233
Apr 26, 2024 19:27:47.363826990 CEST	80	49731	172.64.149.23	192.168.2.4
Apr 26, 2024 19:27:47.363892078 CEST	49731	80	192.168.2.4	172.64.149.23
Apr 26, 2024 19:27:47.364345074 CEST	80	49730	104.18.38.233	192.168.2.4
Apr 26, 2024 19:27:47.364393950 CEST	49730	80	192.168.2.4	104.18.38.233
Apr 26, 2024 19:28:04.999218941 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:04.999250889 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:04.999315023 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:04.999722004 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:04.999737024 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:05.612243891 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:05.612327099 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:05.616559982 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:05.616573095 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:05.616796970 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:05.625123024 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:05.668133020 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215008974 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215063095 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215105057 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215140104 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.215167046 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215204954 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.215233088 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.215323925 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215362072 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215440035 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.215446949 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215513945 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.215521097 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.215610027 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.223395109 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.223395109 CEST	49741	443	192.168.2.4	20.114.59.183
Apr 26, 2024 19:28:06.223414898 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:06.223424911 CEST	443	49741	20.114.59.183	192.168.2.4
Apr 26, 2024 19:28:48.423017979 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.423098087 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.423193932 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.423219919 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.423238993 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.423552990 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.423579931 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.423593044 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.423937082 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.423963070 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.466087103 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.466105938 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.466171980 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.466412067 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.466428041 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.513073921 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.513118982 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.513463974 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.513885975 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.513916016 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.818263054 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.818614960 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.818631887 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.819684982 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.819786072 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.821146011 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.821249962 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.821427107 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.853456020 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.853727102 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.853739023 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.854768038 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.854827881 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.855823040 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.855887890 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.856198072 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.856206894 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.866661072 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.866679907 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.905495882 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.910548925 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.910581112 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.911722898 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.911794901 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.913820028 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.929441929 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.944864988 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.944977045 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.946069002 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:48.946084023 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:48.991936922 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:49.222712040 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.222754955 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.222810030 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:49.222822905 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.225841045 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.225895882 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:49.539467096 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.539525032 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:49.539539099 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.540915012 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.540957928 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:49.556018114 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.556088924 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:49.556106091 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.559663057 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.559708118 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:49.775712013 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:49.824795961 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.605576038 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.605629921 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.607034922 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.607100964 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.607907057 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.607978106 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.619592905 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.619611979 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.623333931 CEST	49747	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.623351097 CEST	443	49747	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.714802980 CEST	49748	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.714813948 CEST	443	49748	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.716296911 CEST	49746	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.716305971 CEST	443	49746	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.718765974 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.718795061 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.718847990 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.719261885 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:50.719276905 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:50.725224972 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.046986103 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.047775984 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.047791004 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.048261881 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.048593044 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.048672915 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.048676014 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.096133947 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.101496935 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.101573944 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.101612091 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.101655960 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.101713896 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.102775097 CEST	49745	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.102809906 CEST	443	49745	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.104758024 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.104784012 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.104835033 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.105074883 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.105093956 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.105752945 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.402848005 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.402972937 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.403043032 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.403055906 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.403285980 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.403381109 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.404496908 CEST	49749	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.404515982 CEST	443	49749	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.435236931 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.435486078 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.435503960 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.435834885 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.436157942 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.436223984 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.436323881 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.484112024 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.763351917 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.763386965 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.763411045 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.763443947 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.763463974 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.763520002 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.763638020 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.763695002 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:51.763777971 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.765655041 CEST	49753	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:51.765667915 CEST	443	49753	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:52.481137037 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:52.481185913 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:52.481271029 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:52.481507063 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:52.481513023 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:52.874917030 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:52.875257969 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:52.875274897 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:52.875729084 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:52.876077890 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:52.876172066 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:28:52.927851915 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:28:55.285180092 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.285265923 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.285340071 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.286478996 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.286513090 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.545401096 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.545512915 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.547245979 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.547266960 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.547549009 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.586390018 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.628133059 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.790136099 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.790199041 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.790266991 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.790402889 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.790422916 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.790435076 CEST	49756	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.790441036 CEST	443	49756	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.824489117 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.824516058 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:55.824605942 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.825079918 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:55.825092077 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.078519106 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.078710079 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:56.079960108 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:56.079979897 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.080214977 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.081557989 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:56.128113031 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.327789068 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.328382015 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.328464985 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:56.328731060 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:56.328731060 CEST	49757	443	192.168.2.4	23.204.76.112
Apr 26, 2024 19:28:56.328752995 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:28:56.328761101 CEST	443	49757	23.204.76.112	192.168.2.4
Apr 26, 2024 19:29:02.873841047 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:29:02.874026060 CEST	443	49754	142.250.217.164	192.168.2.4
Apr 26, 2024 19:29:02.874095917 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:29:03.387440920 CEST	49754	443	192.168.2.4	142.250.217.164
Apr 26, 2024 19:29:03.387495041 CEST	443	49754	142.250.217.164	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 19:27:05.660631895 CEST	52504	53	192.168.2.4	1.1.1.1
Apr 26, 2024 19:27:05.787477016 CEST	53	52504	1.1.1.1	192.168.2.4
Apr 26, 2024 19:27:25.821840048 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 19:28:48.014345884 CEST	53	61744	1.1.1.1	192.168.2.4
Apr 26, 2024 19:28:48.291964054 CEST	55201	53	192.168.2.4	1.1.1.1
Apr 26, 2024 19:28:48.292228937 CEST	56612	53	192.168.2.4	1.1.1.1
Apr 26, 2024 19:28:48.329982042 CEST	53	51753	1.1.1.1	192.168.2.4
Apr 26, 2024 19:28:48.417093992 CEST	53	56612	1.1.1.1	192.168.2.4
Apr 26, 2024 19:28:48.417182922 CEST	53	55201	1.1.1.1	192.168.2.4
Apr 26, 2024 19:28:50.835720062 CEST	53	63155	1.1.1.1	192.168.2.4
Apr 26, 2024 19:29:09.445820093 CEST	53	64723	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 19:27:05.660631895 CEST	192.168.2.4	1.1.1.1	0x3000	Standard query (0)	contentworldinc.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:28:48.291964054 CEST	192.168.2.4	1.1.1.1	0x2a2a	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:28:48.292228937 CEST	192.168.2.4	1.1.1.1	0xa48	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 19:27:05.787477016 CEST	1.1.1.1	192.168.2.4	0x3000	No error (0)	contentworldinc.com	104.26.5.9	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:05.787477016 CEST	1.1.1.1	192.168.2.4	0x3000	No error (0)	contentworldinc.com	104.26.4.9	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:27:05.787477016 CEST	1.1.1.1	192.168.2.4	0x3000	No error (0)	contentworldinc.com	172.67.71.130	A (IP address)	IN (0x0001)	false
Apr 26, 2024 19:28:48.417093992 CEST	1.1.1.1	192.168.2.4	0xa48	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 26, 2024 19:28:48.417182922 CEST	1.1.1.1	192.168.2.4	0x2a2a	No error (0)	www.google.com	142.250.217.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

contentworldinc.com

slscr.update.microsoft.com

www.google.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	104.26.5.9	443	6404	C:\Users\user\Desktop\File-11F_385347.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:27:06 UTC	179	OUT	GET /9BEC55CF2367EE37/28571844681/59AFA49E14E6A1FD/71415242461?E560AB4B6913F3951714152424 HTTP/1.1 Host: contentworldinc.com User-Agent: NSIS_InetLoad (Mozilla) Accept: /
2024-04-26 17:27:06 UTC	550	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 17:27:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zeQ9dWkAlVG1IknR0n%2FoBjsfT%2F5hX1GX0SnbvXca23WtsQmy2uUuLuqQB8VZMopXzsRunjo7vAXsrwN6Emd%2FmfoYnNntoQkbSlgbOHGp3oxQrDrSxFR%2BbVKTriCC9DIcnT0PFlc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a848185d5831e6-MIA
2024-04-26 17:27:06 UTC	38	IN	Data Raw: 32 30 0d 0a 35 43 42 39 46 42 31 42 33 46 38 30 30 38 42 41 44 33 44 30 38 42 46 37 36 39 32 45 45 41 36 44 0d 0a Data Ascii: 205CB9FB1B3F8008BAD3D08BF7692EEA6D
2024-04-26 17:27:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:27:26 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 17:27:26 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b21a8092-65e6-4a50-af51-30be1d921db5 MS-RequestId: 477bb6cf-dd6f-4dce-8b7b-54852e0e0f9d MS-CV: SsOA15RTuEWPQ5Mq.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 17:27:26 GMT Connection: close Content-Length: 24490
2024-04-26 17:27:26 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-26 17:27:26 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:05 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lKGzUXrWxPethMt&MD=L1MXdGvK HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 17:28:06 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: b7536f40-d703-4ec2-92b6-75b90251f71e MS-RequestId: 05c74f71-c873-44c6-afd8-0a3a5318c3ac MS-CV: sOZr4o1J00+FBwBc.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 17:28:05 GMT Connection: close Content-Length: 25457
2024-04-26 17:28:06 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-26 17:28:06 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49746	142.250.217.164	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:48 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 17:28:49 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 17:28:49 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-dfPAdCI6YoA9ZIlNqAV9AQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 17:28:49 UTC	757	IN	Data Raw: 32 65 65 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 63 68 69 63 61 67 6f 20 62 65 61 72 73 20 73 74 61 64 69 75 6d 22 2c 22 6d 65 74 61 20 73 74 6f 63 6b 73 22 2c 22 6c 61 67 75 61 72 64 69 61 20 61 69 72 70 6f 72 74 22 2c 22 64 61 69 6c 79 20 68 6f 72 6f 73 63 6f 70 65 20 74 6f 64 61 79 20 6c 69 62 72 61 22 2c 22 66 61 6c 6c 6f 75 74 20 34 20 6e 65 78 74 20 67 65 6e 20 75 70 64 61 74 65 22 2c 22 6e 61 73 61 20 6d 61 72 73 20 73 70 69 64 65 72 73 22 2c 22 6c 6f 73 20 61 6e 67 65 6c 65 73 20 72 61 6d 73 20 64 72 61 66 74 20 70 69 63 6b 73 22 2c 22 76 65 6c 6d 61 20 73 65 61 73 6f 6e 20 32 20 72 65 76 69 65 77 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 Data Ascii: 2ee)]}'["",["chicago bears stadium","meta stocks","laguardia airport","daily horoscope today libra","fallout 4 next gen update","nasa mars spiders","los angeles rams draft picks","velma season 2 review"],["","","","","","","",""],[],{"google:clientdata
2024-04-26 17:28:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	142.250.217.164	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:48 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 17:28:49 UTC	1816	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgRmgZjcGNHIr7EGIjBpXi1bMb_66QlCyN3sgc8JYM6R2OJyHF0CBlRlOmuddW9dcxZmEoP27OdU5HFX4ocyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwI0civsQYQhfrXzQESBGaBmNw Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 17:28:49 GMT Server: gws Content-Length: 427 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-17; expires=Sun, 26-May-2024 17:28:49 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=ZfEcm-zOwsJr77wMIUQJPGQjLuije-xPdyFt6xeEszeL3sQ-pNTuXWEtH0_AeNPiMHeoB7d9sKPHameP3t41tSyJFk7-L4y4YhAISIePsLf-23iqSqMjBtxGbk3sRJdBh5bQS2-C61_mCae2w5FQ5ANk2maxZEkU1B8wRiVRQVY; expires=Sat, 26-Oct-2024 17:28:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 17:28:49 UTC	427	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	142.250.217.164	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:48 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 17:28:49 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNHIr7EGIjBbcI5gdfmKwCdV__yDFi29L_2EfWEBQ0qVQQiZdNjzBeDdBnmbFvPJWbk3gUOEyDUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwI0civsQYQyq3r1QESBGaBmNw Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 17:28:49 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-17; expires=Sun, 26-May-2024 17:28:49 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=nnNvhDpc2wNur5rZ2GPGFYYW98DsoxA86Ww61SxrQhbN75bLgvGv66xto5kBou_BZhKvAQUkIJHuNQWnDyPOWmD2cDFR-PV6p_69ua1MuHp3KdSQzVdxG3lFb7byaUXTatUSMGCpLe3XoQ4DJntYUwZfNBnE2izQ4aeaz0zlO2U; expires=Sat, 26-Oct-2024 17:28:49 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 17:28:49 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	142.250.217.164	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:50 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 17:28:51 UTC	1760	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNLIr7EGIjCTne0bwf48RoRhZuPH4pFklPwwJFOSRYaI2xBpyQCasbMRMkTzYh04Cbc12bYZbG0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsI08ivsQYQ9vDhCxIEZoGY3A Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 17:28:51 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-17; expires=Sun, 26-May-2024 17:28:51 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=l_QNb-B5hpXOC8bBQtAnRM5M-JbSLPNITwf3h_zzOX-4tA7Uizy-BaeugZBG7UohQDR3Tb4z0cNNuel3fvNX5P-fJCml_L9vq2TTwKMYH4Rrj4_7jsYQ6-e9F0ZevySaj64gEML3uSW9TC_9wzv4XbwIZ6hlgXjNPVLsnuorypY; expires=Sat, 26-Oct-2024 17:28:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 17:28:51 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49749	142.250.217.164	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:51 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGNHIr7EGIjBbcI5gdfmKwCdV__yDFi29L_2EfWEBQ0qVQQiZdNjzBeDdBnmbFvPJWbk3gUOEyDUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-17; NID=513=nnNvhDpc2wNur5rZ2GPGFYYW98DsoxA86Ww61SxrQhbN75bLgvGv66xto5kBou_BZhKvAQUkIJHuNQWnDyPOWmD2cDFR-PV6p_69ua1MuHp3KdSQzVdxG3lFb7byaUXTatUSMGCpLe3XoQ4DJntYUwZfNBnE2izQ4aeaz0zlO2U
2024-04-26 17:28:51 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 17:28:51 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3186 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 17:28:51 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-26 17:28:51 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 4f 6e 31 6b 32 46 64 52 43 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="On1k2FdRC
2024-04-26 17:28:51 UTC	1032	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49753	142.250.217.164	443	5304	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:51 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGNLIr7EGIjCTne0bwf48RoRhZuPH4pFklPwwJFOSRYaI2xBpyQCasbMRMkTzYh04Cbc12bYZbG0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-17; NID=513=l_QNb-B5hpXOC8bBQtAnRM5M-JbSLPNITwf3h_zzOX-4tA7Uizy-BaeugZBG7UohQDR3Tb4z0cNNuel3fvNX5P-fJCml_L9vq2TTwKMYH4Rrj4_7jsYQ6-e9F0ZevySaj64gEML3uSW9TC_9wzv4XbwIZ6hlgXjNPVLsnuorypY
2024-04-26 17:28:51 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 17:28:51 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3114 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 17:28:51 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 17:28:51 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 5f 49 6e 35 43 6b 35 69 68 50 4f 33 51 6e 56 51 4c 61 32 6f 58 79 49 52 66 6a 39 44 32 74 51 73 65 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="_In5Ck5ihPO3QnVQLa2oXyIRfj9D2tQse
2024-04-26 17:28:51 UTC	960	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49756	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:55 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 17:28:55 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0758) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=48890 Date: Fri, 26 Apr 2024 17:28:55 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49757	23.204.76.112	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 17:28:56 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 17:28:56 UTC	530	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0DZ+oYgAAAABSxwJpMgMuSLkfS640ajfFQVRBRURHRTEyMTkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=48883 Date: Fri, 26 Apr 2024 17:28:56 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-26 17:28:56 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Target ID:	0
Start time:	19:27:04
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\File-11F_385347.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\File-11F_385347.exe"
Imagebase:	0xab0000
File size:	23'731'296 bytes
MD5 hash:	08EA1813D6B205C446E6AE655C4E6715
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:28:46
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	19:28:46
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1724,i,16714932929559567655,4968093527130383925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x600000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	322
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0112216D Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01134A30: GetLastError.KERNEL32(00000000,?,0112A560,011296D1,?,?,0113492C,00000001,00000364,?,00000006,000000FF,?,011220DD,011A30B8,0000000C), ref: 01134A34
Part of subcall function 01134A30: SetLastError.KERNEL32(00000000), ref: 01134AD6

CloseHandle.KERNEL32(?,?,?,011222A4,?,?,01122116,00000000), ref: 0112219E
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,011222A4,?,?,01122116,00000000), ref: 011221B4
ExitThread.KERNEL32 ref: 011221BD

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 766ef46c98fe8dc8ce8436ed9f91d98890f19884f40d2fe7e01e5f04686de165
Instruction ID: 6d4fda558626b2b17a97b5f9d9f2e1bb50f2510ed1bbc818e95d601f5c240b4b
Opcode Fuzzy Hash: 766ef46c98fe8dc8ce8436ed9f91d98890f19884f40d2fe7e01e5f04686de165
Instruction Fuzzy Hash: 48F05E345006216BEB3D1A7DC808E5E3EA9AF40364B284624FF65C21E4E735D4A1C790

Uniqueness

Uniqueness Score: -1.00%

Function 01126705 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,011266FF,01129ED8,01129ED8,?,00000002,04E3A652,01129ED8,00000002), ref: 01126716
TerminateProcess.KERNEL32(00000000,?,011266FF,01129ED8,01129ED8,?,00000002,04E3A652,01129ED8,00000002), ref: 0112671D
ExitProcess.KERNEL32 ref: 0112672F

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9948ab20894451999db9661833a036dd71ba23a22c8fcd65794bab8598e57c35
Instruction ID: c44c94adefe9c3e1e5234e3cda44d37c13fd70e50451f9913540d6272a1eea4d
Opcode Fuzzy Hash: 9948ab20894451999db9661833a036dd71ba23a22c8fcd65794bab8598e57c35
Instruction Fuzzy Hash: F9D09E75001515BBDF192F70E80D9593F65EF846557504024FD15451B4DB3799A2DB80

Uniqueness

Uniqueness Score: -1.00%

Function 01134E8A Relevance: 3.1, APIs: 2, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a80291055f811188c15df3935e111bd512fa5d1d06248388fc208b8d2a11036
Instruction ID: 7bc34085512f482a1762306d3217e4f2a7bc0f3ec68f6e7fc2e246f788d2fd8f
Opcode Fuzzy Hash: 0a80291055f811188c15df3935e111bd512fa5d1d06248388fc208b8d2a11036
Instruction Fuzzy Hash: 310140377042216FDF2ECD6DEC4095B3BD6ABC52607654130FA14CBA8CEB31D5408791

Uniqueness

Uniqueness Score: -1.00%

Function 011220B8 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(011A30B8,0000000C), ref: 011220CB
ExitThread.KERNEL32 ref: 011220D2

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: cda5b1a99b1e214cb061775e67d86b6533556490e2d0a3bce6752561b74c6ce7
Instruction ID: 6cb11cdfeff0ec0a3a9c921503ba08b824676a684c32d2cc69d26d25b77f46ee
Opcode Fuzzy Hash: cda5b1a99b1e214cb061775e67d86b6533556490e2d0a3bce6752561b74c6ce7
Instruction Fuzzy Hash: 07F0CDB1A4021AAFDB1DBFB4C449EAE3B75FF90A04F200198E4119B2A1CF355951DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0112A3A6 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,01139479,?,00000000,?,?,0113971A,?,00000007,?,?,01139CCE,?,?), ref: 0112A3BC
GetLastError.KERNEL32(?,?,01139479,?,00000000,?,?,0113971A,?,00000007,?,?,01139CCE,?,?), ref: 0112A3C7

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 3090c7670400b3b6f480ac8c3a682da7263690f56be227689c1f40afcd40fb9a
Instruction ID: 05c0a7d735e6a70d7d7ac9782565a06993be2550e12d370ee7651da7bd44bb13
Opcode Fuzzy Hash: 3090c7670400b3b6f480ac8c3a682da7263690f56be227689c1f40afcd40fb9a
Instruction Fuzzy Hash: 13E08632540A24FBDB292BE4B90CB853F999F40255F144060FA1887C60DB7584A09BC0

Uniqueness

Uniqueness Score: -1.00%

Function 011348DF Relevance: 2.6, APIs: 2, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,011220DD,011A30B8,0000000C), ref: 011348E3
SetLastError.KERNEL32(00000000), ref: 01134985

Part of subcall function 0112967F: RtlAllocateHeap.NTDLL(00000008,?,?,?,0113492C,00000001,00000364,?,00000006,000000FF,?,011220DD,011A30B8,0000000C), ref: 011296C0

Part of subcall function 0112A3A6: RtlFreeHeap.NTDLL(00000000,00000000,?,01139479,?,00000000,?,?,0113971A,?,00000007,?,?,01139CCE,?,?), ref: 0112A3BC
Part of subcall function 0112A3A6: GetLastError.KERNEL32(?,?,01139479,?,00000000,?,?,0113971A,?,00000007,?,?,01139CCE,?,?), ref: 0112A3C7

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: ErrorLast$Heap$AllocateFree
String ID:
API String ID: 2037364846-0
Opcode ID: 7196deb59b9c10e6bd4aa73a2eabe26ce434d48c3b8612515c1fe61f8807ece4
Instruction ID: 42f638084504c49c5d3e126ca80c0a116e1caba1e92053f16277873c7c5d39cd
Opcode Fuzzy Hash: 7196deb59b9c10e6bd4aa73a2eabe26ce434d48c3b8612515c1fe61f8807ece4
Instruction Fuzzy Hash: 3B315D316042736EE62D367C6C81E3A3E88AFE467CF000230F925E29DCFB41491047A4

Uniqueness

Uniqueness Score: -1.00%

Function 0112967F Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,0113492C,00000001,00000364,?,00000006,000000FF,?,011220DD,011A30B8,0000000C), ref: 011296C0

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d15dbc93032e83787a2725f29f9bfca346814f9e0fc442e40a69f6efd3212d7f
Instruction ID: 6041c7133196eb35b253072452b7a42a5793e741d25f3dd19ccf88dcb91114d1
Opcode Fuzzy Hash: d15dbc93032e83787a2725f29f9bfca346814f9e0fc442e40a69f6efd3212d7f
Instruction Fuzzy Hash: E6F02431A0157E6AAB3D2A6ED804A5B3FC9AF4067CF098021ED18E60A0DB20D420C7A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 011223FD Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 011224F5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 011224FF
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0112250C

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: da166ffffaee39ed46b0bb5500fe678efce873e53cbbd7336149268fc5046b9d
Instruction ID: 8955ef946604e84ab233927d07b45bd666dcf5c1e72dd4811eeff7bc0d37c088
Opcode Fuzzy Hash: da166ffffaee39ed46b0bb5500fe678efce873e53cbbd7336149268fc5046b9d
Instruction Fuzzy Hash: EF31C77490122DABCB25DF68D9887CCBBB8BF18710F5041EAF41CA7290E7709B858F44

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1380 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef0dcbdc1dc5df39230816855b486abd1ec2a23265c7c573bf86c0e91c78628
Instruction ID: 3de4cf7e3c9c495b63a747fbc8281349adaf415b0d1be444b3f2233d584e7ff7
Opcode Fuzzy Hash: cef0dcbdc1dc5df39230816855b486abd1ec2a23265c7c573bf86c0e91c78628
Instruction Fuzzy Hash: 4721A1719201269BC31ACE1EC8845FAB7A5FB85305FC1836AED40DB249C639B926D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 011354F8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d9b488c17c31ebf2236f26c421299142bdb8cb0f41ba003848360f95b4033b
Instruction ID: e9b6c463faae937d9e6f4143326b37dc9cffb9180d70af6247dcff8498466305
Opcode Fuzzy Hash: c7d9b488c17c31ebf2236f26c421299142bdb8cb0f41ba003848360f95b4033b
Instruction Fuzzy Hash: 55F03032A51224DBCB2ACA4CD505A6973BEEB89B59F514096F541EB685C770EE40CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0113553C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98aa2269effb25f6d29c70cef816aa12813101f94a5be4698bb5b0718eda6964
Instruction ID: c05161e753293414c10877b0bc7d2ea152c1384dec2b4f9880dbe4a6c7c7d2e9
Opcode Fuzzy Hash: 98aa2269effb25f6d29c70cef816aa12813101f94a5be4698bb5b0718eda6964
Instruction Fuzzy Hash: 44E08C32911278EBCB28DB8CD90498AF7EDEB84E14B590096B601D3144C370EE00CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01126779 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6cd87333b882de54941a995c453e64a30cd084126d26f4752468d0337d8190
Instruction ID: 8b8b76ee6587ee56823d08822588c1c090306369dfc0dd9e0b293635ac3f81ea
Opcode Fuzzy Hash: af6cd87333b882de54941a995c453e64a30cd084126d26f4752468d0337d8190
Instruction Fuzzy Hash: 38C08C38102D1046CE2E8918E2703AC33DAA7D2A92FC00C8CCD064B6C2D71EB882DB00

Uniqueness

Uniqueness Score: -1.00%

Function 0112679B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,04E3A652,?,?,00000000,0115FCD0,000000FF,?,0112672B,00000002,?,011266FF,01129ED8), ref: 011267D0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 011267E2
FreeLibrary.KERNEL32(00000000,?,?,00000000,0115FCD0,000000FF,?,0112672B,00000002,?,011266FF,01129ED8), ref: 01126804

Strings

CorExitProcess, xrefs: 011267DA
mscoree.dll, xrefs: 011267C9

Memory Dump Source

Source File: 00000000.00000002.1873865908.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000000.00000002.1873851287.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874544022.0000000001161000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874587676.00000000011A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874614740.00000000011A8000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874630192.00000000011AA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874647266.00000000011B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1874672596.00000000011B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ab0000_File-11F_385347.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 25d03558541648b8e21a46ff537ebc5a258f6da2ca7bfe0e3d78729fa9a4d3bc
Instruction ID: a1b92b769499e2acfe4708226c6bf1919fb62eb598e3b1e7608098f99499db57
Opcode Fuzzy Hash: 25d03558541648b8e21a46ff537ebc5a258f6da2ca7bfe0e3d78729fa9a4d3bc
Instruction Fuzzy Hash: 7201DF32944629EBDB199B44DC05FAEBBB8FB44B11F000539EC21E22D0DBB59900CB90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report File-11F_385347.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\MPC-HC\MPC-HC.1.9.13.x86.exe

Chrome Cache Entry: 39

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
File-11F_385347.exe

Function 0112216D Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 01126705 Relevance: 4.5, APIs: 3, Instructions: 15
COMMON

Function 01134E8A Relevance: 3.1, APIs: 2, Instructions: 57
COMMONLIBRARYCODE

Function 011220B8 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 0112A3A6 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 011348DF Relevance: 2.6, APIs: 2, Instructions: 125
COMMON

Function 0112967F Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 011223FD Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Function 0112679B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
libraryloaderCOMMON