Edit tour

Windows Analysis Report
xrPfnwOyJZqd.exe

Overview

General Information

Sample name:	xrPfnwOyJZqd.exe
Analysis ID:	1434250
MD5:	b45d6b705ff5e1d95974f680c73edca0
SHA1:	551891b184c060b8aadc3e951c6ec4afce2b4b32
SHA256:	3ea9612dc4f0f0aa8e3bfe877f1c3f7bfd79145f22fb9276f08357479a309592
Tags:	exexworm
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses dynamic DNS services

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

xrPfnwOyJZqd.exe (PID: 3468 cmdline: "C:\Users\user\Desktop\xrPfnwOyJZqd.exe" MD5: B45D6B705FF5E1D95974F680C73EDCA0)

chrome.exe (PID: 6812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 4360 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2064,i,9320462037478548023,11330767766689099081,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["warzones12.duckdns.org"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xrPfnwOyJZqd.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
xrPfnwOyJZqd.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6e0b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6f20:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6be0:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6b6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6c0b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6d20:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69e0:$cnc4: POST / HTTP/1.1
00000005.00000002.3783913668.0000000002331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: xrPfnwOyJZqd.exe PID: 3468	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.xrPfnwOyJZqd.exe.40000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
5.0.xrPfnwOyJZqd.exe.40000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6d6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6e0b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6f20:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6be0:$cnc4: POST / HTTP/1.1

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 179.13.0.175 - Destination IP: 192.168.2.7

Timestamp:	04/30/24-19:10:16.887076
SID:	2852870
Source Port:	7000
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 179.13.0.175

Timestamp:	04/30/24-19:10:16.887738
SID:	2852923
Source Port:	49714
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 179.13.0.175

Timestamp:	04/30/24-19:08:17.636532
SID:	2853193
Source Port:	49714
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 - Source IP: 179.13.0.175 - Destination IP: 192.168.2.7

Timestamp:	04/30/24-19:10:14.681769
SID:	2852874
Source Port:	7000
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 179.13.0.175

Timestamp:	04/30/24-19:06:40.515254
SID:	2855924
Source Port:	49714
Destination Port:	7000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xrPfnwOyJZqd.exe

Avira: detected

Antivirus detection for URL or domain

Source: warzones12.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: xrPfnwOyJZqd.exe

Malware Configuration Extractor: Xworm {"C2 url": ["warzones12.duckdns.org"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for submitted file

Source: xrPfnwOyJZqd.exe

ReversingLabs: Detection: 76%

Machine Learning detection for sample

Source: xrPfnwOyJZqd.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: xrPfnwOyJZqd.exe	String decryptor: warzones12.duckdns.org
Source: xrPfnwOyJZqd.exe	String decryptor: 7000
Source: xrPfnwOyJZqd.exe	String decryptor: <123456789>
Source: xrPfnwOyJZqd.exe	String decryptor: <Xwormmm>
Source: xrPfnwOyJZqd.exe	String decryptor: XWorm V5.2
Source: xrPfnwOyJZqd.exe	String decryptor: USB.exe

Source: xrPfnwOyJZqd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49728 version: TLS 1.2

Source: xrPfnwOyJZqd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 179.13.0.175:7000 -> 192.168.2.7:49714
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.7:49714 -> 179.13.0.175:7000
Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49714 -> 179.13.0.175:7000
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 179.13.0.175:7000 -> 192.168.2.7:49714
Source: Traffic	Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.7:49714 -> 179.13.0.175:7000

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: warzones12.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: warzones12.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.7:49714 -> 179.13.0.175:7000

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 179.13.0.175 179.13.0.175

Source: Joe Sandbox View

ASN Name: ColombiaMovilCO ColombiaMovilCO

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 23.221.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCLnKzQEIitPNARj1yc0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tc2PCTAgnFcyOnv&MD=oD+GSurf HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tc2PCTAgnFcyOnv&MD=oD+GSurf HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: warzones12.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: apis.google.com

Source: xrPfnwOyJZqd.exe, 00000005.00000002.3783913668.0000000002331000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chromecache_49.12.dr	String found in binary or memory: http://www.broofa.com
Source: chromecache_55.12.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_55.12.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_55.12.dr, chromecache_49.12.dr	String found in binary or memory: https://apis.google.com
Source: chromecache_55.12.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_55.12.dr	String found in binary or memory: https://content.googleapis.com
Source: chromecache_55.12.dr	String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_55.12.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_49.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_49.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_49.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_49.12.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_49.12.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_55.12.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_55.12.dr	String found in binary or memory: https://plus.googleapis.com
Source: chromecache_55.12.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_55.12.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_55.12.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_49.12.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_49.12.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_49.12.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.221.246.93:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49728 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: xrPfnwOyJZqd.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.0.xrPfnwOyJZqd.exe.40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Code function: 5_2_00007FFAAC879D4D	5_2_00007FFAAC879D4D
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Code function: 5_2_00007FFAAC876D92	5_2_00007FFAAC876D92
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Code function: 5_2_00007FFAAC875FE6	5_2_00007FFAAC875FE6

Source: xrPfnwOyJZqd.exe, 00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXClient1q.exe4 vs xrPfnwOyJZqd.exe
Source: xrPfnwOyJZqd.exe	Binary or memory string: OriginalFilenameXClient1q.exe4 vs xrPfnwOyJZqd.exe

Source: xrPfnwOyJZqd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xrPfnwOyJZqd.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.0.xrPfnwOyJZqd.exe.40000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: xrPfnwOyJZqd.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: xrPfnwOyJZqd.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: xrPfnwOyJZqd.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/14@5/6

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Mutant created: \Sessions\1\BaseNamedObjects\iv9mvoCdSZUsML3p

Source: xrPfnwOyJZqd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xrPfnwOyJZqd.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xrPfnwOyJZqd.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\xrPfnwOyJZqd.exe "C:\Users\user\Desktop\xrPfnwOyJZqd.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2064,i,9320462037478548023,11330767766689099081,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2064,i,9320462037478548023,11330767766689099081,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: xrPfnwOyJZqd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xrPfnwOyJZqd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: xrPfnwOyJZqd.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: xrPfnwOyJZqd.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: xrPfnwOyJZqd.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: xrPfnwOyJZqd.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: xrPfnwOyJZqd.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: xrPfnwOyJZqd.exe, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Code function: 5_2_00007FFAAC8750F2 push ecx; iretd

5_2_00007FFAAC8750F3

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Memory allocated: 770000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Memory allocated: 1A330000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Window / User API: threadDelayed 3833			Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	Window / User API: threadDelayed 6012			Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe TID: 8016	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe TID: 8020	Thread sleep count: 3833 > 30	Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe TID: 8020	Thread sleep count: 6012 > 30	Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: xrPfnwOyJZqd.exe, 00000005.00000002.3782553938.0000000000522000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: xrPfnwOyJZqd.exe, 00000005.00000002.3783913668.00000000027E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: xrPfnwOyJZqd.exe, 00000005.00000002.3783913668.00000000027E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: xrPfnwOyJZqd.exe, 00000005.00000002.3783913668.00000000027E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: xrPfnwOyJZqd.exe, 00000005.00000002.3783913668.00000000027E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2[
Source: xrPfnwOyJZqd.exe, 00000005.00000002.3783913668.00000000027E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Queries volume information: C:\Users\user\Desktop\xrPfnwOyJZqd.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: xrPfnwOyJZqd.exe, 00000005.00000002.3782553938.0000000000522000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\xrPfnwOyJZqd.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: xrPfnwOyJZqd.exe, type: SAMPLE
Source: Yara match	File source: 5.0.xrPfnwOyJZqd.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3783913668.0000000002331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xrPfnwOyJZqd.exe PID: 3468, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: xrPfnwOyJZqd.exe, type: SAMPLE
Source: Yara match	File source: 5.0.xrPfnwOyJZqd.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3783913668.0000000002331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xrPfnwOyJZqd.exe PID: 3468, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
xrPfnwOyJZqd.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
xrPfnwOyJZqd.exe	100%	Avira	HEUR/AGEN.1305769
xrPfnwOyJZqd.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.broofa.com	0%	URL Reputation	safe
https://csp.withgoogle.com/csp/lcreport/	0%	URL Reputation	safe
warzones12.duckdns.org	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
plus.l.google.com	142.250.191.206	true	false	high
warzones12.duckdns.org	179.13.0.175	true	true	unknown
www.google.com	142.250.190.132	true	false	high
apis.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
warzones12.duckdns.org	true	Avira URL Cloud: malware	unknown
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0	false		high
https://www.google.com/async/newtab_promos	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/log?format=json&hasfast=true	chromecache_49.12.dr	false		high
http://www.broofa.com	chromecache_49.12.dr	false	URL Reputation: safe	unknown
https://csp.withgoogle.com/csp/lcreport/	chromecache_55.12.dr	false	URL Reputation: safe	unknown
https://apis.google.com	chromecache_55.12.dr, chromecache_49.12.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	xrPfnwOyJZqd.exe, 00000005.00000002.3783913668.0000000002331000.00000004.00000800.00020000.00000000.sdmp	false		high
https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1	chromecache_55.12.dr	false		high
https://domains.google.com/suggest/flow	chromecache_55.12.dr	false		high
https://clients6.google.com	chromecache_55.12.dr	false		high
https://plus.google.com	chromecache_55.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.190.132	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.191.206	plus.l.google.com	United States	15169	GOOGLEUS	false
179.13.0.175	warzones12.duckdns.org	Colombia	27831	ColombiaMovilCO	true

Private

IP
192.168.2.7
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1434250
Start date and time:	2024-04-30 19:05:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xrPfnwOyJZqd.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/14@5/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.1.99, 142.251.4.84, 172.217.1.110, 34.104.35.123, 142.250.190.3, 23.35.68.210, 199.232.214.172, 199.232.210.172, 172.217.4.206
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com
Execution Graph export aborted for target xrPfnwOyJZqd.exe, PID 3468 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: xrPfnwOyJZqd.exe

Simulations

Behavior and APIs

Time	Type	Description
19:06:16	API Interceptor	4432515x Sleep call for process: xrPfnwOyJZqd.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	Shipping Details_PDF.bat	Get hash	malicious	AgentTesla, GuLoader	Browse
	http://launch.getgo.com/launcher2/helper?token=e0-JlwZpYnk5RjfhNwQJAWSnycGxuTNEKMFcGUnp8bMbh1HaoP3nxnwmbsPoRN3nHS6IqeGWl2BtZZUCiukZPAadAO_rWBJQKlxiyBmgLzhLL5R1ewSQF5jnb934RWY3OJM4kRqjf_0K6R7ugG8LH4WlOOqPNJSmMAD3RS6UgEzBOJaT4rPu0bb59qQi8o861c7OLxMI07Ibv0hJmk7HIy2a92xS-gyU5pKlOvVQGniMuxPSF1Y2k0dJ7ra2hAUmCxtd7ob9yDXB05la9g0bQ38dMF0kvhP2rIVGwG36NAwouMDXY-2MML1XoElq2qVGdets-czFXiGaDVyOFme0t6cF1YereSTdXIEtXIzFxS1lrYL3AiV4hFsDVKqI1kqih-PHY4ks3RqBBIj3H1iVlVq_2U3M6VZflUvwyNSk_ZcHfCbJHyTQt10oMuj0lOFvXOTuhJST9RLaFmO5ibIH5ghIchA_BWTrCyQVmuuQQoEQ-jWemgg7keHjSvL1bR2V_VwnqgTgcf_VuVAuqEEQIekmsEEzCXev7G-pEchKLy2fT1tAyJJH9VB4Yx_vAKsd_0C38BiMHPEYdOMSboIQg-rfko0GyZWpzeel94gvtGvyMHY-jXpYAwX_2iK2KJpkVnbzstjnbhvopB2XYgkB4GiaV845Xp274vfZNI7_XUn7Ih_SbuB&downloadTrigger=javascript&renameFile=1	Get hash	malicious	Unknown	Browse
	https:/netorgft2170469-my.sharepoint.com:443/:b:/g/personal/rmugford_valiantgrouplink_com/EUg0tSrKqCxPjm6CDhNP3lgB9zXhnMR4L_ltsIAhYTyn8w?e=4%3aOUUdvW&at=9	Get hash	malicious	HTMLPhisher	Browse
	http://macmais.com.br/wp-content/uploads/2012/02/estagio-motorola.jpg	Get hash	malicious	Unknown	Browse
	http://launch.getgo.com/launcher2/helper?token=e0-JlwZpYnk5RjfhNwQJAWSnycGxuTNEKMFcGUnp8bMbh1HaoP3nxnwmbsPoRN3nHS6IqeGWl2BtZZUCiukZPAadAO_rWBJQKlxiyBmgLzhLL5R1ewSQF5jnb934RWY3OJM4kRqjf_0K6R7ugG8LH4WlOOqPNJSmMAD3RS6UgEzBOJaT4rPu0bb59qQi8o861c7OLxMI07Ibv0hJmk7HIy2a92xS-gyU5pKlOvVQGniMuxPSF1Y2k0dJ7ra2hAUmCxtd7ob9yDXB05la9g0bQ38dMF0kvhP2rIVGwG36NAwouMDXY-2MML1XoElq2qVGdets-czFXiGaDVyOFme0t6cF1YereSTdXIEtXIzFxS1lrYL3AiV4hFsDVKqI1kqih-PHY4ks3RqBBIj3H1iVlVq_2U3M6VZflUvwyNSk_ZcHfCbJHyTQt10oMuj0lOFvXOTuhJST9RLaFmO5ibIH5ghIchA_BWTrCyQVmuuQQoEQ-jWemgg7keHjSvL1bR2V_VwnqgTgcf_VuVAuqEEQIekmsEEzCXev7G-pEchKLy2fT1tAyJJH9VB4Yx_vAKsd_0C38BiMHPEYdOMSboIQg-rfko0GyZWpzeel94gvtGvyMHY-jXpYAwX_2iK2KJpkVnbzstjnbhvopB2XYgkB4GiaV845Xp274vfZNI7_XUn7Ih_SbuB&downloadTrigger=javascript&renameFile=1	Get hash	malicious	Unknown	Browse
	https://s3.ca-central-1.amazonaws.com/jasmina-barthmann/jasmina-barthmann.html?ID57006RYEHFQNXSJRFX	Get hash	malicious	Phisher	Browse
	https://s3.ca-central-1.amazonaws.com/jasmina-barthmann/jasmina-barthmann.html?ID57006RYEHFQNXSJRFX	Get hash	malicious	Phisher	Browse
	https://u43929124.ct.sendgrid.net/ls/click?upn=u001.BKOw9lVLtzwM-2Fpv8P6mt6mZmD42BVe4fXoYHy9WdyvCpKGN2pjY-2FBe7PAIoBt-2BfDfWnl0Bikvm2Yiz2InKvJA2ZI4ouIE3s46TZLqgPZ0m27IgZaNrPfjVlk3aUFSF6ntY8QqW0v79-2Bp9pnNxVD-2FVka-2FpzGTdxFwpjGrT9FXYmtEck-2FkMSIuofVBkWTkkgO1DXMnZZNjJ83ydFKFn0h8jW205QEKP-2FBofFiioEnmYb-2FgpmyoDKRkHgps5BhrQW32TImtu5TQZ9gW00dWNnX67A-3D-3DAQDW_wul4of6l-2Bt6qxu4mm80f2zfTEe6G4roxSmYazBYkbwHSPKOVD32yxm5LLG5OFhyVI4fR5-2FjPE40cxLO9qMyDEK99JIMhuvA257Oz4uOO65Jgf3r9QOcHwutL9V8-2FYjUIgS8SzQaMdXdtD-2FH3FxyRfVE9-2Bz6y5e-2B34xHP0E1aZMABq-2FANSK2TTnqnqLX9029ar7vWDWrsf4460z6sPbia-2FQ-3D-3D	Get hash	malicious	Unknown	Browse
	https://brendiet.org?rbshufzw&qrc=dvader@hinckleyallen.com	Get hash	malicious	Unknown	Browse
	https://u44187805.ct.sendgrid.net/ls/click?upn=u001.urN7cScDV6CGimnLAyTDkfHWzKTicJWX7VWST5wP2l5FbkRkAPckYy-2B8RxADRBvmFdREKral1Id8tyBq33oadD29MCKXVJUNLdUMVgHEhQYusfiUE9Rcn0QmgcTbRRq0WX5nd2C0lgIaAujzdyZ6LRwB0UoMRK9AtdjtlXwS97Yxr058cbjmVJpecBgWuiZ6U5I-2BQ80V4AxU8XUeNvDKDrEMpsO3OOpFP4clPX7iDCY-3DjFsx_5xLpiMTNoYC01LKSlW4nRu14aI7tBJGFqxPGe-2BNWWl-2BDxdr3mTXSXNl2QHdNraha6USZkGw-2FcXcq79RnDnpHUKf2QUv9PzNXazqBY05L0l0CVmd7Ut8q-2FyqWgvF1uQpAW2TlVAvzcfsV98HYXrRlN-2BiDMVRMonHv7Qu4aXolREO1UHU0DSUzWMKQAQDfMFFBS7mbBR6vtdxsBFUo3ix5oWgeobPMMx3qqQu3N31fJuA-3D	Get hash	malicious	HTMLPhisher	Browse
179.13.0.175	xSPJ7kxZgyho.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	xPvEDYX7g1YE.exe	Get hash	malicious	AsyncRAT	Browse
	xmo4WvZPV3Q0.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	xXQ39a5f9EJP.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	xmrhZ7VhlJjD.exe	Get hash	malicious	Quasar	Browse
	xBoD1uCJo8Dc.exe	Get hash	malicious	XWorm	Browse
	xffRCvQIkXWb.exe	Get hash	malicious	XWorm	Browse
	xApyUPoAYp9c.exe	Get hash	malicious	AsyncRAT	Browse
	xVDnoXtgbTMW.exe	Get hash	malicious	AsyncRAT	Browse
	xApyUPoAYp9c.exe	Get hash	malicious	AsyncRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
warzones12.duckdns.org	xBoD1uCJo8Dc.exe	Get hash	malicious	XWorm	Browse	179.13.0.175
warzones12.duckdns.org	xffRCvQIkXWb.exe	Get hash	malicious	XWorm	Browse	179.13.0.175

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ColombiaMovilCO	rKBGGJz4TB.exe	Get hash	malicious	AsyncRAT	Browse	179.14.9.152
	eaQvLgUm2Z.elf	Get hash	malicious	Mirai	Browse	186.180.4.147
	xSPJ7kxZgyho.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	179.13.0.175
	xuI8pQHlxExL.exe	Get hash	malicious	Njrat	Browse	179.14.8.182
	YKLjlQEZKY.elf	Get hash	malicious	Mirai	Browse	179.13.242.211
	CxBkzmVHaR.elf	Get hash	malicious	Mirai	Browse	181.204.131.151
	jdsfl.arm.elf	Get hash	malicious	Mirai	Browse	191.92.238.135
	jdsfl.x86.elf	Get hash	malicious	Mirai	Browse	181.204.131.163
	dI3tFWyJ6d.elf	Get hash	malicious	Mirai	Browse	177.254.72.247
	aQvU3QHA3N.elf	Get hash	malicious	Unknown	Browse	179.13.85.216

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Shipping Details_PDF.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	40.68.123.157 23.221.246.93
	http://macmais.com.br/wp-content/uploads/2012/02/estagio-motorola.jpg	Get hash	malicious	Unknown	Browse	40.68.123.157 23.221.246.93
	https://s3.ca-central-1.amazonaws.com/jasmina-barthmann/jasmina-barthmann.html?ID57006RYEHFQNXSJRFX	Get hash	malicious	Phisher	Browse	40.68.123.157 23.221.246.93
	https://brendiet.org?rbshufzw&qrc=dvader@hinckleyallen.com	Get hash	malicious	Unknown	Browse	40.68.123.157 23.221.246.93
	RFQ Webcor Construction MV23932.eml	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 23.221.246.93
	https://set.litecsys.com/newmetro/recap.html	Get hash	malicious	Unknown	Browse	40.68.123.157 23.221.246.93
	https://u44187805.ct.sendgrid.net/ls/click?upn=u001.urN7cScDV6CGimnLAyTDkfHWzKTicJWX7VWST5wP2l5FbkRkAPckYy-2B8RxADRBvmFdREKral1Id8tyBq33oadD29MCKXVJUNLdUMVgHEhQYusfiUE9Rcn0QmgcTbRRq09Jr3r8Sw4wm-2FAeBosgCHh4omUUWn-2FjM4nYngvES7q2-2FO2-2FR7nWydY-2FTJZE4b058tD4W-2BKtPto2G-2Bqw-2BhXJPzjdT0sor90yrF9eRzV97jJgM-3DygQ8_U0X8fcExTrrwKR3-2FLuZoOspxUVBoXB0mR3tLGCCmBT4LRPG3sQjT9oJDFh642gYHiS3bav-2BXr8R2SozgFi5uIrzw3Rhz47rbO7XgsbzbNr5yYdvJep7wwhIpaac9z6CXa8wsp56aYS6fJb5t4nMN8UuPlDMaXoygn73C7I7H-2Bw-2Bx7U9b5tByoGSx8DVFHeVJ5VLhPn6w-2FGKu3Q4PoGvBz-2BOUL0Ni2YggeODnnAf3cS4-3D	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 23.221.246.93
	SecuriteInfo.com.Heur.21069.7002.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	40.68.123.157 23.221.246.93
	http://sweet-bar-b497.ocdbge2ua93451.workers.dev	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 23.221.246.93
	TRANSFERENCIA.vbs	Get hash	malicious	Unknown	Browse	40.68.123.157 23.221.246.93

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1746)
Category:	downloaded
Size (bytes):	163891
Entropy (8bit):	5.55061820245277
Encrypted:	false
SSDEEP:	3072:S0eiNiuzs8v4HHKWY8s1BgP4IDQ9GURWu8zylA/u8PemUPhDlaY/ADiZ65LpK629:S0eMhzvwHHKWY8s1BgP4IDQ9GURWu8UD
MD5:	0282D5C4C6038FCEB2FF8607EDAC81A4
SHA1:	62EBF05C33F8A3115C208BB4D5CE9B38F6D06447
SHA-256:	AAAF17E8ED9C8DD5D1B69C8BBB617600A768256654C076F760E09C6047973371
SHA-512:	E21D25042E41527B62E80F9D9B82B85B915BA6D0698B2FFA5D8D59115F764770D1DE2108B72D82D57BFB7A8D4406FB53D091C1DC6D8BD03BED3BCA29CEFD0EAD
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.oT1FwJRCVC4.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTvBynad-nWEy1xIb9j1w6LpLOF6IQ"
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{._.nj=function(a,b,c){return c?a\|b:a&~b};_.oj=function(a,b,c,d){a=_.hb(a,b,c,d);return Array.isArray(a)?a:_.lc};_.pj=function(a,b){a=_.nj(a,2,!!(2&b));a=_.nj(a,32,!0);return a=_.nj(a,2048,!1)};_.qj=function(a,b){0===a&&(a=_.pj(a,b));return a=_.nj(a,1,!0)};_.rj=function(a){return!!(2&a)&&!!(4&a)\|\|!!(2048&a)};_.sj=function(a,b,c){32&b&&c\|\|(a=_.nj(a,32,!1));return a};._.tj=function(a,b,c,d,e,f){var g=!!(2&b),h=g?1:2;const k=1===h;h=2===h;e=!!e;f&&(f=!g);g=_.oj(a,b,d);var l=g[_.v]\|0;const n=!!(4&l);if(!n){l=_.qj(l,b);var p=g,r=b,t;(t=!!(2&l))&&(r=_.nj(r,2,!0));let C=!t,X=!0,P=0,H=0;for(;P<p.length;P++){const O=_.Sa(p[P],c,r);if(O instanceof c){if(!t){const Fa=!!((O.ma[_.v]\|0)&2);C&&(C=!Fa);X&&(X=Fa)}p[H++]=O}}H<P&&(p.length=H);l=_.nj(l,4,!0);l=_.nj(l,16,X);l=_.nj(l,8,C);_.wa(p,l);t&&Object.freeze(p)}c=!!(8&l)\|\|k&&!g.length;if(f&&!c){_.rj(l)&&(g=_.va(g),l=_.pj(l,.b),b=_.gb(a,b,d,g));f=g;c=l;for(p=0;p<f.length;p++)l=f[p],r=_.eb(l),l

Chrome Cache Entry: 50

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (771)
Category:	downloaded
Size (bytes):	776
Entropy (8bit):	5.1613564182196505
Encrypted:	false
SSDEEP:	24:YzzqO+O0HSLoBHslgT9lCuABuoB7HHHHHHHYqmffffffo:8eOxcKlgZ01BuSEqmffffffo
MD5:	48D35E1437D2C23B299C5480D48881A3
SHA1:	45A73020DF8CBC4ADFA91B3884934AC65AB18373
SHA-256:	9CDBFE20EDFEE4D32540033A90579104AC31258C312F1F0CE335D969389B8812
SHA-512:	0289876BAA5E6A2055CBCB3CE882626EEE507CC6BFD9E06E943EBA414765311859E0D0B150B68B7C393B722B394A756D6BE5C90CB51499F976B5443240783C63
Malicious:	false
Reputation:	low
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["georgia baseball pitcher caught cheating","billboard top 100 taylor swift","walmart store brand","playstation plus games","winnipeg jets namestnikov injury","$1 bills","tekken 8 1.04 patch notes","gray zone warfare"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Chrome Cache Entry: 51

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 52

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	139819
Entropy (8bit):	5.440905612507296
Encrypted:	false
SSDEEP:	1536:yMRA4atKJXjPInWWt/usD98kiHLnRA0zqevcZb+haV+trbbbhYxvdU:ezKJou8TMyeN0shCO
MD5:	8578F1B6DD7155FFE0498A75B8CBCCE2
SHA1:	EF13E0B931939150054B2A490CCC3B1EF3CF3C83
SHA-256:	717CA9AC8C6A84FB6F87A41FEDDF1CD33F05B35548EFE75A026C1FDF9CE3842E
SHA-512:	80E0A3A2BB70FDB04BE0A80DD3EAE00CA18AEE3F61197A9C26CAC3F8134DDDCA07F93B6D4B1B6D640EF43B0DB2F737EFF7D585D259219E7BF087FB6BF99900BC
Malicious:	false
Reputation:	low
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ra gb_ib gb_Ud gb_od\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Id\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_sd gb_ld gb_yd gb_xd\"\u003e\u003cdiv class\u003d\"gb_rd gb_hd\"\u003e\u003cdiv class\u003d\"gb_Pc gb_r\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Pc gb_Sc gb_r\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Chrome Cache Entry: 53

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3572), with no line terminators
Category:	downloaded
Size (bytes):	3572
Entropy (8bit):	5.150542995862274
Encrypted:	false
SSDEEP:	96:RJYrcoiktfqqMghOKTEzNx8BSIMw591g8IOl8u8i8DF+Ks:wkktfqqMghxlg8Ig8u78D2
MD5:	88BC8C86A83B9BD8EDA6FDF225CDC8DD
SHA1:	473D84930F027A365278C15282725A69721F4B18
SHA-256:	47D960E93D9E7AB4C760A09DA0AA5E6549A8355AD5C0BA8476D4269F4FBDB354
SHA-512:	3BC486D908160D297AD3028C27177A9C41A1D87EF29A456058265FAF74A1DA069D3B0578F05A79F866C2DB752D5E0E42D179158BD62251D4FDA601A7CBA7CC4D
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/og/_/ss/k=og.qtm.T5bVtXo12IQ.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTssrVR1lBtzoy_MObv1DSp-vWG36A"
Preview:	.gb_3e{background:rgba(60,64,67,.9);-webkit-border-radius:4px;border-radius:4px;color:#fff;font:500 12px "Roboto",arial,sans-serif;letter-spacing:.8px;line-height:16px;margin-top:4px;min-height:14px;padding:4px 8px;position:absolute;z-index:1000;-webkit-font-smoothing:antialiased}.gb_Hc{text-align:left}.gb_Hc>*{color:#bdc1c6;line-height:16px}.gb_Hc div:first-child{color:white}.gb_qa{background:none;border:1px solid transparent;-webkit-border-radius:50%;border-radius:50%;-webkit-box-sizing:border-box;box-sizing:border-box;cursor:pointer;height:40px;margin:8px;outline:none;padding:1px;position:absolute;right:0;top:0;width:40px}.gb_qa:hover{background-color:rgba(68,71,70,.08)}.gb_qa:focus,.gb_qa:active{background-color:rgba(68,71,70,.12)}.gb_qa:focus-visible{border-color:#0b57d0;outline:1px solid transparent;outline-offset:-1px}.gb_i .gb_qa:hover,.gb_i .gb_qa:focus,.gb_i .gb_qa:active{background-color:rgba(227,227,227,.08)}.gb_i .gb_qa:focus-visible{border-color:#a8c7fa}.gb_ra{-webkit-box

Chrome Cache Entry: 54

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1660
Entropy (8bit):	4.301517070642596
Encrypted:	false
SSDEEP:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:	554640F465EB3ED903B543DAE0A1BCAC
SHA1:	E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:	462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3

Chrome Cache Entry: 55

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2124)
Category:	downloaded
Size (bytes):	121628
Entropy (8bit):	5.506662476672723
Encrypted:	false
SSDEEP:	3072:QI9yvwslCsrCF9f/U2Dj3Fkk7rEehA5L1kx:l9ygsrieDkVaL1kx
MD5:	F46ACD807A10216E6EEE8EA51E0F14D6
SHA1:	4702F47070F7046689432DCF605F11364BC0FBED
SHA-256:	D6B84873D27E7E83CF5184AAEF778F1CCB896467576CD8AF2CAD09B31B3C6086
SHA-512:	811263DC85C8DAA3A6E5D8A002CCCB953CD01E6A77797109835FE8B07CABE0DEE7EB126274E84266229880A90782B3B016BA034E31F0E3B259BF9E66CA797028
Malicious:	false
URL:	"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0"
Preview:	gapi.loaded_0(function(_){var window=this;._._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x20000, ]);.var ba,ca,da,na,pa,va,wa,za;ba=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.da=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};_.ma=da(this);na=function(a,b){if(b)a:{var c=_.ma;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&ca(c,a,{configurable:!0,writable:!0,value:b})}};.na("Symbol",function(a){if(a)re

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.549698702116996
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	xrPfnwOyJZqd.exe
File size:	33'792 bytes
MD5:	b45d6b705ff5e1d95974f680c73edca0
SHA1:	551891b184c060b8aadc3e951c6ec4afce2b4b32
SHA256:	3ea9612dc4f0f0aa8e3bfe877f1c3f7bfd79145f22fb9276f08357479a309592
SHA512:	8e8f3c0becb83bfce4f8f388c2d7625f31ad338bf7482c4f6ea69de1fd8447d157bb6e8f4252969abbd3c597b9ad0fe6d0dd51c8474395468336e45bbd155400
SSDEEP:	384:Ql+PkjD9+E5MFs7iui8L7zoM42pfL3iB7OxVqWDRApkFXBLTsOZwpGN2v99Ikuik:k+CD93W03F42JiB70FVF49jzOjhebo
TLSH:	BAE24A4877A44626DAEEAFF52CF351050270D917C923EFAE0CD485EA2B67AC187407F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G!1f.................z..........N.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40984e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66312147 [Tue Apr 30 16:50:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9800	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x4e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7854	0x7a00	e450526d94203fb1b7c4a787a8aed32e	False	0.49385245901639346	data	5.695440308886532	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x4e0	0x600	9110edfaced0149a5db9869a2d737c75	False	0.3782552083333333	data	3.738453778976393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0xc	0x200	e3c94233c0923efafaefbe180fa5cdc6	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa0a0	0x24c	data			0.47278911564625853
RT_MANIFEST	0xa2f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/30/24-19:10:16.887076	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49714	179.13.0.175	192.168.2.7
04/30/24-19:10:16.887738	TCP	2852923	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49714	7000	192.168.2.7	179.13.0.175
04/30/24-19:08:17.636532	TCP	2853193	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49714	7000	192.168.2.7	179.13.0.175
04/30/24-19:10:14.681769	TCP	2852874	ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2	7000	49714	179.13.0.175	192.168.2.7
04/30/24-19:06:40.515254	TCP	2855924	ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound	49714	7000	192.168.2.7	179.13.0.175

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 30, 2024 19:06:02.515026093 CEST	49674	443	192.168.2.7	104.98.116.138
Apr 30, 2024 19:06:02.515033960 CEST	49675	443	192.168.2.7	104.98.116.138
Apr 30, 2024 19:06:02.671252012 CEST	49672	443	192.168.2.7	104.98.116.138
Apr 30, 2024 19:06:02.734056950 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 30, 2024 19:06:03.108781099 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 30, 2024 19:06:03.530828953 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 30, 2024 19:06:03.858777046 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 30, 2024 19:06:05.358793020 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 30, 2024 19:06:08.343168020 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 30, 2024 19:06:12.124385118 CEST	49674	443	192.168.2.7	104.98.116.138
Apr 30, 2024 19:06:12.124401093 CEST	49675	443	192.168.2.7	104.98.116.138
Apr 30, 2024 19:06:12.280649900 CEST	49672	443	192.168.2.7	104.98.116.138
Apr 30, 2024 19:06:13.140062094 CEST	49671	443	192.168.2.7	204.79.197.203
Apr 30, 2024 19:06:13.662019968 CEST	443	49702	104.98.116.138	192.168.2.7
Apr 30, 2024 19:06:13.662118912 CEST	49702	443	192.168.2.7	104.98.116.138
Apr 30, 2024 19:06:14.296315908 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 30, 2024 19:06:14.777441025 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.777472019 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:14.777539015 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.777746916 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.777777910 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:14.777848959 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.778436899 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.778450966 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:14.778608084 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.778631926 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:14.780180931 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.780215979 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:14.780270100 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.781142950 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.781157017 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:14.830549955 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.830595970 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:14.830661058 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.830907106 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:14.830915928 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.005074978 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.005901098 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.005918026 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.006222010 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.006406069 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.006423950 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.006982088 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.007061005 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.008059025 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.008136034 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.009032965 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.009321928 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.009392977 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.009896994 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.009915113 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.010670900 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.010679007 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.010993004 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.011147022 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.011192083 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.011327982 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.011396885 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.012742043 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.012820005 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.012924910 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.012933969 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.052114010 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.057773113 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.061759949 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.061798096 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.062861919 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.062942028 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.063564062 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.063638926 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.063740015 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.095534086 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.095541000 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.095541000 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.095571995 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.104130983 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.205739021 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.205826044 CEST	443	49707	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.205868959 CEST	49707	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.239089012 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.239132881 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.239244938 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.239258051 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.240123034 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.240175009 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.245924950 CEST	49706	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.245940924 CEST	443	49706	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.255299091 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.255342007 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.255369902 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.255386114 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.255412102 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.255482912 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.262294054 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.262331009 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.262348890 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.262362003 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.262470961 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.269469976 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.269504070 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.269565105 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.269573927 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.269751072 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.272115946 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.272186041 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.276647091 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.276724100 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.283804893 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.283838987 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.283854961 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.283869982 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.283950090 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.299323082 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.299628973 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.299674034 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.300335884 CEST	49709	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.300355911 CEST	443	49709	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.357458115 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.357496023 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.357516050 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.357542992 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.357693911 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.360743999 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.360791922 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.367829084 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.367860079 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.367892981 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.367904902 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.367938042 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.374984980 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.375015020 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.375119925 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.375128984 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.375287056 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.382226944 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.382256031 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.382302046 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.382323027 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.382359028 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.389347076 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.389398098 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.396537066 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.396567106 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.396591902 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.396619081 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.396657944 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.403830051 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.403882980 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.403906107 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.403915882 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.403965950 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.410312891 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.416827917 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.416861057 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.416908979 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.416919947 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.416951895 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.423422098 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.429970026 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.430020094 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.430032969 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.433305979 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.433355093 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.433372021 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.439867020 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.440181971 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.440197945 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.459919930 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.459969997 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.459991932 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.462641001 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.462717056 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.462727070 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.467241049 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.467284918 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.467293024 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.471930027 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.471976995 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.471987963 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.476555109 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.476619005 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.476630926 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.481251955 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.481344938 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.481357098 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.485965014 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.486016035 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.486027956 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.495207071 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.495243073 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.495270967 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.495296001 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.495336056 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.499937057 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.504484892 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.505516052 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.505530119 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.506778955 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.509515047 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.509532928 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.511502981 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.513063908 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.513072968 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.516067982 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.516202927 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.516217947 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.520807028 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.521517992 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.521532059 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.525401115 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.525518894 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.525540113 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.530109882 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.533520937 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.533538103 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.534765959 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.537508011 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.537518024 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.539105892 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.539267063 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.539274931 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.543589115 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.545511007 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.545527935 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.548201084 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.549508095 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.549518108 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.552887917 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.553522110 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.553529978 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.557039976 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.557518005 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.557538033 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.563829899 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.563863039 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.563889980 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.563900948 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.563935041 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.567250967 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.571427107 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.571460009 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.571511030 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.571520090 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.571556091 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.574387074 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.576808929 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.576839924 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.576891899 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.576901913 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.576947927 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.579514027 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.582063913 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.582096100 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.582160950 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.582170963 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.582206964 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.584667921 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.587527990 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.587557077 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.587610006 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.587616920 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.587649107 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.589818001 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.592267990 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.592314959 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.592327118 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.592336893 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.592369080 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.594708920 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.597125053 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.597198963 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.597204924 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.598354101 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.598392010 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:15.598398924 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.600888968 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:15.600950956 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:16.867695093 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:17.025913954 CEST	49708	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:17.025938988 CEST	443	49708	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:17.524378061 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:17.870719910 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:17.870810986 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:18.122109890 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:18.376513004 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:18.440327883 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.440376043 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.440534115 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.440702915 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.440716028 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.665374041 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.665775061 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.665803909 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.666877031 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.666940928 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.668629885 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.668629885 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.668646097 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.668711901 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.781632900 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.781673908 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.869863033 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.869915009 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.869949102 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.869983912 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.869983912 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.870011091 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.870034933 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.870115042 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.870120049 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.872570038 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:18.872611046 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:18.873126030 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:18.873300076 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:18.873320103 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:18.876730919 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.876990080 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.877005100 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.884083033 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.884421110 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.884429932 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.896249056 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.896378994 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.896392107 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.971596003 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.971640110 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.971813917 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.971837997 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.972227097 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.975080013 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.982352972 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.982388973 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.982636929 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.982665062 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.982804060 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.989619017 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.996823072 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.996855021 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.996941090 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:18.996957064 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:18.997061968 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.004046917 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.011272907 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.011312008 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.011461020 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.011477947 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.011621952 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.017978907 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.024610996 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.024647951 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.024966002 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.024983883 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.025608063 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.031270027 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.037885904 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.037921906 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.038721085 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.038736105 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.038949966 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.044569016 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.051208019 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.051254988 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.051604033 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.051615953 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.052017927 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.057972908 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.073452950 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.073517084 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.073532104 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.073561907 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.075337887 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.076781988 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.083378077 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.083417892 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.083616018 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.083641052 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.083755970 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.090010881 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.090202093 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:19.090920925 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:19.090939999 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:19.091275930 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:19.093938112 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:19.094007969 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:19.096728086 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.096771002 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.096905947 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.096923113 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.097052097 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.103291988 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.109359026 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.109405041 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.109498024 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.109523058 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.109622002 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.114913940 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.120563030 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.120605946 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.120635033 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.120651007 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.121119022 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.126169920 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.131867886 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.131953001 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.131977081 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.134355068 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.134773016 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.134792089 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.139636040 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.139724970 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.139746904 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.144834042 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.144980907 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.145001888 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.149697065 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.149807930 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.149831057 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.154186010 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.154351950 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.154375076 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.158691883 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.159106016 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.159121037 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.163021088 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.163101912 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.163111925 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.167140961 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.167366982 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.167388916 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.175216913 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.175256968 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.175282001 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.175298929 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.175415993 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.179199934 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.183208942 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.183248043 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.183273077 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.183298111 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.183537006 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.185724020 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.186964035 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.187081099 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.187105894 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.189483881 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.189615011 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.189632893 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.191880941 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.192336082 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.192349911 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.194307089 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.194552898 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.194569111 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.196779013 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.197580099 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.197603941 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.199229002 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.199316978 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.199453115 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.199625015 CEST	49718	443	192.168.2.7	142.250.191.206
Apr 30, 2024 19:06:19.199639082 CEST	443	49718	142.250.191.206	192.168.2.7
Apr 30, 2024 19:06:19.280797958 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:21.425308943 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.425374031 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.425503969 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.427299976 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.427328110 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.640068054 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.640199900 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.642585039 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.642591953 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.642867088 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.677613974 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.724107027 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.861855030 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.861941099 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.861994028 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.862242937 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.862261057 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.862272024 CEST	49720	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.862277985 CEST	443	49720	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.894859076 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.894900084 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:21.894969940 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.895493984 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:21.895513058 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.103712082 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.103780985 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:22.105015993 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:22.105051041 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.105261087 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.107013941 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:22.148123026 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.315330982 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.315413952 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.315610886 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:22.316845894 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:22.316870928 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:22.316899061 CEST	49721	443	192.168.2.7	23.221.246.93
Apr 30, 2024 19:06:22.316905975 CEST	443	49721	23.221.246.93	192.168.2.7
Apr 30, 2024 19:06:23.161709070 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:23.161739111 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:23.161814928 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:23.163482904 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:23.163491964 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:23.793239117 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:23.793318033 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:23.822516918 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:23.822556973 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:23.822858095 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:23.874233007 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:24.900197983 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:24.931325912 CEST	49726	80	192.168.2.7	192.229.211.108
Apr 30, 2024 19:06:24.948113918 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.032989979 CEST	80	49726	192.229.211.108	192.168.2.7
Apr 30, 2024 19:06:25.033036947 CEST	49726	80	192.168.2.7	192.229.211.108
Apr 30, 2024 19:06:25.312289953 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312313080 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312321901 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312330961 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312360048 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312381983 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:25.312410116 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312431097 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:25.312436104 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312467098 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:25.312482119 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:25.312516928 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:25.997493982 CEST	49726	80	192.168.2.7	192.229.211.108
Apr 30, 2024 19:06:26.099263906 CEST	80	49726	192.229.211.108	192.168.2.7
Apr 30, 2024 19:06:26.104130983 CEST	49726	80	192.168.2.7	192.229.211.108
Apr 30, 2024 19:06:26.295531988 CEST	49677	443	192.168.2.7	20.50.201.200
Apr 30, 2024 19:06:26.857450008 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:26.857486010 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:26.857503891 CEST	49722	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:06:26.857511044 CEST	443	49722	40.68.123.157	192.168.2.7
Apr 30, 2024 19:06:29.105115891 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:29.105192900 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:29.105237961 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:29.321108103 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:29.418081999 CEST	49719	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:06:29.418114901 CEST	443	49719	142.250.190.132	192.168.2.7
Apr 30, 2024 19:06:29.524519920 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:29.592811108 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:30.930447102 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:31.159907103 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:40.515254021 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:40.712671041 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:40.714514971 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:40.952483892 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:44.346851110 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:44.390455961 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:45.340048075 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:45.340262890 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:51.703385115 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:51.909944057 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:06:51.953020096 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:52.194214106 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:06:52.469877958 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:02.905906916 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:03.215013027 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:03.216396093 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:03.692161083 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:03.692240000 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:03.749247074 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:03.977202892 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:05.815033913 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:05.815152884 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:05.815247059 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:05.815602064 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:05.815639019 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:06.467298985 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:06.467416048 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:06.474960089 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:06.475007057 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:06.475213051 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:06.515467882 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:06.804805994 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:06.848162889 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.233875990 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.233894110 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.233900070 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.233942032 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.233993053 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.234087944 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:07.234107971 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.234138012 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.234227896 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:07.455416918 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:07.455470085 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:07.455502033 CEST	49728	443	192.168.2.7	40.68.123.157
Apr 30, 2024 19:07:07.455521107 CEST	443	49728	40.68.123.157	192.168.2.7
Apr 30, 2024 19:07:14.100569010 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:14.639944077 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:14.717339993 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:14.764918089 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:15.171118975 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:15.262064934 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:15.262234926 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:16.233520985 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:16.832513094 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:16.840720892 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:17.082767010 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:18.925043106 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:18.925092936 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:18.925168991 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:18.925374985 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:18.925403118 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:19.145795107 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:19.146183014 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:19.146200895 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:19.146467924 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:19.146712065 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:19.146759987 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:19.189295053 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:23.093975067 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:23.285600901 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:23.288317919 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:23.576172113 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:26.589380026 CEST	80	49726	192.229.211.108	192.168.2.7
Apr 30, 2024 19:07:26.589529991 CEST	49726	80	192.168.2.7	192.229.211.108
Apr 30, 2024 19:07:29.150039911 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:29.150113106 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:29.150182962 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:29.202066898 CEST	49732	443	192.168.2.7	142.250.190.132
Apr 30, 2024 19:07:29.202111006 CEST	443	49732	142.250.190.132	192.168.2.7
Apr 30, 2024 19:07:34.285012007 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:34.614476919 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:34.630939960 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:35.124838114 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:35.305628061 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:35.313098907 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:35.544929028 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:44.645229101 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:44.715399027 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:45.160255909 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:45.160310030 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:45.967891932 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:46.624245882 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:47.139842033 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:47.147351980 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:47.342983007 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:48.388426065 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:48.649996042 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:50.489440918 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:50.728144884 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:50.735805988 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:51.223562002 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:51.349539042 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:51.349674940 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:51.469964027 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:56.157135010 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:56.472096920 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:56.515353918 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:56.520370007 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:57.015402079 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:57.209846973 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:58.718704939 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:58.937135935 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:07:58.943895102 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:07:59.179441929 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:04.984695911 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:05.289460897 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:05.291301966 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:05.813502073 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:06.040416002 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:14.595251083 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:14.827883959 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:16.177485943 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:16.627650023 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:17.127681017 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:17.636418104 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:17.636532068 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:18.608321905 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:18.608382940 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:18.835093975 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:18.835154057 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:19.075361967 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:28.759193897 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:28.947005033 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:28.949361086 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:29.195369959 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:30.862636089 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:31.056255102 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:31.060803890 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:31.297081947 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:42.062786102 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:42.297465086 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:42.302809954 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:43.015583992 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:43.250329971 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:44.197696924 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:44.327585936 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:44.791106939 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:44.791343927 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:53.265441895 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:53.452538013 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:53.463177919 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:53.715035915 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:55.720890999 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:55.905128002 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:08:55.909359932 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:08:56.151554108 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:02.952759027 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:03.130628109 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:03.149456024 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:03.387065887 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:04.049242020 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:04.235986948 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:04.248317003 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:04.474793911 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:14.615840912 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:14.724376917 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:15.237679958 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:15.624736071 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:15.806301117 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:15.815695047 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:16.219980001 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:16.597367048 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:16.807677031 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:19.359447956 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:19.675499916 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:19.677561998 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:19.944890022 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:30.935767889 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:31.136569977 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:31.140850067 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:31.624897957 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:31.810427904 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:33.702934027 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:33.909450054 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:33.934906006 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:34.169950962 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:37.531954050 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:37.715084076 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:37.716962099 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:37.960803986 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:44.496452093 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:44.617384911 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:48.734273911 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:48.922935009 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:48.929289103 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:09:49.180350065 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:09:59.922147989 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:00.110106945 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:10:00.123281956 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:00.351736069 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:10:11.109846115 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:11.430118084 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:10:11.451738119 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:11.699986935 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:10:14.681768894 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:10:14.813395977 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:15.533472061 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:15.922739029 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:16.313605070 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:16.887075901 CEST	7000	49714	179.13.0.175	192.168.2.7
Apr 30, 2024 19:10:16.887737989 CEST	49714	7000	192.168.2.7	179.13.0.175
Apr 30, 2024 19:10:17.016078949 CEST	7000	49714	179.13.0.175	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 30, 2024 19:06:09.350136042 CEST	123	123	192.168.2.7	168.61.215.74
Apr 30, 2024 19:06:09.476762056 CEST	123	123	168.61.215.74	192.168.2.7
Apr 30, 2024 19:06:14.478410959 CEST	53	63193	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:14.606251955 CEST	53	59657	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:14.635935068 CEST	49324	53	192.168.2.7	1.1.1.1
Apr 30, 2024 19:06:14.636106014 CEST	51935	53	192.168.2.7	1.1.1.1
Apr 30, 2024 19:06:14.739945889 CEST	53	49324	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:14.740114927 CEST	53	51935	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:15.266571999 CEST	53	53295	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:17.361845016 CEST	57097	53	192.168.2.7	1.1.1.1
Apr 30, 2024 19:06:17.504951000 CEST	53	57097	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:17.527620077 CEST	53	51095	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:18.335504055 CEST	57965	53	192.168.2.7	1.1.1.1
Apr 30, 2024 19:06:18.335895061 CEST	57825	53	192.168.2.7	1.1.1.1
Apr 30, 2024 19:06:18.438831091 CEST	53	57825	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:18.439373970 CEST	53	57965	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:33.901194096 CEST	53	51657	1.1.1.1	192.168.2.7
Apr 30, 2024 19:06:53.151213884 CEST	53	58588	1.1.1.1	192.168.2.7
Apr 30, 2024 19:07:03.223860979 CEST	138	138	192.168.2.7	192.168.2.255
Apr 30, 2024 19:07:14.270847082 CEST	53	51680	1.1.1.1	192.168.2.7
Apr 30, 2024 19:07:17.557472944 CEST	53	54116	1.1.1.1	192.168.2.7
Apr 30, 2024 19:07:42.405476093 CEST	53	58908	1.1.1.1	192.168.2.7
Apr 30, 2024 19:08:29.777445078 CEST	53	54084	1.1.1.1	192.168.2.7
Apr 30, 2024 19:09:45.167814970 CEST	53	60453	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 30, 2024 19:06:14.635935068 CEST	192.168.2.7	1.1.1.1	0x6472	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 30, 2024 19:06:14.636106014 CEST	192.168.2.7	1.1.1.1	0xf6ca	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 30, 2024 19:06:17.361845016 CEST	192.168.2.7	1.1.1.1	0x831c	Standard query (0)	warzones12.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 30, 2024 19:06:18.335504055 CEST	192.168.2.7	1.1.1.1	0x37f6	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
Apr 30, 2024 19:06:18.335895061 CEST	192.168.2.7	1.1.1.1	0x674a	Standard query (0)	apis.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 30, 2024 19:06:14.739945889 CEST	1.1.1.1	192.168.2.7	0x6472	No error (0)	www.google.com		142.250.190.132	A (IP address)	IN (0x0001)	false
Apr 30, 2024 19:06:14.740114927 CEST	1.1.1.1	192.168.2.7	0xf6ca	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 30, 2024 19:06:17.504951000 CEST	1.1.1.1	192.168.2.7	0x831c	No error (0)	warzones12.duckdns.org		179.13.0.175	A (IP address)	IN (0x0001)	false
Apr 30, 2024 19:06:18.438831091 CEST	1.1.1.1	192.168.2.7	0x674a	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 30, 2024 19:06:18.439373970 CEST	1.1.1.1	192.168.2.7	0x37f6	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 30, 2024 19:06:18.439373970 CEST	1.1.1.1	192.168.2.7	0x37f6	No error (0)	plus.l.google.com		142.250.191.206	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

apis.google.com

fs.microsoft.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	142.250.190.132	443	4360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:15 UTC	595	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-30 17:06:15 UTC	1703	IN	HTTP/1.1 200 OK Date: Tue, 30 Apr 2024 17:06:15 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-HfpKijsVASm9_EzGNO0zVA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-30 17:06:15 UTC	783	IN	Data Raw: 33 30 38 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 67 65 6f 72 67 69 61 20 62 61 73 65 62 61 6c 6c 20 70 69 74 63 68 65 72 20 63 61 75 67 68 74 20 63 68 65 61 74 69 6e 67 22 2c 22 62 69 6c 6c 62 6f 61 72 64 20 74 6f 70 20 31 30 30 20 74 61 79 6c 6f 72 20 73 77 69 66 74 22 2c 22 77 61 6c 6d 61 72 74 20 73 74 6f 72 65 20 62 72 61 6e 64 22 2c 22 70 6c 61 79 73 74 61 74 69 6f 6e 20 70 6c 75 73 20 67 61 6d 65 73 22 2c 22 77 69 6e 6e 69 70 65 67 20 6a 65 74 73 20 6e 61 6d 65 73 74 6e 69 6b 6f 76 20 69 6e 6a 75 72 79 22 2c 22 24 31 20 62 69 6c 6c 73 22 2c 22 74 65 6b 6b 65 6e 20 38 20 31 2e 30 34 20 70 61 74 63 68 20 6e 6f 74 65 73 22 2c 22 67 72 61 79 20 7a 6f 6e 65 20 77 61 72 66 61 72 65 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c Data Ascii: 308)]}'["",["georgia baseball pitcher caught cheating","billboard top 100 taylor swift","walmart store brand","playstation plus games","winnipeg jets namestnikov injury","$1 bills","tekken 8 1.04 patch notes","gray zone warfare"],["","","","","","","",
2024-04-30 17:06:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49707	142.250.190.132	443	4360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:15 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49708	142.250.190.132	443	4360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:15 UTC	498	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-30 17:06:15 UTC	1479	IN	HTTP/1.1 200 OK Version: 628208672 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Date: Tue, 30 Apr 2024 17:06:15 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 38 30 30 30 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 52 61 20 67 62 5f 69 62 20 67 62 5f 55 64 20 67 62 5f 6f 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 8000)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ra gb_ib gb_Ud gb_od\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 30 33 64 5c 22 67 62 5f 4a 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 39 64 20 67 62 5f 4b 63 20 67 62 5f 37 64 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 2f 3f 74 61 62 5c 75 30 30 33 64 72 72 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4f 63 20 67 62 5f 36 64 5c 22 20 61 72 69 61 2d 68 69 64 64 65 6e 5c 75 30 30 33 64 5c 22 74 72 75 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 70 72 65 73 65 6e 74 61 74 69 6f 6e 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 61 5c 75 30 30 33 65 5c 75 30 30 33 63 5c Data Ascii: 03d\"gb_Jc\"\u003e\u003ca class\u003d\"gb_9d gb_Kc gb_7d\" aria-label\u003d\"Google\" href\u003d\"/?tab\u003drr\"\u003e\u003cspan class\u003d\"gb_Oc gb_6d\" aria-hidden\u003d\"true\" role\u003d\"presentation\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 53 65 61 72 63 68 20 4c 61 62 73 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 68 74 74 70 73 3a 2f 2f 6c 61 62 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 61 72 63 68 3f 73 6f 75 72 63 65 5c 75 30 30 33 64 6e 74 70 5c 22 20 74 61 72 67 65 74 5c 75 30 30 33 64 5c 22 5f 74 6f 70 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 73 76 67 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 67 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 Data Ascii: aria-label\u003d\"Search Labs\" href\u003d\"https://labs.google.com/search?source\u003dntp\" target\u003d\"_top\" role\u003d\"button\" tabindex\u003d\"0\"\u003e \u003csvg class\u003d\"gb_g\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 36 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 32 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 Data Ascii: 9 -2,2 0.9,2 2,2zM6,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM12,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 31 33 30 30 31 30 32 2c 33 37 30 30 32 34 34 2c 33 37 30 30 39 34 39 2c 33 37 30 31 33 31 30 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c 75 30 30 33 64 74 68 69 73 2e 67 62 61 72 5f 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 Data Ascii: u-content","metadata":{"bar_height":60,"experiment_id":[1300102,3700244,3700949,3701310],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapped_value":"this.gbar_\u003dthis.gbar_\|\|{};(function(_){var wi
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 63 7b 7d 3b 5f 2e 73 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 69 66 28 62 20 69 6e 20 61 2e 69 29 72 65 74 75 72 6e 20 61 2e 69 5b 62 5d 3b 74 68 72 6f 77 20 6e 65 77 20 72 64 3b 7d 3b 5f 2e 74 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 5f 2e 73 64 28 5f 2e 57 63 2e 69 28 29 2c 61 29 7d 3b 5c 6e 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 65 29 7d 5c 6e 74 72 79 7b 5c 6e 2f 2a 5c 6e 5c 6e 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 5c 6e 2a 2f 5c 6e 76 61 72 20 7a 64 2c 49 64 2c 4b 64 3b 5f 2e 75 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 6e 75 6c 6c 5c 75 30 30 33 64 5c 75 30 Data Ascii: c{};_.sd\u003dfunction(a,b){if(b in a.i)return a.i[b];throw new rd;};_.td\u003dfunction(a){return _.sd(_.Wc.i(),a)};\n}catch(e){_._DumpException(e)}\ntry{\n/\n\n SPDX-License-Identifier: Apache-2.0\n/\nvar zd,Id,Kd;_.ud\u003dfunction(a){if(null\u003d\u0
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 3b 5f 2e 4a 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 61 2c 5f 2e 76 62 29 5c 75 30 30 32 36 5c 75 30 30 32 36 61 5b 5f 2e 76 62 5d 7c 7c 28 61 5b 5f 2e 76 62 5d 5c 75 30 30 33 64 2b 2b 49 64 29 7d 3b 4b 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 4c 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 5c 75 30 30 33 64 6e 75 6c 6c 2c 63 5c 75 30 30 33 64 5f 2e 71 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 69 66 28 21 63 7c 7c 21 63 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 72 65 74 75 72 6e 20 62 3b 74 72 79 7b 62 5c 75 30 30 33 64 63 2e 63 72 Data Ascii: ;_.Jd\u003dfunction(a){return Object.prototype.hasOwnProperty.call(a,_.vb)\u0026\u0026a[_.vb]\|\|(a[_.vb]\u003d++Id)};Kd\u003dfunction(a){return a};_.Ld\u003dfunction(a){var b\u003dnull,c\u003d_.q.trustedTypes;if(!c\|\|!c.createPolicy)return b;try{b\u003dc.cr
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 74 6f 53 74 72 69 6e 67 28 29 7d 7d 3b 5f 2e 58 64 5c 75 30 30 33 64 6e 65 77 20 5f 2e 57 64 28 5c 22 5c 22 2c 5f 2e 56 64 29 3b 5f 2e 59 64 5c 75 30 30 33 64 52 65 67 45 78 70 28 5c 22 5e 5b 2d 2b 2c 2e 5c 5c 5c 22 5c 75 30 30 32 37 25 5f 21 23 2f 20 61 2d 7a 41 2d 5a 30 2d 39 5c 5c 5c 5c 5b 5c 5c 5c 5c 5d 5d 2b 24 5c 22 29 3b 5f 2e 5a 64 5c 75 30 30 33 64 52 65 67 45 78 70 28 5c 22 5c 5c 5c 5c 62 28 75 72 6c 5c 5c 5c 5c 28 5b 20 5c 5c 74 5c 5c 6e 5d 2a 29 28 5c 75 30 30 32 37 5b 20 2d 5c 75 30 30 32 36 28 2d 5c 5c 5c 5c 5b 5c 5c 5c 5c 5d 2d 7e 5d 2a 5c 75 30 30 32 37 7c 5c 5c 5c 22 5b 20 21 23 2d 5c 5c 5c 5c 5b 5c 5c 5c 5c 5d 2d 7e 5d 2a 5c 5c 5c 22 7c 5b 21 23 2d 5c 75 30 30 32 36 2a 2d 5c 5c 5c 5c 5b 5c 5c 5c 5c 5d 2d 7e 5d 2a 29 28 5b 20 5c 5c 74 5c Data Ascii: toString()}};_.Xd\u003dnew _.Wd(\"\",_.Vd);_.Yd\u003dRegExp(\"^[-+,.\\\"\u0027%_!#/ a-zA-Z0-9\\\\[\\\\]]+$\");_.Zd\u003dRegExp(\"\\\\b(url\\\\([ \\t\\n])(\u0027[ -\u0026(-\\\\[\\\\]-~]\u0027\|\\\"[ !#-\\\\[\\\\]-~]\\\"\|[!#-\u0026-\\\\[\\\\]-~]*)([ \\t\
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 32 36 28 61 5c 75 30 30 33 64 61 2e 6e 6f 6e 63 65 7c 7c 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 5c 22 6e 6f 6e 63 65 5c 22 29 29 5c 75 30 30 32 36 5c 75 30 30 32 36 68 65 2e 74 65 73 74 28 61 29 3f 61 3a 5c 22 5c 22 3a 5c 22 5c 22 7d 3b 5f 2e 6a 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 68 69 73 2e 77 69 64 74 68 5c 75 30 30 33 64 61 3b 74 68 69 73 2e 68 65 69 67 68 74 5c 75 30 30 33 64 62 7d 3b 5f 2e 6d 5c 75 30 30 33 64 5f 2e 6a 65 2e 70 72 6f 74 6f 74 79 70 65 3b 5f 2e 6d 2e 61 73 70 65 63 74 52 61 74 69 6f 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 77 69 64 74 68 2f 74 68 69 73 2e 68 65 69 67 68 74 7d 3b 5f 2e 6d 2e 45 62 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 Data Ascii: 26(a\u003da.nonce\|\|a.getAttribute(\"nonce\"))\u0026\u0026he.test(a)?a:\"\":\"\"};_.je\u003dfunction(a,b){this.width\u003da;this.height\u003db};_.m\u003d_.je.prototype;_.m.aspectRatio\u003dfunction(){return this.width/this.height};_.m.Eb\u003dfunction(){re
2024-04-30 17:06:15 UTC	1479	IN	Data Raw: 63 74 69 6f 6e 28 61 2c 62 29 7b 62 5c 75 30 30 33 64 53 74 72 69 6e 67 28 62 29 3b 5c 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 5c 22 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2e 63 6f 6e 74 65 6e 74 54 79 70 65 5c 75 30 30 32 36 5c 75 30 30 32 36 28 62 5c 75 30 30 33 64 62 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 29 3b 72 65 74 75 72 6e 20 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 62 29 7d 3b 5f 2e 6e 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 62 5c 75 30 30 33 64 61 2e 66 69 72 73 74 43 68 69 6c 64 3b 29 61 2e 72 65 6d 6f 76 65 43 68 69 6c 64 28 62 29 7d 3b 5f 2e 6f 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 39 5c 75 30 30 33 64 Data Ascii: ction(a,b){b\u003dString(b);\"application/xhtml+xml\"\u003d\u003d\u003da.contentType\u0026\u0026(b\u003db.toLowerCase());return a.createElement(b)};_.ne\u003dfunction(a){for(var b;b\u003da.firstChild;)a.removeChild(b)};_.oe\u003dfunction(a){return 9\u003d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49709	142.250.190.132	443	4360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:15 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-30 17:06:15 UTC	1434	IN	HTTP/1.1 200 OK Version: 628208672 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Date: Tue, 30 Apr 2024 17:06:15 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-30 17:06:15 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-04-30 17:06:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49718	142.250.191.206	443	4360	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:18 UTC	729	OUT	GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1 Host: apis.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCLnKzQEIitPNARj1yc0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-30 17:06:18 UTC	914	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Access-Control-Allow-Origin: * Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/social-frontend-mpm-access Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="social-frontend-mpm-access" Report-To: {"group":"social-frontend-mpm-access","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/social-frontend-mpm-access"}]} Content-Length: 121628 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 30 Apr 2024 16:15:10 GMT Expires: Wed, 30 Apr 2025 16:15:10 GMT Cache-Control: public, max-age=31536000 Last-Modified: Mon, 15 Apr 2024 17:34:54 GMT Content-Type: text/javascript; charset=UTF-8 Vary: Accept-Encoding Age: 3068 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-30 17:06:18 UTC	341	IN	Data Raw: 67 61 70 69 2e 6c 6f 61 64 65 64 5f 30 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 3f 67 6c 6f 62 61 6c 54 68 69 73 3a 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 73 65 6c 66 3f 73 65 6c 66 3a 74 68 69 73 29 2e 5f 46 5f 74 6f 67 67 6c 65 73 3d 61 7c 7c 5b 5d 7d 3b 28 30 2c 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 29 28 5b 30 78 32 30 30 30 30 2c 20 5d 29 3b 0a 76 61 72 20 62 61 2c 63 61 2c 64 61 2c 6e 61 2c 70 61 2c 76 61 2c 77 61 2c 7a 61 3b 62 61 3d 66 75 6e 63 Data Ascii: gapi.loaded_0(function(_){var window=this;_._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x20000, ]);var ba,ca,da,na,pa,va,wa,za;ba=func
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 3b 63 61 3d 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 69 65 73 3f 4f 62 6a 65 63 74 2e 64 65 66 69 6e 65 50 72 6f 70 65 72 74 79 3a 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 61 3d 3d 41 72 72 61 79 2e 70 72 6f 74 6f 74 79 70 65 7c 7c 61 3d 3d 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 29 72 65 74 75 72 6e 20 61 3b 61 5b 62 5d 3d 63 2e 76 61 6c 75 65 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 64 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 5b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 26 26 67 6c 6f 62 61 6c 54 68 69 73 2c 61 2c 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2c 22 6f Data Ascii: ;ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};da=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"o
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 22 3d 3d 3d 74 79 70 65 6f 66 20 64 26 26 22 66 75 6e 63 74 69 6f 6e 22 21 3d 74 79 70 65 6f 66 20 64 2e 70 72 6f 74 6f 74 79 70 65 5b 61 5d 26 26 63 61 28 64 2e 70 72 6f 74 6f 74 79 70 65 2c 61 2c 7b 63 6f 6e 66 69 67 75 72 61 62 6c 65 3a 21 30 2c 77 72 69 74 61 62 6c 65 3a 21 30 2c 76 61 6c 75 65 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 70 61 28 62 61 28 74 68 69 73 29 29 7d 7d 29 7d 72 65 74 75 72 6e 20 61 7d 29 3b 70 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 7b 6e 65 78 74 3a 61 7d 3b 61 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 7d 3b 72 65 74 75 72 6e 20 61 7d 3b 0a 5f 2e 75 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 22 75 6e 64 65 66 Data Ascii: "===typeof d&&"function"!=typeof d.prototype[a]&&ca(d.prototype,a,{configurable:!0,writable:!0,value:function(){return pa(ba(this))}})}return a});pa=function(a){a={next:a};a[Symbol.iterator]=function(){return this};return a};_.ua=function(a){var b="undef
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 66 29 7b 74 68 69 73 2e 50 66 3d 5b 5d 3b 76 61 72 20 6b 3d 74 68 69 73 3b 74 68 69 73 2e 74 50 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6b 2e 45 37 28 29 7d 29 7d 74 68 69 73 2e 50 66 2e 70 75 73 68 28 68 29 7d 3b 76 61 72 20 64 3d 5f 2e 6d 61 2e 73 65 74 54 69 6d 65 6f 75 74 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 74 50 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 64 28 68 2c 30 29 7d 3b 62 2e 70 72 6f 74 6f 74 79 70 65 2e 45 37 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 3b 74 68 69 73 2e 50 66 26 26 74 68 69 73 2e 50 66 2e 6c 65 6e 67 74 68 3b 29 7b 76 61 72 20 68 3d 74 68 69 73 2e 50 66 3b 74 68 69 73 2e 50 66 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 6b 3d 30 3b 6b 3c 68 2e 6c 65 6e 67 74 68 3b 2b 2b 6b 29 7b 76 61 72 20 6c 3d 68 5b 6b 5d 3b 68 5b 6b 5d 3d 6e 75 Data Ascii: f){this.Pf=[];var k=this;this.tP(function(){k.E7()})}this.Pf.push(h)};var d=_.ma.setTimeout;b.prototype.tP=function(h){d(h,0)};b.prototype.E7=function(){for(;this.Pf&&this.Pf.length;){var h=this.Pf;this.Pf=[];for(var k=0;k<h.length;++k){var l=h[k];h[k]=nu
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 74 79 70 65 2e 6e 65 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 68 3d 74 68 69 73 3b 64 28 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 68 2e 67 63 61 28 29 29 7b 76 61 72 20 6b 3d 5f 2e 6d 61 2e 63 6f 6e 73 6f 6c 65 3b 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 3d 74 79 70 65 6f 66 20 6b 26 26 6b 2e 65 72 72 6f 72 28 68 2e 46 66 29 7d 7d 2c 0a 31 29 7d 3b 65 2e 70 72 6f 74 6f 74 79 70 65 2e 67 63 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 74 68 69 73 2e 73 56 29 72 65 74 75 72 6e 21 31 3b 76 61 72 20 68 3d 5f 2e 6d 61 2e 43 75 73 74 6f 6d 45 76 65 6e 74 2c 6b 3d 5f 2e 6d 61 2e 45 76 65 6e 74 2c 6c 3d 5f 2e 6d 61 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 3b 69 66 28 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 3d 74 79 70 65 6f 66 20 6c 29 72 65 74 75 72 Data Ascii: type.nea=function(){var h=this;d(function(){if(h.gca()){var k=_.ma.console;"undefined"!==typeof k&&k.error(h.Ff)}},1)};e.prototype.gca=function(){if(this.sV)return!1;var h=_.ma.CustomEvent,k=_.ma.Event,l=_.ma.dispatchEvent;if("undefined"===typeof l)retur
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 68 69 73 2e 73 56 3d 21 30 7d 3b 65 2e 72 65 73 6f 6c 76 65 3d 63 3b 65 2e 72 65 6a 65 63 74 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 65 28 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 6c 28 68 29 7d 29 7d 3b 65 2e 72 61 63 65 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 65 28 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 66 6f 72 28 76 61 72 20 6d 3d 5f 2e 75 61 28 68 29 2c 6e 3d 6d 2e 6e 65 78 74 28 29 3b 21 6e 2e 64 6f 6e 65 3b 6e 3d 6d 2e 6e 65 78 74 28 29 29 63 28 6e 2e 76 61 6c 75 65 29 2e 42 79 28 6b 2c 6c 29 7d 29 7d 3b 65 2e 61 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 76 61 72 20 6b 3d 5f 2e 75 61 28 68 29 2c 6c 3d 6b 2e 6e 65 78 74 28 29 3b 72 65 74 75 72 6e 20 6c 2e 64 6f 6e 65 3f 63 28 5b Data Ascii: his.sV=!0};e.resolve=c;e.reject=function(h){return new e(function(k,l){l(h)})};e.race=function(h){return new e(function(k,l){for(var m=_.ua(h),n=m.next();!n.done;n=m.next())c(n.value).By(k,l)})};e.all=function(h){var k=_.ua(h),l=k.next();return l.done?c([
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 2e 73 65 61 6c 29 72 65 74 75 72 6e 21 31 3b 74 72 79 7b 76 61 72 20 6c 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 7d 29 2c 6d 3d 4f 62 6a 65 63 74 2e 73 65 61 6c 28 7b 7d 29 2c 6e 3d 6e 65 77 20 61 28 5b 5b 6c 2c 32 5d 2c 5b 6d 2c 33 5d 5d 29 3b 69 66 28 32 21 3d 6e 2e 67 65 74 28 6c 29 7c 7c 33 21 3d 6e 2e 67 65 74 28 6d 29 29 72 65 74 75 72 6e 21 31 3b 6e 2e 64 65 6c 65 74 65 28 6c 29 3b 6e 2e 73 65 74 28 6d 2c 34 29 3b 72 65 74 75 72 6e 21 6e 2e 68 61 73 28 6c 29 26 26 34 3d 3d 6e 2e 67 65 74 28 6d 29 7d 63 61 74 63 68 28 70 29 7b 72 65 74 75 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 0a 76 61 72 20 66 3d 22 24 6a 73 63 6f 6d 70 5f 68 69 64 64 65 6e 5f 22 2b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 Data Ascii: .seal)return!1;try{var l=Object.seal({}),m=Object.seal({}),n=new a([[l,2],[m,3]]);if(2!=n.get(l)\|\|3!=n.get(m))return!1;n.delete(l);n.set(m,4);return!n.has(l)&&4==n.get(m)}catch(p){return!1}}())return a;var f="$jscomp_hidden_"+Math.random();e("freeze");e(
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 3d 6e 65 77 20 57 65 61 6b 4d 61 70 2c 63 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 5b 30 5d 3d 7b 7d 3b 74 68 69 73 5b 31 5d 3d 0a 66 28 29 3b 74 68 69 73 2e 73 69 7a 65 3d 30 3b 69 66 28 6b 29 7b 6b 3d 5f 2e 75 61 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 6b 3d 30 3d 3d 3d 6b 3f 30 3a 6b 3b 76 61 72 20 6d 3d 64 28 74 68 69 73 2c 6b 29 3b 6d 2e 6c 69 73 74 7c 7c 28 6d 2e 6c 69 73 74 3d 74 68 69 73 5b 30 5d 5b 6d 2e 69 64 5d 3d 5b 5d 29 3b 6d 2e 6e 66 3f 6d 2e 6e 66 2e 76 61 6c 75 65 3d 6c 3a 28 6d 2e 6e Data Ascii: =new WeakMap,c=function(k){this[0]={};this[1]=f();this.size=0;if(k){k=_.ua(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};c.prototype.set=function(k,l){k=0===k?0:k;var m=d(this,k);m.list\|\|(m.list=this[0][m.id]=[]);m.nf?m.nf.value=l:(m.n
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 62 2e 67 65 74 28 6c 29 3a 28 6d 3d 22 22 2b 20 2b 2b 68 2c 62 2e 73 65 74 28 6c 2c 6d 29 29 3a 6d 3d 22 70 5f 22 2b 6c 3b 76 61 72 20 6e 3d 6b 5b 30 5d 5b 6d 5d 3b 69 66 28 6e 26 26 76 61 28 6b 5b 30 5d 2c 6d 29 29 66 6f 72 28 6b 3d 30 3b 6b 3c 6e 2e 6c 65 6e 67 74 68 3b 6b 2b 2b 29 7b 76 61 72 20 70 3d 6e 5b 6b 5d 3b 69 66 28 6c 21 3d 3d 6c 26 26 70 2e 6b 65 79 21 3d 3d 70 2e 6b 65 79 7c 7c 6c 3d 3d 3d 70 2e 6b 65 79 29 72 65 74 75 72 6e 7b 69 64 3a 6d 2c 6c 69 73 74 3a 6e 2c 69 6e 64 65 78 3a 6b 2c 6e 66 3a 70 7d 7d 72 65 74 75 72 6e 7b 69 64 3a 6d 2c 6c 69 73 74 3a 6e 2c 69 6e 64 65 78 3a 2d 31 2c 6e 66 3a 76 6f 69 64 20 30 7d 7d 2c 65 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 76 61 72 20 6d 3d 6b 5b 31 5d 3b 72 65 74 75 72 6e 20 70 61 28 66 75 6e Data Ascii: b.get(l):(m=""+ ++h,b.set(l,m)):m="p_"+l;var n=k[0][m];if(n&&va(k[0],m))for(k=0;k<n.length;k++){var p=n[k];if(l!==l&&p.key!==p.key\|\|l===p.key)return{id:m,list:n,index:k,nf:p}}return{id:m,list:n,index:-1,nf:void 0}},e=function(k,l){var m=k[1];return pa(fun
2024-04-30 17:06:18 UTC	1255	IN	Data Raw: 6e 21 31 3b 76 61 72 20 65 3d 64 2e 65 6e 74 72 69 65 73 28 29 2c 66 3d 65 2e 6e 65 78 74 28 29 3b 69 66 28 66 2e 64 6f 6e 65 7c 7c 66 2e 76 61 6c 75 65 5b 30 5d 21 3d 63 7c 7c 66 2e 76 61 6c 75 65 5b 31 5d 21 3d 63 29 72 65 74 75 72 6e 21 31 3b 66 3d 65 2e 6e 65 78 74 28 29 3b 72 65 74 75 72 6e 20 66 2e 64 6f 6e 65 7c 7c 66 2e 76 61 6c 75 65 5b 30 5d 3d 3d 63 7c 7c 34 21 3d 66 2e 76 61 6c 75 65 5b 30 5d 2e 78 7c 7c 66 2e 76 61 6c 75 65 5b 31 5d 21 3d 66 2e 76 61 6c 75 65 5b 30 5d 3f 21 31 3a 65 2e 6e 65 78 74 28 29 2e 64 6f 6e 65 7d 63 61 74 63 68 28 68 29 7b 72 65 74 75 72 6e 21 31 7d 7d 28 29 29 72 65 74 75 72 6e 20 61 3b 76 61 72 20 62 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 74 68 69 73 2e 44 61 3d 6e 65 77 20 4d 61 70 3b 69 66 28 63 29 7b 63 3d 0a 5f Data Ascii: n!1;var e=d.entries(),f=e.next();if(f.done\|\|f.value[0]!=c\|\|f.value[1]!=c)return!1;f=e.next();return f.done\|\|f.value[0]==c\|\|4!=f.value[0].x\|\|f.value[1]!=f.value[0]?!1:e.next().done}catch(h){return!1}}())return a;var b=function(c){this.Da=new Map;if(c){c=_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49720	23.221.246.93	443

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:21 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-30 17:06:21 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0790) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=223031 Date: Tue, 30 Apr 2024 17:06:21 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49721	23.221.246.93	443

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:22 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-30 17:06:22 UTC	870	IN	HTTP/1.1 206 Partial Content Accept-Ranges: bytes ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 X-CCC: US X-Azure-Ref-OriginShield: Ref A: 52EA27DBDE0C4533B819423583F6692E Ref B: CH1AA2040902052 Ref C: 2023-07-09T23:10:08Z X-MSEdge-Ref: Ref A: 528BB8D443C042AA9AEA4EC3F75C7762 Ref B: CHI30EDGE0111 Ref C: 2023-07-09T23:11:11Z Content-Type: application/octet-stream X-Azure-Ref: 01uvbYwAAAACkqWtaEMjWQL/4cpisZkorTUVNMzBFREdFMDgxMQBjZWZjMjU4My1hOWIyLTQ0YTctOTc1NS1iNzZkMTdlMDVmN2Y= Cache-Control: public, max-age=222913 Date: Tue, 30 Apr 2024 17:06:22 GMT Content-Range: bytes 0-54/55 Content-Length: 55 Connection: close X-CID: 2
2024-04-30 17:06:22 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49722	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:06:24 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tc2PCTAgnFcyOnv&MD=oD+GSurf HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-30 17:06:25 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 0b1d9846-7bca-445a-9151-9403a00e7b8d MS-RequestId: 2c390d58-3670-488d-9eb7-c1725c302ee3 MS-CV: tDYYxYq1BkuoHL2U.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 30 Apr 2024 17:06:24 GMT Connection: close Content-Length: 24490
2024-04-30 17:06:25 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-30 17:06:25 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49728	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-04-30 17:07:06 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tc2PCTAgnFcyOnv&MD=oD+GSurf HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-30 17:07:07 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 82c8eba0-4d6a-4555-93cb-96e123368df6 MS-RequestId: e7d93162-66bd-48c6-a40f-095540968d6b MS-CV: mNRR5udagEuHVZnb.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 30 Apr 2024 17:07:06 GMT Connection: close Content-Length: 25457
2024-04-30 17:07:07 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-30 17:07:07 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	5
Start time:	19:06:07
Start date:	30/04/2024
Path:	C:\Users\user\Desktop\xrPfnwOyJZqd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xrPfnwOyJZqd.exe"
Imagebase:	0x40000
File size:	33'792 bytes
MD5 hash:	B45D6B705FF5E1D95974F680C73EDCA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000000.1321318210.0000000000042000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.3783913668.0000000002331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	19:06:12
Start date:	30/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	19:06:12
Start date:	30/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2064,i,9320462037478548023,11330767766689099081,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FFAAC879D4D Relevance: 3.6, Strings: 2, Instructions: 1118COMMON

Download Yara Rule

Strings

'T_L, xrefs: 00007FFAAC87A872
, xrefs: 00007FFAAC87A82A

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: $'T_L
API String ID: 0-2520150170
Opcode ID: 7b1344ffd2acf36e408701c6d057b95593dbd769e54b025889ede5a72e1a0a60
Instruction ID: 1a12c925a7480798450bc8fb36cc9f05ee4d19b952ad3c1bffcdfd04396d0b71
Opcode Fuzzy Hash: 7b1344ffd2acf36e408701c6d057b95593dbd769e54b025889ede5a72e1a0a60
Instruction Fuzzy Hash: 97728165B1D9198FFB94E7388495AB972D2FF9D300F5085B8D01ED72D2EE28F8468780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC875FE6 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01706a7dd1f4a43fb7fcc8d6899eb52cb2c77a0e4b406f1da2aa1b98c537397
Instruction ID: aa3183576675b4689075fe8c777ca92722c9a0222462c1bf09e29fc8eb4258be
Opcode Fuzzy Hash: e01706a7dd1f4a43fb7fcc8d6899eb52cb2c77a0e4b406f1da2aa1b98c537397
Instruction Fuzzy Hash: B2026E30919A4D8FFBA8DF28C855BF937D1FB59310F44827AD80DC7691DB38A9498B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC876D92 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c607793251c1ae2ce2fb69a587f2aed9517f7d98f716e0ad1cba097f18863e
Instruction ID: 71fc3500ef4adcbb30850323416e6b0b6391e2452d59ad46f3614047e72f8f0a
Opcode Fuzzy Hash: 65c607793251c1ae2ce2fb69a587f2aed9517f7d98f716e0ad1cba097f18863e
Instruction Fuzzy Hash: 71F17E70919A4E8FFBA8DF28C8557F937D1FB59310F14827AE80DC7291DE78A9448B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870740 Relevance: 4.1, Strings: 3, Instructions: 373COMMON

Download Yara Rule

Strings

r6Y, xrefs: 00007FFAAC87995B
r6Y, xrefs: 00007FFAAC879BC3
6Y, xrefs: 00007FFAAC879AA5

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: 6Y$r6Y$r6Y
API String ID: 0-1975993156
Opcode ID: 9f85159add69e8914410ed5e9a0e56e1ba69809010f643461956bf77cbc1ed38
Instruction ID: 913ef1d6de581b04e2245fa59925dd3ee308d11baaca61057007384efe603550
Opcode Fuzzy Hash: 9f85159add69e8914410ed5e9a0e56e1ba69809010f643461956bf77cbc1ed38
Instruction Fuzzy Hash: E9C107B1A18A29CFE798EB28C094BA4B7D1FB9E311B4445B8D04EC72D6DE34F8458780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC871918 Relevance: 4.0, Strings: 3, Instructions: 204COMMON

Download Yara Rule

Strings

/Y, xrefs: 00007FFAAC871A29
/Y, xrefs: 00007FFAAC8719CA
HBc, xrefs: 00007FFAAC8719E9

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: HBc$/Y$/Y
API String ID: 0-332040419
Opcode ID: b9df855ef43d2b481617bd8049b42546b8d1c59ba40392d576a9cc55b4aca99c
Instruction ID: fa72d192c84bc7221ad35d19562393ce61ce4bcddf0dcb489d0c8d5887e1890c
Opcode Fuzzy Hash: b9df855ef43d2b481617bd8049b42546b8d1c59ba40392d576a9cc55b4aca99c
Instruction Fuzzy Hash: EC611431D0D6868FEB46977484126A9BBA1FF4B320F1842F9D05DC75D3EE28B846C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8723EB Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

HBc, xrefs: 00007FFAAC872621
r6Y, xrefs: 00007FFAAC872451

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: HBc$r6Y
API String ID: 0-2902684365
Opcode ID: faef0b08ec6597e626c66892f4a4bb39b5432e5957f69c10570f5b91007eb738
Instruction ID: b12cb0b2643077deb88ce4c2dc7edf11637b84138ce238e44f21af666a5d9431
Opcode Fuzzy Hash: faef0b08ec6597e626c66892f4a4bb39b5432e5957f69c10570f5b91007eb738
Instruction Fuzzy Hash: B9812AA2B19A098FE798E73C80557F9A7D1FB9D351F5485B9D00EC32C2ED28A84687C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870925 Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

0Dc, xrefs: 00007FFAAC870AA1
0Dc, xrefs: 00007FFAAC870A50

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: 0Dc$0Dc
API String ID: 0-1675028598
Opcode ID: da0549ad268bcaffa061f37a25a46829ee47661cbb1dde767e0abf5cb1dfa32b
Instruction ID: 78bfc0658058236f4ee1868ed2ccaf740891e0eca45747bbf27e43a5f2a9ba76
Opcode Fuzzy Hash: da0549ad268bcaffa061f37a25a46829ee47661cbb1dde767e0abf5cb1dfa32b
Instruction Fuzzy Hash: E0510C61B59A4A4FE788F77894696FDB7A1FF8D214B8045B9D00EC31C3EE28A90583D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8727D5 Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

6Y, xrefs: 00007FFAAC87284A

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: 6Y
API String ID: 0-3853756761
Opcode ID: 3bdeccce98722e056731f15d457741f34ba042840b96b82bd2009aaade1fbc36
Instruction ID: 4ad8f543920a6943031e8330cddf4550d7dd962c08ca374d94c95a6f2ff7d03f
Opcode Fuzzy Hash: 3bdeccce98722e056731f15d457741f34ba042840b96b82bd2009aaade1fbc36
Instruction Fuzzy Hash: 4BB16EA07689058BF749B77CC856BF9A2D6FF99301F5485BAE00DC33E3DD18A8428681

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC871670 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

0?v, xrefs: 00007FFAAC871789

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: 0?v
API String ID: 0-1743303294
Opcode ID: e4ab5da0059b040a2461b8d05014dbbb1e7adffb8a251647d9bf42675f25900f
Instruction ID: d3dc3b3a58c99caf520af87188b34c163ab0a6d94e8504a87d5832cda55c4423
Opcode Fuzzy Hash: e4ab5da0059b040a2461b8d05014dbbb1e7adffb8a251647d9bf42675f25900f
Instruction Fuzzy Hash: 6F51C1B0909A5DCFEB58EF28C455AA977E0FF5A311F00416ED00EC3692DB35E845CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870B5E Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

r6Y, xrefs: 00007FFAAC870BD2

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: r6Y
API String ID: 0-1261969706
Opcode ID: b71328e26080978c14aacb0f24f1713b98b18aab4c28574c68f6188d2181e521
Instruction ID: a6276ea69de3400ca94b88263eb00197a1455cd1bbe67bd78c79f85a37d34d6e
Opcode Fuzzy Hash: b71328e26080978c14aacb0f24f1713b98b18aab4c28574c68f6188d2181e521
Instruction Fuzzy Hash: 1F41476170DA890FE789A77C84296797BD1EF8A314F0841FFE04EC72A3CD589C068341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8704C8 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

r6Y, xrefs: 00007FFAAC870BD2

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: r6Y
API String ID: 0-1261969706
Opcode ID: 12b0def2fe347257e347cba9829af8e168b655dc4593ed328757618174321e03
Instruction ID: 1eb7ebb5b76807bcf5b4b882ffd12c7d9b3d02a812250d18b85acc78423201c2
Opcode Fuzzy Hash: 12b0def2fe347257e347cba9829af8e168b655dc4593ed328757618174321e03
Instruction Fuzzy Hash: DC319562B1C9494FE788EB7C945A779A6C5FF9D315F0845BEE00EC32A3DE589C428381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870CC1 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

HBc, xrefs: 00007FFAAC870CF9

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: HBc
API String ID: 0-2734630682
Opcode ID: 4c376f3c0b10bd8737f22490d9fdd32fe9d1829c3640331ebabfff84b9c52aac
Instruction ID: 22636420fe02fcd463d20e33547259c8841cb518d3c977294f1197f30dac45df
Opcode Fuzzy Hash: 4c376f3c0b10bd8737f22490d9fdd32fe9d1829c3640331ebabfff84b9c52aac
Instruction Fuzzy Hash: 9341D2B4A0861A8FEB45EB78C4556F9BBB1FF89301F5085B9D00DD3392EE38A9018780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870E1B Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

6Y, xrefs: 00007FFAAC870E32

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: 6Y
API String ID: 0-3853756761
Opcode ID: 730452dfe3b9c84bcd1022d85320ae1b2074438f596f3dcc7c544c5d8f52f15e
Instruction ID: d71fbf76344f355043cdbe9de2e061f48b465b546107ecdfed84da35757d0ea3
Opcode Fuzzy Hash: 730452dfe3b9c84bcd1022d85320ae1b2074438f596f3dcc7c544c5d8f52f15e
Instruction Fuzzy Hash: 1B31BC52B189194FF784B7BC985A7FD66D5FF9C311F1081B6E00DC32D2ED18A8414791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870E20 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

6Y, xrefs: 00007FFAAC870E32

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: 6Y
API String ID: 0-3853756761
Opcode ID: 9a7a8441acded203fe2c5a492166c158e86875a55d1b8ee4ac67d0954bcbe33e
Instruction ID: c77537288d9b477a19f304e66f4146c58d5e911338259ebce915fcc5150c797a
Opcode Fuzzy Hash: 9a7a8441acded203fe2c5a492166c158e86875a55d1b8ee4ac67d0954bcbe33e
Instruction Fuzzy Hash: FA31AB62B189194FF744B7BC985A7FD66D5FF9C351F1082BAE00DC32D2ED18A8414791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC877F4B Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFAAC877F93

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 393dc6435e91e536c6774f0c0981f889d6839e3cc6046f79f630d70471a8c667
Instruction ID: 236948e98b326e5a399a84cd377fa0a650ce7fc8f0043437d0c32bc8025bd2bc
Opcode Fuzzy Hash: 393dc6435e91e536c6774f0c0981f889d6839e3cc6046f79f630d70471a8c667
Instruction Fuzzy Hash: C1118271D0962ACBFB55AB6885092FDB6E0FF49304F00407AD91DE2281EE29B958C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC871421 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

HBc, xrefs: 00007FFAAC871446

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: HBc
API String ID: 0-2734630682
Opcode ID: dc1facfaba27e6e0dc616e5c6dd3a1590648c8138f1d29b09eba738cb75f9ef5
Instruction ID: 0f4e3926e7e8811579dc7eba31fc8d61ac8cc62e2e6a219cba60583363934020
Opcode Fuzzy Hash: dc1facfaba27e6e0dc616e5c6dd3a1590648c8138f1d29b09eba738cb75f9ef5
Instruction Fuzzy Hash: BB01F951E0EA558FFB94777880652792AA1FF9B340F4485F9E00EC65D3EE1CB8158382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8710DB Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

8ec, xrefs: 00007FFAAC8710ED

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID: 8ec
API String ID: 0-4106409955
Opcode ID: e18d348c6a58697fd9bc1e71167956daeb00b0bfcc3692cb418ad09752af8d8f
Instruction ID: 0db2483f6d8dcd6ce89a6fcdab36bae309175d258143516286ebff8563b0e2f2
Opcode Fuzzy Hash: e18d348c6a58697fd9bc1e71167956daeb00b0bfcc3692cb418ad09752af8d8f
Instruction Fuzzy Hash: 64F05C91A0DA654FF384F73C948A4767FD1E798351B044479F84DC22E5FC18EA8203C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC87869E Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2198849275d32fc1106bd025181c78ffb9bd29b804f7af3fc6e76f3c50d0ca6a
Instruction ID: c9e1f6214e8aa23e3d7d63540f7b808d92a4d20773d5321143dc01d29f917753
Opcode Fuzzy Hash: 2198849275d32fc1106bd025181c78ffb9bd29b804f7af3fc6e76f3c50d0ca6a
Instruction Fuzzy Hash: 8A510471D0AA268FF749E73884456A57BD1FF4A351F4486B9D00ED7192EE2CF84A83C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870538 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ed15d00fd40831cc743ae50106381be43363c86dd0b0842c5895e33d8777be
Instruction ID: 58b6948cae91e2b2dede00789c2d4cb2c6ca9fc0643814b6507ad3f23194fd6f
Opcode Fuzzy Hash: d7ed15d00fd40831cc743ae50106381be43363c86dd0b0842c5895e33d8777be
Instruction Fuzzy Hash: E651167190D6598FE718DB68C845AF97BE0FF9A320F0481BED00EC7592EB39A446C791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC87894B Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224a20bca5030ec1658f02d554dea12525e08ad0dbe21a213799e8bfa636ad82
Instruction ID: 4cc9945eb2888af672ac0e44ac7c922f4092dbadfce447b3ccaefafb5f319116
Opcode Fuzzy Hash: 224a20bca5030ec1658f02d554dea12525e08ad0dbe21a213799e8bfa636ad82
Instruction Fuzzy Hash: 37518771B19A198FEB94EB78D455ABCB7E1FF89301F4045B9E00DE3292DE28F8458781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC87803B Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0d8139a25767a7bbbf7e011d68792e54ea6cee30b012737bfa9466fb94539b
Instruction ID: 13cdda12b37d6f49e5c54fd3af3f6855c3f049f2392318f28f82ca920a25ec34
Opcode Fuzzy Hash: ef0d8139a25767a7bbbf7e011d68792e54ea6cee30b012737bfa9466fb94539b
Instruction Fuzzy Hash: C8515170A08A1C8FDB98DF68D845BEDB7F1FF98311F10826AD44ED3256DA34A9458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8738CB Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66a98d06666a5d208fb3a79d72d782b58b01da596c3a881c99912c563a81179
Instruction ID: 12ae62df28832a1aaa9d695f4cda3f322e025f539f860ebba39f48f87c7fbda1
Opcode Fuzzy Hash: a66a98d06666a5d208fb3a79d72d782b58b01da596c3a881c99912c563a81179
Instruction Fuzzy Hash: 16512E71918A1C8FDBA8EF58D845BE9B7F1FB59310F1082AAD40DE3251DE34A9858FC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC877803 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8119fd65a45b710bfac2f8d21afe2899d664461f484439e602c336dab04688ef
Instruction ID: 8040df15be5d820a593e62a02a5a6ff08f19785bcdb450406a4323176a489b0b
Opcode Fuzzy Hash: 8119fd65a45b710bfac2f8d21afe2899d664461f484439e602c336dab04688ef
Instruction Fuzzy Hash: 7801C476A1DBAD4FE752E728D4651A97BB0FF9A310B0541F3D04CC3197EA18AC0987C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC878C0B Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da97fcfc12521c9fd7b6058fa90575ada6dee91d584d4596cda7f9722d2228c
Instruction ID: 3f0ed895f3b971b2a26626e6a047d1132874cba827a48dbc094278e01cd78dec
Opcode Fuzzy Hash: 0da97fcfc12521c9fd7b6058fa90575ada6dee91d584d4596cda7f9722d2228c
Instruction Fuzzy Hash: 43419971A1991C8FEB94EB7CD455AA9B7E2FF9D311F044579E00ED32A2DE24EC418780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC878387 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebea77791f9e6c04d610c3e7f2a4639b05d9594532eb1d730afd3b90d1a02acf
Instruction ID: bd288e60943f97e4707856a9b03ffb02c051b7c47d82132cc54ba06a70523bab
Opcode Fuzzy Hash: ebea77791f9e6c04d610c3e7f2a4639b05d9594532eb1d730afd3b90d1a02acf
Instruction Fuzzy Hash: D141A971A0991D8FEF84EB68C4596BD7BE1FF9D301B44447AD40DD3292EF34A8458781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8793A5 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a8bd1f1676d70d2015a87cea641da73e09fda2fee56fc867df18541a86c5a4
Instruction ID: 82f092b1c780d7b3fa29164f69ae25845b2a6936bcddf137c67d9d9d9ee6d35d
Opcode Fuzzy Hash: 46a8bd1f1676d70d2015a87cea641da73e09fda2fee56fc867df18541a86c5a4
Instruction Fuzzy Hash: BB31D43190CB488FDB55DBA8D845AE9BBF0FF56320F0482AFD04DC7592D724A409CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC872662 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53c9f6fb1503a976739b65aee2129bfbd462f0be7e272ef7f7ff49e057fa301
Instruction ID: 5c7e425c86ab430a3f8da5ed84ca97abf9c24a4810bd081901faf53674484a7f
Opcode Fuzzy Hash: b53c9f6fb1503a976739b65aee2129bfbd462f0be7e272ef7f7ff49e057fa301
Instruction Fuzzy Hash: 10112752B2D9558BF758A72C54152BAA6D2FB8E390F4085BEE08EC35D3EE18EC0603C5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC878D71 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791a3381f39563c8b08ecfb862a8f27e496698e1342bd07e2ca80fb4f4589bb4
Instruction ID: c0294d81da8d79006db0e9797fcca6764a562d49fbd60e3f380f083ff21994ec
Opcode Fuzzy Hash: 791a3381f39563c8b08ecfb862a8f27e496698e1342bd07e2ca80fb4f4589bb4
Instruction Fuzzy Hash: 29212872E099198FEB98DB288045ABCB6E1FF59311F0041BED00FE3191DF29A84587C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC879C3D Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd50675e1ef7193b52020c0b459aa27f33128e4b6affd1de5176934b0da946c
Instruction ID: a0a3a380b033b09ce7ff2db58caa3c0615e87d4d335533c0b9935336e7763412
Opcode Fuzzy Hash: 8cd50675e1ef7193b52020c0b459aa27f33128e4b6affd1de5176934b0da946c
Instruction Fuzzy Hash: 9021F62554F6D98FEB42A77858111E67FA4EF47224F0841FBD08DCB0D3E919A51AC382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC87856B Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f13ab9dc1714e02e809cd11c926ba26c33e3460ae337b045b8394829e63b29
Instruction ID: 20fe07e42032faf62dd4f80c8c0e7b3e56a15273d77d7b83d9e5f37a6d8654aa
Opcode Fuzzy Hash: 61f13ab9dc1714e02e809cd11c926ba26c33e3460ae337b045b8394829e63b29
Instruction Fuzzy Hash: D011F062E1491E8FE746EB6CC8522FDBBA1FF89300F504275C01ED32D5EE24A94A97C0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8791B1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17db5d61f115b70fc3a220de8978bbc83a72986e152372a71a717228d29854fb
Instruction ID: 3e3dd78efd2386020295094fcedea3504149e7bb31b7eba6aa0624622f4e74db
Opcode Fuzzy Hash: 17db5d61f115b70fc3a220de8978bbc83a72986e152372a71a717228d29854fb
Instruction Fuzzy Hash: 1C21D190B5C9698AF745A3B89426BE8B7D1FB89310F0082BAE01DC32D3DD18A9048792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8792C9 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2fc6b279bd3b19ca1f98cc735fceb5b9f4ac6ebb94bef4d51f63b20efe30b7
Instruction ID: f346f96779b103ca8407d606f0725b76b5902d8fe717979fe515d6b4c027109b
Opcode Fuzzy Hash: 2c2fc6b279bd3b19ca1f98cc735fceb5b9f4ac6ebb94bef4d51f63b20efe30b7
Instruction Fuzzy Hash: 24210820A5E59A4FE746976488525E57BE5FF8B200F0480F9D08DC31C2ED1CE94AC791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC87827B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf5ebf584ade6b1760bfc2c90527573b52776fb67b1a59e0685db2b2d99e94b
Instruction ID: d8b365cf4798fd9f48ee6f0a3346c6d91eca313e338169f83e14bdb8a5cc87f7
Opcode Fuzzy Hash: 4cf5ebf584ade6b1760bfc2c90527573b52776fb67b1a59e0685db2b2d99e94b
Instruction Fuzzy Hash: 33117FB165992DCFEB85EB2CC4855A933E5FBA9302B4045BAE00CC3352EF34E9418BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC871378 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a85e60f4834d4066ea20358f875660d513e79ce708706b491a14c042103d586
Instruction ID: ee16cd5ecc3a546ce9dce14f13d5117c7f4fa54b04b0c27889eeea574f9e11c9
Opcode Fuzzy Hash: 4a85e60f4834d4066ea20358f875660d513e79ce708706b491a14c042103d586
Instruction Fuzzy Hash: 5111E1F1949A4D4FE74CDF2884A92E9BFE1EB9D211F4080AFD44ED3A92EE7422058740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC8712CB Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1165a4bb47e7982a113f36059c2b3d891727a1fb434551d25d71fe5175b19cc7
Instruction ID: 6ccf72e4fbd9e8e25121d2ebefe3641ea7ccc5fbbea24ba64797eaeb77c79f2d
Opcode Fuzzy Hash: 1165a4bb47e7982a113f36059c2b3d891727a1fb434551d25d71fe5175b19cc7
Instruction Fuzzy Hash: 8911E761D1E2528AF319A33988525B936A1BFCB350F8485B8E00DC65C3FE2CF40A43D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC877E61 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5548c83e132fd2352c9ab908a1cb82cff3ac47a26c19722e5182737b99a1db9b
Instruction ID: 60db59fdd95117b7b9cebd06fda36618dc0662577abf9c9be19d7645ac2d51fb
Opcode Fuzzy Hash: 5548c83e132fd2352c9ab908a1cb82cff3ac47a26c19722e5182737b99a1db9b
Instruction Fuzzy Hash: 9301D6B3D19A5D4FEB45EBA4C8155EE7BF1FF29301F4000FBD148C61D2EA2899058781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC878714 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09255e6227879ab598576cb02bb8a6ef95a3d9e1f5bc0044353f7cc03da15d88
Instruction ID: 78fa39d21b96978c2710e263fcd7c38346e6854f5856b4acc1c79bf76d11d4bd
Opcode Fuzzy Hash: 09255e6227879ab598576cb02bb8a6ef95a3d9e1f5bc0044353f7cc03da15d88
Instruction Fuzzy Hash: 34F0DB21A0E4558AF744B7349C5A2E577D1EF16259F4886BDC04ED6092EC0DB48E86C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC871318 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15448b508962555f2e64f4e7bedfa370e1f66113d88e555782d393b64014f95a
Instruction ID: 28849276cee2b84289d4b0ce15a265736bb89b7205bc50b956f4531849f00340
Opcode Fuzzy Hash: 15448b508962555f2e64f4e7bedfa370e1f66113d88e555782d393b64014f95a
Instruction Fuzzy Hash: 76F0817180D522DAF354DB28C44166877A1BB9A310F5086B8D01DC7DC1FF28F45A8780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC871131 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6ed47024d660c4afa1a3d3751676241a2241460d2629fac4fe9dcc133fcc8e
Instruction ID: 9a2f2e9a717dc543f34b23ea97c0c562818129c8bada8dfa83019c3e0a42c926
Opcode Fuzzy Hash: 4d6ed47024d660c4afa1a3d3751676241a2241460d2629fac4fe9dcc133fcc8e
Instruction Fuzzy Hash: 75E0C23186A3CC8FD7525B6058221E67B24FF96200F4505CBF40CCB0A2E720BA1C87D3

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC871274 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f983280f4fca1c7ba748a034fe0804a0e33d819be6b418ff2fa8325ac4b0b1
Instruction ID: 6cb301d6bb90dbadb2471730ac47caf3e50fea0ca848306e8a638767ab1467df
Opcode Fuzzy Hash: 86f983280f4fca1c7ba748a034fe0804a0e33d819be6b418ff2fa8325ac4b0b1
Instruction Fuzzy Hash: 54D08C10C1A2824AE30A237408924807B20AA4B1A0B4942D1D458CA0D3F95D649E43B2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC870750 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9395bfb79849c663ba6993fcdbdefb6804852b1a421f33992355b84ed348b5c3
Instruction ID: a282d30b34bcbfd5087881865cb7f7acec089c15be1d6b8052b523eafa419c5f
Opcode Fuzzy Hash: 9395bfb79849c663ba6993fcdbdefb6804852b1a421f33992355b84ed348b5c3
Instruction Fuzzy Hash: 32C0123585595DDAEF50AB5054015EAB364FB45204F804592F81D82040EA24B32CC6C2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAAC879CA8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3791494913.00007FFAAC870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffaac870000_xrPfnwOyJZqd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df336241faa8718bafd87af145c64774eda748959aada2b73a4eb9bd9065dcb
Instruction ID: 3ab398f19e5050e26e6e7edb2a18e3bfb2bded9f4b3b772b1799075e938d201b
Opcode Fuzzy Hash: 6df336241faa8718bafd87af145c64774eda748959aada2b73a4eb9bd9065dcb
Instruction Fuzzy Hash: 3FD0C73585D59DCAFF51AB1458421D97B50FF45210F4545D6E91C42041E675B21C86C1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xrPfnwOyJZqd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 49

Chrome Cache Entry: 50

Chrome Cache Entry: 51

Chrome Cache Entry: 52

Chrome Cache Entry: 53

Chrome Cache Entry: 54

Chrome Cache Entry: 55

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
xrPfnwOyJZqd.exe