Edit tour

Windows Analysis Report
0e46.scr.exe

Overview

General Information

Sample name:	0e46.scr.exe renamed because original name is a hash value
Original sample name:	.scr.exe
Analysis ID:	1436303
MD5:	77dcf984a36098a6e855c54fa36cd5f7
SHA1:	2fe61c4bbfa471c000e28f15373c33559d60e25d
SHA256:	59519819b7d8381418c3bcc7448c8702e19ca46a65c5e9f6823fce90d9603564
Tags:	AgentTeslaexescr
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

0e46.scr.exe (PID: 652 cmdline: "C:\Users\user\Desktop\0e46.scr.exe" MD5: 77DCF984A36098A6E855C54FA36CD5F7)

0e46.scr.exe (PID: 940 cmdline: "C:\Users\user\Desktop\0e46.scr.exe" MD5: 77DCF984A36098A6E855C54FA36CD5F7)

chrome.exe (PID: 728 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2040,i,3301420170973166231,14062020265948935474,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "cp5ua.hyperhost.ua", "Username": "projectlog@aflacltd.top", "Password": " 7213575aceACE@#  "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2002461828.00000000054B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x64c6b:$x1: In$J$ct0r
00000001.00000002.3250604761.0000000002469000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3250604761.000000000243E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.3250604761.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3250604761.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 0e46.scr.exe PID: 652	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0e46.scr.exe PID: 652	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 0e46.scr.exe PID: 652	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 0e46.scr.exe PID: 940	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0e46.scr.exe PID: 940	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.0e46.scr.exe.402a420.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0e46.scr.exe.402a420.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0e46.scr.exe.402a420.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31719:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3178b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31815:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31911:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31983:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a19:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31aa9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0e46.scr.exe.3fef9f0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0e46.scr.exe.3fef9f0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0e46.scr.exe.3fef9f0.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31719:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3178b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31815:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31911:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31983:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a19:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31aa9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.0e46.scr.exe.500000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.0e46.scr.exe.500000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.0e46.scr.exe.500000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33519:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33615:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33711:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33783:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33819:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0e46.scr.exe.54b0000.5.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x64c6b:$x1: In$J$ct0r
0.2.0e46.scr.exe.3f0dd90.2.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x64c6b:$x1: In$J$ct0r
0.2.0e46.scr.exe.3f0dd90.2.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x62e6b:$x1: In$J$ct0r
0.2.0e46.scr.exe.54b0000.5.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0x62e6b:$x1: In$J$ct0r
0.2.0e46.scr.exe.402a420.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0e46.scr.exe.402a420.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0e46.scr.exe.402a420.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33519:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd39:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ddab:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33615:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de35:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6dec7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33711:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6df31:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33783:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6dfa3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33819:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e039:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338a9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e0c9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0e46.scr.exe.3fef9f0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0e46.scr.exe.3fef9f0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.0e46.scr.exe.3fef9f0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33519:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6df49:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8769:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dfbb:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa87db:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33615:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e045:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8865:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e0d7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa88f7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33711:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e141:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8961:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33783:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e1b3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa89d3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33819:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e249:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a69:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.0e46.scr.exe.2eb1ba0.1.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xc9890:$x1: In$J$ct0r 0xcb544:$a1: WriteProcessMemory 0xcb5d0:$a1: WriteProcessMemory 0xcb6a4:$a4: VirtualAllocEx 0xcb8c8:$a4: VirtualAllocEx 0xcb948:$a4: VirtualAllocEx 0xe4a4:$s3: net.pipe 0xc9b38:$s3: net.pipe 0xc9b58:$s4: vsmacros
0.2.0e46.scr.exe.2eaf360.0.raw.unpack	MALWARE_Win_DLInjector02	Detects downloader injector	ditekSHen	0xcc0d0:$x1: In$J$ct0r 0xcdd84:$a1: WriteProcessMemory 0xcde10:$a1: WriteProcessMemory 0xcdee4:$a4: VirtualAllocEx 0xce108:$a4: VirtualAllocEx 0xce188:$a4: VirtualAllocEx 0x10ce4:$s3: net.pipe 0xcc378:$s3: net.pipe 0xcc398:$s4: vsmacros
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 91.235.128.141, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\0e46.scr.exe, Initiated: true, ProcessId: 940, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp5ua.hyperhost.ua", "Username": "projectlog@aflacltd.top", "Password": " 7213575aceACE@# "}

Multi AV Scanner detection for submitted file

Source: 0e46.scr.exe	Virustotal: Detection: 70%			Perma Link
Source: 0e46.scr.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: 0e46.scr.exe

Joe Sandbox ML: detected

Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en	HTTP Parser: No favicon
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en	HTTP Parser: No favicon
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en	HTTP Parser: No favicon

Source: 0e46.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49725 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.247.96.147:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.247.96.147:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49742 version: TLS 1.2

Source: 0e46.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: 0e46.scr.exe, 00000000.00000002.2003160997.0000000005590000.00000004.08000000.00040000.00000000.sdmp, 0e46.scr.exe, 00000000.00000002.2001431433.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 91.235.128.141:587

Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 91.235.128.141 91.235.128.141

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 91.235.128.141:587

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49725 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 72.247.96.147
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dg+uS4uaRpFXHHv&MD=p8faHFV4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1Host: ogs.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dg+uS4uaRpFXHHv&MD=p8faHFV4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=513=EYr6cnrRAAEbx9B9S_C9cajnLlaQBUmKFyzMrUZBAei_V9LOYiMmisV7U6YkKONCPJujzzrOGtgJy-9KwtEqX54XUPzbdgb3ce54RAyN2Dm9W0bQ1cITNvw07xv6LQ9qFjNMhp5tHHb8WTnaZfrfWxGxfg3yeVVD9myKTJFBkTU

Source: global traffic	DNS traffic detected: DNS query: cp5ua.hyperhost.ua
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: ogs.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown

HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 787sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Content-Type: text/plain;charset=UTF-8X-Goog-AuthUser: 0sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Origin: https://ogs.google.comX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ogs.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=513=XmH_gibrb4C3PvdgFV5OZbumoUeiL2En-lB_mjdL1cfaDi8oeDU1Od-r8cqdfqnp62p7q5vvXgHyq3CODyYE3k6oDEfBhu8op1NMjAiitcAwEd0n2u33siAF_uBH7vM5Q-64c9VE5vLTbIJZQ3q3pkF8-Rst9oPmLdWSZE3mJSc

Source: 0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp5ua.hyperhost.ua
Source: 0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3253781324.0000000005E82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 0e46.scr.exe, 00000001.00000002.3253781324.0000000005EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3253781324.0000000005E82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: chromecache_77.5.dr	String found in binary or memory: http://www.broofa.com
Source: 0e46.scr.exe, 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: chromecache_90.5.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_90.5.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_90.5.dr, chromecache_77.5.dr	String found in binary or memory: https://apis.google.com
Source: chromecache_81.5.dr	String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_90.5.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_90.5.dr	String found in binary or memory: https://content.googleapis.com
Source: chromecache_90.5.dr	String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_90.5.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_77.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_77.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_77.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_77.5.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_92.5.dr	String found in binary or memory: https://ogs.google.com/
Source: chromecache_92.5.dr	String found in binary or memory: https://ogs.google.com/widget/app/so
Source: chromecache_77.5.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_90.5.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_90.5.dr	String found in binary or memory: https://plus.googleapis.com
Source: 0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: chromecache_92.5.dr	String found in binary or memory: https://ssl.gstatic.com
Source: chromecache_81.5.dr	String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_90.5.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: chromecache_81.5.dr	String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_90.5.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_90.5.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_92.5.dr	String found in binary or memory: https://www.gstatic.com
Source: chromecache_92.5.dr	String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.
Source: chromecache_77.5.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_77.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_77.5.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.247.96.147:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 72.247.96.147:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49742 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, 8WWn.cs	.Net Code: PiOIPdZen
Source: 0.2.0e46.scr.exe.3fef9f0.4.raw.unpack, 8WWn.cs	.Net Code: PiOIPdZen

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.0e46.scr.exe.402a420.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0e46.scr.exe.3fef9f0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.0e46.scr.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0e46.scr.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.0e46.scr.exe.3f0dd90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.0e46.scr.exe.3f0dd90.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.0e46.scr.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0e46.scr.exe.3fef9f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0e46.scr.exe.2eb1ba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.0e46.scr.exe.2eaf360.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000000.00000002.2002461828.00000000054B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen

Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 0_2_0145AA28	0_2_0145AA28
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 0_2_01459150	0_2_01459150
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_0238B06F	1_2_0238B06F
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02384A98	1_2_02384A98
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02383E80	1_2_02383E80
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_0238CE80	1_2_0238CE80
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_023841C8	1_2_023841C8
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02389BF8	1_2_02389BF8
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_0599BCF0	1_2_0599BCF0
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_0599DCF0	1_2_0599DCF0
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_05993F38	1_2_05993F38
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_059956C8	1_2_059956C8
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_05992EE8	1_2_05992EE8
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_05990040	1_2_05990040
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_05998B73	1_2_05998B73
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_05994FE8	1_2_05994FE8
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_05993623	1_2_05993623
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_0238D230	1_2_0238D230

Source: 0e46.scr.exe, 00000000.00000002.2002461828.00000000054B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000000.00000002.2003160997.0000000005590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000000.00000002.2001431433.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000000.00000002.2001431433.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename96d8990f-a506-4040-ac41-4524d69afa68.exe4 vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000000.00000002.2001634046.0000000003EA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename96d8990f-a506-4040-ac41-4524d69afa68.exe4 vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000000.00000000.1994785634.0000000000AC6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedxdiag.exel% vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename96d8990f-a506-4040-ac41-4524d69afa68.exe4 vs 0e46.scr.exe
Source: 0e46.scr.exe, 00000001.00000002.3249010467.00000000004F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 0e46.scr.exe
Source: 0e46.scr.exe	Binary or memory string: OriginalFilenamedxdiag.exel% vs 0e46.scr.exe

Source: 0e46.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.0e46.scr.exe.402a420.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0e46.scr.exe.3fef9f0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.0e46.scr.exe.500000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0e46.scr.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.0e46.scr.exe.3f0dd90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.0e46.scr.exe.3f0dd90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.0e46.scr.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0e46.scr.exe.3fef9f0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0e46.scr.exe.2eb1ba0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.0e46.scr.exe.2eaf360.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000000.00000002.2002461828.00000000054B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector

Source: 0e46.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.0e46.scr.exe.3f0dd90.2.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, G39cBQ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, G39cBQ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, sDtvQjPGfa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, b1PPCKov2KZ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, b1PPCKov2KZ.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.0e46.scr.exe.3f0dd90.2.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.0e46.scr.exe.54b0000.5.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/39@11/7

Source: C:\Users\user\Desktop\0e46.scr.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0e46.scr.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Mutant created: NULL

Source: 0e46.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0e46.scr.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\0e46.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\0e46.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\0e46.scr.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0e46.scr.exe	Virustotal: Detection: 70%
Source: 0e46.scr.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\0e46.scr.exe "C:\Users\user\Desktop\0e46.scr.exe"
Source: C:\Users\user\Desktop\0e46.scr.exe	Process created: C:\Users\user\Desktop\0e46.scr.exe "C:\Users\user\Desktop\0e46.scr.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2040,i,3301420170973166231,14062020265948935474,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\0e46.scr.exe	Process created: C:\Users\user\Desktop\0e46.scr.exe "C:\Users\user\Desktop\0e46.scr.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2040,i,3301420170973166231,14062020265948935474,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\Desktop\0e46.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 0e46.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0e46.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: 0e46.scr.exe

Static PE information: 0xCA00A32F [Sun May 23 23:50:07 2077 UTC]

Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02380600 push eax; ret	1_2_02380712
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02380600 push eax; ret	1_2_02380732
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_023806C8 push eax; ret	1_2_02380702
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02380728 push eax; ret	1_2_02380732
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02380718 push eax; ret	1_2_02380722
Source: C:\Users\user\Desktop\0e46.scr.exe	Code function: 1_2_02380708 push eax; ret	1_2_02380712

Source: 0e46.scr.exe

Static PE information: section name: .text entropy: 7.617251309305968

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 0e46.scr.exe PID: 652, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0e46.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\0e46.scr.exe	Memory allocated: 1450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Memory allocated: 2150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Memory allocated: 23F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Memory allocated: 2150000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe	Window / User API: threadDelayed 1230			Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Window / User API: threadDelayed 7852			Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe TID: 528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99870s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4416	Thread sleep count: 1230 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4416	Thread sleep count: 7852 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99106s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98420s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -98093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -97092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96545s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95994s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe TID: 4068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\0e46.scr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\0e46.scr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99870	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99106	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98753	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98640	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98420	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97203	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 97092	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96984	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96875	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96765	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96656	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96545	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96437	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96328	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95994	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95890	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95343	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95219	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\0e46.scr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0e46.scr.exe, --.cs	Reference to suspicious API methods: _FFFDt_26CA.OpenProcess(_06DA_FFFD, _FFFD_FFFDZ_FFFD, _FFFD_06DA_FFFD)
Source: 0e46.scr.exe, ---.cs	Reference to suspicious API methods: _FFFDt_26CA.GetAsyncKeyState(16)
Source: 0e46.scr.exe, R-.cs	Reference to suspicious API methods: _FFFDt_26CA.MapVirtualKey(i_FFFD.union.keyboardInput.wVk, 0)
Source: 0.2.0e46.scr.exe.5590000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.0e46.scr.exe.5590000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.0e46.scr.exe.5590000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\0e46.scr.exe

Memory written: C:\Users\user\Desktop\0e46.scr.exe base: 500000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Process created: C:\Users\user\Desktop\0e46.scr.exe "C:\Users\user\Desktop\0e46.scr.exe"

Jump to behavior

Source: 0e46.scr.exe	Binary or memory string: Progman
Source: 0e46.scr.exe	Binary or memory string: IsProgmanWindow
Source: 0e46.scr.exe	Binary or memory string: tUser32FocusedMenuhwndMenuhMenuNonClientSysMenuRawTextRange_ScrollIntoViewRawScrollItemPattern_ScrollIntoViewget_CurrentViewRawMultipleViewPattern_SetCurrentViewget_Rowget_WindowIsKnownBadWindowRawUiaEventAddWindowGetFirstOrLastOwnedWindowGetFocusedWindowRawUiaEventRemoveWindowFindModalWindowIsTopLevelWindowIsProgmanWindowIsTransformPatternWindowIsWindowPatternWindowGetDesktopWindowIsWindowSwitchToThisWindowGetWindowGetModuleFileNameExpt_xdxCZGwDCEsywxZZUZfkyhhxget_LabeledBypt_yInitializeArrayToArrayToCharArrayPropertyArrayToIntArrayConvertToElementArraydyIsExtendedKeyMapVirtualKeyVirtualKeyFromKeyget_AcceleratorKeyget_AccessKeyRegisterHotKeyUnregisterHotKeyget_AssemblyGetExecutingAssemblyRegisterClientSideProviderAssemblyGetAssemblyRegisterProxyAssemblyget_IsReadOnlyRaiseEventInThisClientOnlyIndexOfAnyOnEventObjectDestroyCopyget_NonClientMenuBarProxyFactoryget_NonClientProxyFactoryget_User32FocusedMenuProxyFactoryget_NonClientSysMenuProxyFactoryGetProxyFromEntryDictionaryEntryop_Equalityop_InequalityAccessibilitySystem.Securityget_EmptyIsNullOrEmptyget_IsEmptyget_PropertyRuntimeIdPropertyFrameworkIdPropertyAutomationIdPropertyProcessIdPropertyIsEnabledPropertyIsSelectionRequiredPropertyIsSelectedPropertyContainingGridPropertyIsPasswordPropertyLargeChangePropertySmallChangePropertyIsGridPatternAvailablePropertyIsInvokePatternAvailablePropertyIsTablePatternAvailablePropertyIsTogglePatternAvailablePropertyIsExpandCollapsePatternAvailablePropertyIsRangeValuePatternAvailablePropertyIsValuePatternAvailablePropertyIsDockPatternAvailablePropertyIsScrollPatternAvailablePropertyIsGridItemPatternAvailablePropertyIsTableItemPatternAvailablePropertyIsScrollItemPatternAvailablePropertyIsSelectionItemPatternAvailablePropertyIsTransformPatternAvailablePropertyIsSelectionPatternAvailablePropertyIsTextPatternAvailablePropertyIsMultipleViewPatternAvailablePropertyIsWindowPatternAvailablePropertyVerticallyScrollablePropertyHorizontallyScrollablePropertyIsKeyboardFocusablePropertyNativeWindowHandlePropertyBoundingRectanglePropertyCanSelectMultiplePropertyClassNamePropertyLocalizedControlTypePropertyItemTypePropertyCulturePropertyToggleStatePropertyExpandCollapseStatePropertyWindowVisualStatePropertyWindowInteractionStatePropertyCanRotatePropertyValuePropertyCanMovePropertyVerticalViewSizePropertyHorizontalViewSizePropertyCanMinimizePropertyCanMaximizePropertyCanResizePropertyIsModalPropertyIsRequiredForFormPropertyMinimumPropertyMaximumPropertyColumnSpanPropertyRowSpanPropertyIsOffscreenPropertyColumnPropertyAutomationPropertyOrientationPropertySelectionPropertyDockPositionPropertySelectionContainerPropertyRowOrColumnMajorPropertyHasPropertyColumnHeaderItemsPropertyRowHeaderItemsPropertyColumnHeadersPropertyRowHeadersPropertyHasKeyboardFocusPropertyItemStatusPropertySupportedViewsPropertyVerticalScrollPercentPropertyHorizontalScrollPercentPropertyIsControlElementPropertyIsContentElementPropertyClickablePointPropertyColumnCountPropertyRowCountPropertyIsTopmostPropert

Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Users\user\Desktop\0e46.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Users\user\Desktop\0e46.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0e46.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.0e46.scr.exe.402a420.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.3fef9f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.0e46.scr.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.3fef9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3250604761.0000000002469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3250604761.000000000243E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3250604761.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0e46.scr.exe PID: 652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0e46.scr.exe PID: 940, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\0e46.scr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\0e46.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\0e46.scr.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\0e46.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\0e46.scr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.0e46.scr.exe.402a420.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.3fef9f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.0e46.scr.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.3fef9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3250604761.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0e46.scr.exe PID: 652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0e46.scr.exe PID: 940, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.0e46.scr.exe.402a420.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.3fef9f0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.0e46.scr.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.402a420.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0e46.scr.exe.3fef9f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3250604761.0000000002469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3250604761.000000000243E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3250604761.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0e46.scr.exe PID: 652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0e46.scr.exe PID: 940, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	112 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0e46.scr.exe	71%	Virustotal		Browse
0e46.scr.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.FormBook
0e46.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.broofa.com	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://csp.withgoogle.com/csp/lcreport/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cp5ua.hyperhost.ua	91.235.128.141	true	false	high
plus.l.google.com	142.251.40.46	true	false	high
www3.l.google.com	142.250.72.142	true	false	high
play.google.com	142.250.189.14	true	false	high
www.google.com	172.217.14.68	true	false	high
ogs.google.com	unknown	unknown	false	high
apis.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://www.google.com/async/ddljson?async=ntp:2	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en	false	high
https://www.google.com/async/newtab_promos	false	high
https://play.google.com/log?format=json&hasfast=true&authuser=0	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://ogs.google.com/	chromecache_92.5.dr	false		high
https://play.google.com/log?format=json&hasfast=true	chromecache_77.5.dr	false		high
https://sectigo.com/CPS0	0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.broofa.com	chromecache_77.5.dr	false	URL Reputation: safe	unknown
https://account.dyn.com/	0e46.scr.exe, 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp, 0e46.scr.exe, 00000001.00000002.3249400772.0000000000786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://csp.withgoogle.com/csp/lcreport/	chromecache_90.5.dr	false	URL Reputation: safe	unknown
https://apis.google.com/js/api.js	chromecache_81.5.dr	false		high
https://www.google.com/log?format=json&hasfast=true	chromecache_81.5.dr	false		high
http://cp5ua.hyperhost.ua	0e46.scr.exe, 00000001.00000002.3250604761.0000000002446000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	chromecache_90.5.dr, chromecache_77.5.dr	false		high
https://ogs.google.com/widget/app/so	chromecache_92.5.dr	false		high
https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1	chromecache_90.5.dr	false		high
https://domains.google.com/suggest/flow	chromecache_90.5.dr	false		high
https://clients6.google.com	chromecache_90.5.dr	false		high
https://plus.google.com	chromecache_90.5.dr	false		high
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=	chromecache_81.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.68.110	unknown	United States	15169	GOOGLEUS	false
172.217.14.68	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
91.235.128.141	cp5ua.hyperhost.ua	Ukraine	15626	ITLASUA	false
142.250.72.142	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.189.14	play.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436303
Start date and time:	2024-05-04 10:02:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0e46.scr.exe renamed because original name is a hash value
Original Sample Name:	.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/39@11/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 61 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.72.163, 142.251.40.46, 74.125.137.84, 34.104.35.123, 23.206.229.76, 142.250.217.131, 199.232.214.172, 192.229.211.108, 142.251.40.35, 142.250.176.3, 142.250.188.227, 142.250.72.131, 172.217.14.110
Excluded domains from analysis (whitelisted): www.bing.com, clients1.google.com, ssl.gstatic.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:02:51	API Interceptor	45x Sleep call for process: 0e46.scr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	#U00d6deme tavsiyesi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W32.Tfr.F.tr.27075.5245.exe	Get hash	malicious	Unknown	Browse
	SW3uxM7BXI.exe	Get hash	malicious	RedLine	Browse
91.235.128.141	Payment-Advice00899383-PDF.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	yMHzNMo3xY.exe	Get hash	malicious	AgentTesla	Browse
	Payment Slip05042024.exe	Get hash	malicious	AgentTesla	Browse
	iiafzj49BP.exe	Get hash	malicious	AgentTesla	Browse
	DHL Shipping notification-PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SWIFT MESAJI_PDF.exe	Get hash	malicious	AgentTesla	Browse
	soya crypted.exe	Get hash	malicious	AgentTesla	Browse
	dekont_html.exe	Get hash	malicious	AgentTesla	Browse
	[#Uc5d0#Uc2a4#Ud53c#Ucf00#Uc774-220620]#Uacac#Uc801#Uc11c.scr.exe	Get hash	malicious	AgentTesla	Browse
	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_PDF.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cp5ua.hyperhost.ua	Payment-Advice00899383-PDF.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	91.235.128.141
	yMHzNMo3xY.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	Payment Slip05042024.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	iiafzj49BP.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	DHL Shipping notification-PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	91.235.128.141
	SWIFT MESAJI_PDF.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	soya crypted.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	dekont_html.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	[#Uc5d0#Uc2a4#Ud53c#Ucf00#Uc774-220620]#Uacac#Uc801#Uc11c.scr.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	F#U0130YAT TEKL#U0130F #U0130STE#U011e#U0130_PDF.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
plus.l.google.com	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	142.250.176.14
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.217.12.142
	#U00d6deme tavsiyesi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	142.250.72.142
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	142.250.68.46
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	142.250.72.142
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse	142.250.68.14
	SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe	Get hash	malicious	Unknown	Browse	142.250.72.174
	SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe	Get hash	malicious	Unknown	Browse	142.250.188.238
	SecuriteInfo.com.W32.Tfr.F.tr.27075.5245.exe	Get hash	malicious	Unknown	Browse	142.250.68.78
	SW3uxM7BXI.exe	Get hash	malicious	RedLine	Browse	142.250.72.238

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLASUA	Payment-Advice00899383-PDF.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	91.235.128.141
	IMG_50541_1030_601.exe	Get hash	malicious	Unknown	Browse	5.34.182.232
	IMG#5017316.exe	Get hash	malicious	Unknown	Browse	5.34.182.232
	IMG_50541_1030_601.exe	Get hash	malicious	Unknown	Browse	5.34.182.232
	IMG#5017316.exe	Get hash	malicious	Unknown	Browse	5.34.182.232
	uXUrccWxXO.elf	Get hash	malicious	Unknown	Browse	217.12.214.75
	yMHzNMo3xY.exe	Get hash	malicious	AgentTesla	Browse	91.235.128.141
	copy#10476235.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.34.182.232
	Receipt_681002.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer	Browse	5.34.182.232
	SecuriteInfo.com.Win32.RansomX-gen.10689.14408.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	5.34.182.232

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.1.237.91
	#U00d6deme tavsiyesi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	23.1.237.91
	SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://xdywna.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://portal.cpscompressors.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	4iVYDe0VaY.dll	Get hash	malicious	Latrodectus	Browse	23.1.237.91
	GLKJoBXIVE.dll	Get hash	malicious	Latrodectus	Browse	23.1.237.91
	MODULO_RIMBORSO_AGENZIA_ENTRATE.PDF.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://url.us.m.mimecastprotect.com/s/rYQHCYEBgkHWJjw3h0H9oU?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	#U00d6deme tavsiyesi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	E7236252-receipt.vbs	Get hash	malicious	XWorm	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	4365078236450.LnK.lnk	Get hash	malicious	Unknown	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	Pedido-Faturado-398731.msi	Get hash	malicious	Unknown	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	SecuriteInfo.com.Win32.Dropper-CHS.435.30054.exe	Get hash	malicious	Unknown	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	SecuriteInfo.com.W32.A-62389890.Eldorado.13265.15378.exe	Get hash	malicious	Unknown	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	SecuriteInfo.com.W32.Tfr.F.tr.27075.5245.exe	Get hash	malicious	Unknown	Browse	40.127.169.103 40.68.123.157 72.247.96.147
	SW3uxM7BXI.exe	Get hash	malicious	RedLine	Browse	40.127.169.103 40.68.123.157 72.247.96.147

Process:	C:\Users\user\Desktop\0e46.scr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	706
Entropy (8bit):	5.349842958726647
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M9XKbbDLI4MWuPJKAVKhat92n4M6:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84j
MD5:	9BA266AD16952A9A57C3693E0BCFED48
SHA1:	5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5
SHA-256:	A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
SHA-512:	678E1F639379FC24919B7CF562FA19CE53363CBD4B0EAB66486F6F8D5DD5958DE3AAE8D7842EE868EFCC39D907FDC1A3ACF464E29D37B0DAEE9874C39730FE8E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 07:03:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.976485821189073
Encrypted:	false
SSDEEP:	48:8vDOdaTm6AHMidAKZdA19ehwiZUklqehHy+3:8zrLoy
MD5:	59ABD2A0D3645C471310BC2A7CCA67EF
SHA1:	F200F3D9AF3696CDCE96542D0D3401F6D3DCB68B
SHA-256:	F0B0235DF9F502CDD7177871CC0C565F13561E393021AE60A9F2CFE164700723
SHA-512:	C344B261D2467E4B1D9BD7C3AB09F4AE16DDC1B53054B971016AECF84DC1D2B9E99F717B861D93972D651FCCF3308AB5502F283447E8E6417860B1381FA59F64
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....,.......N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xc@....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xc@....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xc@....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xc@..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xg@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........g.?......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 07:03:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.988111688065726
Encrypted:	false
SSDEEP:	48:8vDOdaTm6AHMidAKZdA1weh/iZUkAQkqehYy+2:8zr59Qdy
MD5:	2485849E26F7860F084610D9E96C93E3
SHA1:	6B6C1CF4B4686027D78CD7041DAE290FCD3B7757
SHA-256:	3003404AF924A041F900B3FD0C3D71D7E3FD7DDEEB43445C6DDD19113442C4FC
SHA-512:	6C4AD0B69ABAF1D0AE94A79D0B3E5FA725A448B0BC4DA9EE4C71F4C0FE3B89EF94727126E894638839ECCF8AC8A590134F41DCAA948B75A55D3B5D873B7BB234
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......s.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xc@....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xc@....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xc@....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xc@..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xg@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........g.?......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.001235663210138
Encrypted:	false
SSDEEP:	48:8xGDOdaTm6sHMidAKZdA14tseh7sFiZUkmgqeh7s2y+BX:8x0r1nky
MD5:	D2DAE52A258DAA7C755CD1CCCEA86B81
SHA1:	5DBF53FAA090AA07A85A330E1C9A109910A8BE52
SHA-256:	A3C63C62B0FF890FF27BA2B56C40FF6F8B4696EF34EAE50975C0F1CD5B8BEFBA
SHA-512:	D4F185B1273EB604A204F559199ACD9D527A2DC5CA2C516881A1F7E207A54CCA1AADDFC7D1D38D1EE659EB68A3E51F896D00D32592A5B7022EA0530F250A6319
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xc@....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xc@....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xc@....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xc@..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........g.?......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 07:03:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9888283443634296
Encrypted:	false
SSDEEP:	48:8+DOdaTm6AHMidAKZdA1vehDiZUkwqehcy+R:8srauy
MD5:	5095B9BF1547540B171EB54616117131
SHA1:	4573A6653265529BEEC508F1E5BB4A7B9C04B343
SHA-256:	8793FDC4498CAC4606FCDA2970CB2CA8B3A2BB742C3EFD0DB58A6F723AF6EF53
SHA-512:	EDCDF682F6B57123EF33894FA51568656179002289C51F21E3EF9565BB09725CB92F8CAF9DAF9F2AB0F001324BDE3EC36ED4176CED9EF217E22D1BA2AA1951FC
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......l.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xc@....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xc@....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xc@....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xc@..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xg@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........g.?......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 07:03:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.977643732114216
Encrypted:	false
SSDEEP:	48:8CDOdaTm6AHMidAKZdA1hehBiZUk1W1qehyy+C:8Ira9Sy
MD5:	F3D509CDFEA9DD0EF6BC60A98664C3CD
SHA1:	8D5C1E602CFB817116A701986ED91F925222D92E
SHA-256:	A1CC217FD603C3EEB8B8B2F68F5EB915A0572F73A068F6FD2465412AC504E4CF
SHA-512:	1067ECE1CB5E02AE7E8E2B25B6B8E248178A56599B3731758E945D0CDE1B53111FEEA897F3BD145EAD8826A8FED79F6CC11736C3B702B13DB4928540CC59C60F
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,......z.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xc@....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xc@....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xc@....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xc@..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xg@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........g.?......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat May 4 07:03:12 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.989435731293536
Encrypted:	false
SSDEEP:	48:88DOdaTm6AHMidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbky+yT+:8SrkT/TbxWOvTbky7T
MD5:	DE5458475BBD4CFE9BA03C6C2743537D
SHA1:	D6105AFF28A7C883182BBC978AB4BD6943514D3C
SHA-256:	19A5934F957A35461891CF40ACFBD17B5D9F371D4E35F2B34344D5B3965932D4
SHA-512:	A6AEF4E2DA2432C7F73AFDC4939E91D29CBA586A82E1D6550569F59AC4C0AB0851BF1C17B090BCBC2FA8E3A1204530DFF55E9C018EAFF42B5EBA9F8EFF5A9E54
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....v$`.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.Xc@....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Xc@....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Xc@....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Xc@..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Xg@...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........g.?......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 76

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1657)
Category:	downloaded
Size (bytes):	264743
Entropy (8bit):	5.479126042995795
Encrypted:	false
SSDEEP:	3072:XdPMHc2NQzfk5eINolYDt6QYGfOvNoK42TCboc:yNQz4NolQwQz2lVZmboc
MD5:	951F5CB1728D3C62E6006801A61D2BE3
SHA1:	3B9B0CD9203226263F8E32B336ADC5532E54A308
SHA-256:	A50889187D77C8E3E0439A0D5C155159EAA7A3DBEC35111D7131EC88C0A228F7
SHA-512:	E030EBF4A1683F176C1873DAD0B717D307253CC0EA1D40BF39F22E3B95C71FCD58907A6B1DFE9F9740FBE1303C59DF1FE70E4B102BFA86269EC49AAA29664FB8
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQM/d=1/exm=_b,_tp/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHsB0Pas7nSw8Vhs7WLnzEaRZWd_gA/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=ws9Tlc,n73qwf,GkRiKb,e5qFLc,IZT63,UUJqVe,O1Gjze,byfTOb,lsjVmc,xUdipf,OTA3Ae,COQbmf,fKUV3e,aurFic,U0aPgd,ZwDk9d,V3dDOb,mI3LFb,aDfbSd,O6y8ed,PrPYRd,MpJwZc,LEikZe,NwH0H,OmgaI,lazG7b,XVMNvd,L1AAkb,KUM7Z,Mlhmy,s39S4,lwddkf,gychg,w9hDv,EEDORb,RMhBfe,SdcwHb,aW3pY,pw70Gc,EFQ78c,Ulmmrd,ZfAoz,mdR7q,wmnU7d,xQtZb,JNoxi,kWgXee,MI6k7c,kjKdXe,BVgquf,QIhFr,ovKuLd,hKSk3e,yDVVkb,hc6Ubd,SpsfSb,KG2eXe,Z5uLle,MdUzUe,VwDzFe,zbML3c,A7fCU,zr1jrb,Uas9Hd,pjICDe"
Preview:	"use strict";_F_installCss(".KL4X6e{background:#eee;bottom:0;left:0;opacity:0;position:absolute;right:0;top:0}.TuA45b{opacity:.8}sentinel{}");.this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{.var Ky;_.Cy=function(a,b,c,d,e,f,g){a=a.ua;var h=(0,_.Wc)(a);_.lc(h);b=_.rd(a,h,c,b,2,f,!0);c=null!=d?d:new c;if(g&&("number"!==typeof e\|\|0>e\|\|e>b.length))throw Error();void 0!=e?b.splice(e,g,c):b.push(c);(0,_.jc)(c.ua)&2?(0,_.gk)(b,8):(0,_.gk)(b,16)};_.Qr.prototype.Mb=_.ca(28,function(){if(0<this.ub.length){var a=this.ub[0];if("textContent"in a)return(0,_.Eh)(a.textContent);if("innerText"in a)return(0,_.Eh)(a.innerText)}return""});._.Qr.prototype.kc=_.ca(27,function(){return 0==this.ub.length?null:new _.M(this.ub[0])});_.M.prototype.kc=_.ca(26,function(){return this});_.Qr.prototype.Ka=_.ca(25,function(){return this.ub.length?this.ub[0]:null});_.M.prototype.Ka=_.ca(24,function(){return this.ub[0]});_.Dy=function(a,b,c){if(!b&&!c)return null;var

Chrome Cache Entry: 77

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2294)
Category:	downloaded
Size (bytes):	163286
Entropy (8bit):	5.544045381504343
Encrypted:	false
SSDEEP:	3072:CMiFOP4roKgkk/EFZMQbxjZW1BKo6JMI6l0nt8Uv1ziwtXOmDsY+WwYLF/HrY7+A:CMiroKfbMQbxjZW1BKo6JMI6l0nt8Uvq
MD5:	9D9987F6E83F101A097A0BD64A14C71B
SHA1:	E71E10897E0E874DE4D12125D5DF2F7FCE08F585
SHA-256:	D0975FC00A61201A54714BE8DF5E50F02B277E133BA08ABD9DEEA33934FA28A9
SHA-512:	5AE557145F0E0FF3E768AFC63B3E4855F53DCA49D46A22ACB169CC6DC58FF2B11C776B419141EB12C8B0CF7BBD16E928F9EE5AF5014DD976130B00A1995B325E
Malicious:	false
Reputation:	moderate, very likely benign file
URL:	"https://www.gstatic.com/og/_/js/k=og.qtm.en_US.Ics7SFQVxbg.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTtpRznzVJk75Y4TcT-zpGGUjebtAg"
Preview:	this.gbar_=this.gbar_\|\|{};(function(_){var window=this;.try{._.cj=function(a,b,c){return c?a\|b:a&~b};_.dj=function(a,b,c,d){a=_.jb(a,b,c,d);return Array.isArray(a)?a:_.kc};_.ej=function(a,b){a=_.cj(a,2,!!(2&b));a=_.cj(a,32,!0);return a=_.cj(a,2048,!1)};_.fj=function(a,b){0===a&&(a=_.ej(a,b));return a=_.cj(a,1,!0)};_.gj=function(a){return!!(2&a)&&!!(4&a)\|\|!!(2048&a)};_.hj=function(a,b,c){32&b&&c\|\|(a=_.cj(a,32,!1));return a};._.ij=function(a,b,c,d,e,f){var g=!!(2&b),h=g?1:2;const k=1===h;h=2===h;e=!!e;f&&(f=!g);g=_.dj(a,b,d);var l=g[_.v]\|0;const n=!!(4&l);if(!n){l=_.fj(l,b);var p=g,t=b,r;(r=!!(2&l))&&(t=_.cj(t,2,!0));let B=!r,aa=!0,K=0,F=0;for(;K<p.length;K++){const ba=_.Ua(p[K],c,t);if(ba instanceof c){if(!r){const Ca=!!((ba.ka[_.v]\|0)&2);B&&(B=!Ca);aa&&(aa=Ca)}p[F++]=ba}}F<K&&(p.length=F);l=_.cj(l,4,!0);l=_.cj(l,16,aa);l=_.cj(l,8,B);_.ya(p,l);r&&Object.freeze(p)}c=!!(8&l)\|\|k&&!g.length;if(f&&!c){_.gj(l)&&(g=_.xa(g),.l=_.ej(l,b),b=_.ib(a,b,d,g));f=g;c=l;for(p=0;p<f.length;p++)l=f[p],t=_

Chrome Cache Entry: 78

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (814)
Category:	downloaded
Size (bytes):	819
Entropy (8bit):	5.11320768925757
Encrypted:	false
SSDEEP:	24:tNi8xXJkXRMN0GBaBHslgT9lCuABuoB7eHHHHHYqmffffffo:tNi8xXJ3eGoKlgZ01BuSvqmffffffo
MD5:	9F7DFE32AF79D1BCB335AEB18EA88923
SHA1:	2CDD844795A521BC02FAE6D6F36F8FC1C6FD0174
SHA-256:	D1ACFF199C5949F2C139FFCEB6B8868A514D391C32B019DACBF64C6084DA0ABD
SHA-512:	374B820EBD7354825F6CCB31A0D5C14DB6F3BF3E8CED349467D0E0C4B5420063EA59FEC9DDA9CF3007C6195A90455D70A35E9DB6CD2A91D9C80E5743B78404D5
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["luis arraez san diego padres","lucha libre loot rewards monopoly go","apex legends playoffs","wisconsin elementary school teacher","national nurses week discounts","severance release date","tennessee baseball florida","the bold and the beautiful spoilers"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362,10],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2956)
Category:	downloaded
Size (bytes):	18834
Entropy (8bit):	5.407489764960331
Encrypted:	false
SSDEEP:	384:aRFPTuu4q5oOTm1j8B0K5WXv/8bU2wnO/mgzI4QSIZ0n9vDBTTY0TXCnh/9Clf9c:a/Tuu4q5oOTLB0K5WXv/8bU2wnO/mgze
MD5:	676CD2F5702D832A1E3E2F08257FEB37
SHA1:	1019B84107A8F84A77A651BDCBE0A7F425DE3661
SHA-256:	F58B6E0D4393A8BB15423EC49867875FB38EB820E0A7D13A7E80F4DCE7EB342E
SHA-512:	FF43FA6A37CE55F660052AE71F9301064638BC6D14F0DE8161E3E4E9C66D7CC5BE72D752540031BFF801228F905DDBA515DFAE15DFC6AAAC0654691C2A0AE365
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQM/d=1/exm=A7fCU,BVgquf,COQbmf,EEDORb,EFQ78c,GkRiKb,IZT63,JNoxi,KG2eXe,KUM7Z,L1AAkb,LEikZe,MI6k7c,MdUzUe,Mlhmy,MpJwZc,NwH0H,O1Gjze,O6y8ed,OTA3Ae,OmgaI,PrPYRd,QIhFr,RMhBfe,SdcwHb,SpsfSb,U0aPgd,UUJqVe,Uas9Hd,Ulmmrd,V3dDOb,VwDzFe,XVMNvd,Z5uLle,ZfAoz,ZwDk9d,_b,_tp,aDfbSd,aW3pY,aurFic,byfTOb,e5qFLc,fKUV3e,gychg,hKSk3e,hc6Ubd,kWgXee,kjKdXe,lazG7b,lsjVmc,lwddkf,mI3LFb,mdR7q,n73qwf,ovKuLd,pjICDe,pw70Gc,s39S4,w9hDv,wmnU7d,ws9Tlc,xQtZb,xUdipf,yDVVkb,zbML3c,zr1jrb/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHsB0Pas7nSw8Vhs7WLnzEaRZWd_gA/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=RqjULd"
Preview:	"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{._.q("RqjULd");.var sha=function(a){if(_.n&&_.n.performance&&_.n.performance.memory){var b=_.n.performance.memory;if(b){var c=new cF;isNaN(b.jsHeapSizeLimit)\|\|_.ae(c,1,_.Ec(Math.round(b.jsHeapSizeLimit).toString()));isNaN(b.totalJSHeapSize)\|\|_.ae(c,2,_.Ec(Math.round(b.totalJSHeapSize).toString()));isNaN(b.usedJSHeapSize)\|\|_.ae(c,3,_.Ec(Math.round(b.usedJSHeapSize).toString()));_.sk(a,cF,1,c)}}},tha=function(a){if(dF()){var b=performance.getEntriesByType("navigation");if(b&&b.length){var c=new eF;if(b=b[0]){switch(b.type){case "navigate":c.tg(1);.break;case "reload":c.tg(2);break;case "back_forward":c.tg(3);break;case "prerender":c.tg(4);break;default:c.tg(0)}var d=_.Gk(c,2,Math.round(b.startTime));d=_.Gk(d,3,Math.round(b.fetchStart));d=_.Gk(d,4,Math.round(b.domainLookupStart));d=_.Gk(d,5,Math.round(b.domainLookupEnd));d=_.Gk(d,6,Math.round(b.connectStart));d=_.Gk(d,7,Math.ro

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	137432
Entropy (8bit):	7.981759932974614
Encrypted:	false
SSDEEP:	3072:SWkkEsWBwvkw/2i4fhpATVmE6383x4L6EWL3UQ7lE7sPE:SVAwwswerUv3S4nhdPE
MD5:	387ED93F42803B1EC6697E3B57FBCEF0
SHA1:	2EA8A5BFBF99144BD0EBAEBE60AC35406A8B613E
SHA-256:	982AAC952E2C938BD55550D0409ECE5F4430D38F370161D8318678FA25316587
SHA-512:	7C90F69A53E49BAD03C4CEFD9868B4C4BA145E5738218E8C445FF6AE5347153E3A2F2B918CBE184B0366AFD53B984634D2894FEA6F31A4603E58CCB6BFA5C625
Malicious:	false
URL:	https://ssl.gstatic.com/gb/images/sprites/p_2x_387ed93f4280.png
Preview:	.PNG........IHDR...j...Z.......{.....IDATx...S`......V.4gzl.>.m.m.m.>c......8.J..p....k..i.k...f..v.VeG....V.^,.Y8>..U.(+...fbJ...q.G.kb#.T)F......~..&)+&....'..].~.j5....!.j.<..xJ..&.T91<.......3...\|.4.Uu...c..t..\<#S.........+...M?ew.(....w..h.c.PU.>.C.:.P..Wq...4..[.......k{TG.C.~.$=U..>.....4c+9.s...d.,...h...$.dk..0T3..63$.l.6...O.O..z..J..C...fjZ...i...J..P-T.B5-T..PM..B5-T.B.PM..P-T.B5.].....9...cZ../.b.I....Z..\......^...(..............u.G..O.c.....`k....qx/..U-.U..0.[.:..$.......fx5.l..h..g..O'9..%.E=...x&.P.....?R.\..../.......s.-MU..U..o..Q.1.%.l.gb.....I.zxD..t.&.u[.:R.N..:.d.............].{..z.M..-}Sw@b....[.D..#1$s.I..0..L....I.....i.Z....... MZ...j....i.Z...jZ...i.....jZ...i......z"/...._....q...gU.b.IHO.5....,n........PX..$.._.9(Mw..D../.C......l.....x..Q\|...(..$#../.....GB...7bS..B..G.....Tb.Yx6^.9..C.F..oMrx..p..<N3.=.1...$.....-N.t.jt6..&..J...G..z!..Ff.i...v._..a.....R%I....f....t....._..5.l...A..C.=c(V..)......0$.jg..KT..*E.r

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2200)
Category:	downloaded
Size (bytes):	184069
Entropy (8bit):	5.457765888899575
Encrypted:	false
SSDEEP:	3072:JaXH2HHSBV2qoSKRd8mQ3jfA8j3yViKE5rmVqpzE:fHgxohRdUfFyQKEnpzE
MD5:	92EEFFE57524E80329BE5C39E3442D12
SHA1:	EAA1A2226A503A59A2506BFC5031077DBED51AE1
SHA-256:	A206F391DFA17782AF610C772392E25F2DF7EA947A7CE17B449ACF45DD5BF854
SHA-512:	8B2C2FC7D6A938493A1437B5901A369D228E4AB1183144AF9582301E0C5A7CBE31E7DADF4B51E75ECF113C3D5F2935FD2FAAD6D64F9FA1FC65D06BE5959029B0
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/am=EGDQuQM/d=1/excm=_b,_tp,appwidgetnoauthview/ed=1/dg=0/wt=2/ujg=1/rs=AM-SdHvidsrb0WJIkPFTwXnDxsLdoIl5-Q/m=_b,_tp"
Preview:	"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x39d06010, 0xe, ]);./.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. SPDX-License-Identifier: Apache-2.0././. SPDX-License-Identifier: Apache-2.0././.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT./.var ia,aaa,Ha,caa,Qa,Sa,Ta,Ua,Va,Wa,Xa,ab,daa,eaa,cb,eb,tb,xb,Lb,Nb,Rb,Ub,Wb,gaa,ac,cc,dc,kc,rc,uc,wc,oc,jaa,Fc,Gc,kaa,Nc,laa,Rc,Tc,cd,dd,hd,jd,kd,pd,id,ld,Sc,Cd,Ad,Dd,y,Hd,Kd,raa,saa,taa,uaa,vaa,waa,xaa,yaa,xe,Be,Eaa,Caa,Qe,Ye,Haa,Iaa,$e,of,Maa,Naa,vf,Oaa,Paa,Qaa,Raa,Kf,Lf,Mf,Saa,Taa,Uaa,Vaa,Waa,Xaa,Yaa,$aa,aba,aa,hg,ig,bba,kg,lg,og,cba,tg,ug,vg,fba,gba,Bg,Cg,hba,iba;_.ba=function(a){return function(){return aa[a].apply(this,arguments)}};_.ca=function(a,b){ret

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (736)
Category:	downloaded
Size (bytes):	3505
Entropy (8bit):	5.552095288109031
Encrypted:	false
SSDEEP:	96:86yHtxMPvVSbAtxNYiSJ6vq67pSlIcBfGx:FwIOT6L0IIc
MD5:	6745EB04C880EA1849D0DD81B61F4FE9
SHA1:	EF6EDD0581F24E02C423FBC551B9D9F060F2404C
SHA-256:	F196C197EF86BA3427D8284E2273FE8932BBC2AFF02931E4273F6840927518B2
SHA-512:	7AB9D78668D5E83FBCFF092223379426141EDEDE6088136BD578E86D2E59ACCC2ABF1A86C34001DCB6528E6F735B46816259ED2F4E82D69BA9CCB97DFA42C49A
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQM/d=1/exm=A7fCU,BVgquf,COQbmf,EEDORb,EFQ78c,GkRiKb,IZT63,JNoxi,KG2eXe,KUM7Z,L1AAkb,LEikZe,MI6k7c,MdUzUe,Mlhmy,MpJwZc,NwH0H,O1Gjze,O6y8ed,OTA3Ae,OmgaI,PrPYRd,QIhFr,RMhBfe,RqjULd,SdcwHb,SpsfSb,U0aPgd,UUJqVe,Uas9Hd,Ulmmrd,V3dDOb,VwDzFe,XVMNvd,Z5uLle,ZfAoz,ZwDk9d,_b,_tp,aDfbSd,aW3pY,aurFic,bm51tf,byfTOb,e5qFLc,fKUV3e,gychg,hKSk3e,hc6Ubd,kWgXee,kjKdXe,lazG7b,lsjVmc,lwddkf,mI3LFb,mdR7q,n73qwf,ovKuLd,pjICDe,pw70Gc,s39S4,w9hDv,wmnU7d,ws9Tlc,xQtZb,xUdipf,yDVVkb,zbML3c,zr1jrb/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHsB0Pas7nSw8Vhs7WLnzEaRZWd_gA/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:	"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{._.q("Wt6vjf");.var uy=function(a){this.ua=_.x(a,0,uy.ob)};_.G(uy,_.C);uy.prototype.Ya=function(){return _.nk(this,1)};uy.prototype.oc=function(a){_.Fk(this,1,a)};uy.ob="f.bo";var vy=function(){_.ln.call(this)};_.G(vy,_.ln);vy.prototype.mb=function(){this.Fq=!1;wy(this);_.ln.prototype.mb.call(this)};vy.prototype.j=function(){xy(this);if(this.Tj)return yy(this),!1;if(!this.Qr)return zy(this),!0;this.dispatchEvent("p");if(!this.So)return zy(this),!0;this.Nn?(this.dispatchEvent("r"),zy(this)):yy(this);return!1};.var Ay=function(a){var b=new _.mt(a.gx);null!=a.Ip&&b.l.set("authuser",a.Ip);return b},yy=function(a){a.Tj=!0;var b=Ay(a),c="rt=r&f_uid="+_.mi(a.So);_.Qo(b,(0,_.E)(a.l,a),"POST",c)};.vy.prototype.l=function(a){a=a.target;xy(this);if(_.Xo(a)){this.Pm=0;if(this.Nn)this.Tj=!1,this.dispatchEvent("r");else if(this.Qr)this.dispatchEvent("s");else{try{var b=_.Yo(a),c=JSON.pars

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3572), with no line terminators
Category:	downloaded
Size (bytes):	3572
Entropy (8bit):	5.140651484312947
Encrypted:	false
SSDEEP:	48:vZUJVKLICJEconBdpZUvGCUvGULHg7OTehn5hsbrc7g8IO8u0Y8D2n:yJYI/coXqCg7OSfg8IO8uB8D2n
MD5:	122C0858F7D38991F14E5ADC6BDB3C3B
SHA1:	FFC64755EB42990A73C4878426A641CFB94B57EE
SHA-256:	06D1296A6F6611AC795B27882FE88823EE857D0F49F7018CF00C6A199976DC0D
SHA-512:	149A1FB533C8C7D5EA363B80982DC1EC4C39E5EF9BB37E45BC80E105B18C3FA4DC610449BBD70DE9B9AC7339FEBBBD4FF76C2A9D1FD104D1943A386539AC4D44
Malicious:	false
URL:	"https://www.gstatic.com/og/_/ss/k=og.qtm.RS0dNtaZmo0.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTuhe2hCYlalU7rKCW-qT_-zMhVRaw"
Preview:	.gb_2e{background:rgba(60,64,67,.9);-webkit-border-radius:4px;border-radius:4px;color:#fff;font:500 12px "Roboto",arial,sans-serif;letter-spacing:.8px;line-height:16px;margin-top:4px;min-height:14px;padding:4px 8px;position:absolute;z-index:1000;-webkit-font-smoothing:antialiased}.gb_Fc{text-align:left}.gb_Fc>*{color:#bdc1c6;line-height:16px}.gb_Fc div:first-child{color:white}.gb_pa{background:none;border:1px solid transparent;-webkit-border-radius:50%;border-radius:50%;-webkit-box-sizing:border-box;box-sizing:border-box;cursor:pointer;height:40px;margin:8px;outline:none;padding:1px;position:absolute;right:0;top:0;width:40px}.gb_pa:hover{background-color:rgba(68,71,70,.08)}.gb_pa:focus,.gb_pa:active{background-color:rgba(68,71,70,.12)}.gb_pa:focus-visible{border-color:#0b57d0;outline:1px solid transparent;outline-offset:-1px}.gb_i .gb_pa:hover,.gb_i .gb_pa:focus,.gb_i .gb_pa:active{background-color:rgba(227,227,227,.08)}.gb_i .gb_pa:focus-visible{border-color:#a8c7fa}.gb_qa{-webkit-box

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (769)
Category:	downloaded
Size (bytes):	1424
Entropy (8bit):	5.31660097498527
Encrypted:	false
SSDEEP:	24:kWfS+Xg1QmYTY29/RbFTVebYaThG8VgI4+O6tp41SZGbwfKGbeZPx/sMGOwsNEZ9:ZfS+wmmc/bFpw/A8R3fpWgGb+KGbipsZ
MD5:	13D1BE6BC9AA2CA332D553D2D4491DE1
SHA1:	F7E7A540E69006ED7470EB2AED4EF19BE4A1AF0C
SHA-256:	4C205DD66FDACFF32EB2B63273FB74DB1E29DBD5C9B97F0F6641378174257F39
SHA-512:	A1DD99D4ED179D4FA138A7C500589896F3A5DA06758ED72F67D05243519FB5EADF2184D9B67F0F9337FF55B5F5982D93245A8FF41E6F8F1D619CAC8D47C9FF4A
Malicious:	false
URL:	"https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.es5.O/ck=boq-one-google.OneGoogleWidgetUi.tmXdt9lP4MI.L.B1.O/am=EGDQuQM/d=1/exm=A7fCU,BVgquf,COQbmf,EEDORb,EFQ78c,GkRiKb,IZT63,JNoxi,KG2eXe,KUM7Z,L1AAkb,LEikZe,MI6k7c,MdUzUe,Mlhmy,MpJwZc,NwH0H,O1Gjze,O6y8ed,OTA3Ae,OmgaI,PrPYRd,QIhFr,RMhBfe,RqjULd,SdcwHb,SpsfSb,U0aPgd,UUJqVe,Uas9Hd,Ulmmrd,V3dDOb,VwDzFe,XVMNvd,Z5uLle,ZfAoz,ZwDk9d,_b,_tp,aDfbSd,aW3pY,aurFic,byfTOb,e5qFLc,fKUV3e,gychg,hKSk3e,hc6Ubd,kWgXee,kjKdXe,lazG7b,lsjVmc,lwddkf,mI3LFb,mdR7q,n73qwf,ovKuLd,pjICDe,pw70Gc,s39S4,w9hDv,wmnU7d,ws9Tlc,xQtZb,xUdipf,yDVVkb,zbML3c,zr1jrb/excm=_b,_tp,appwidgetnoauthview/ed=1/wt=2/ujg=1/rs=AM-SdHsB0Pas7nSw8Vhs7WLnzEaRZWd_gA/ee=EVNhjf:pw70Gc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:SdcwHb;Me32dd:MEeYgc;NPKaK:SdcwHb;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SNUn3:ZwDk9d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:QIhFr;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:s39S4;oGtAuc:sOXFj;pXdRYb:MdUzUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;wR5FRb:O1Gjze;xqZiqf:wmnU7d;yxTchf:KUM7Z;zxnPse:GkRiKb/m=bm51tf"
Preview:	"use strict";this.default_OneGoogleWidgetUi=this.default_OneGoogleWidgetUi\|\|{};(function(_){var window=this;.try{._.q("bm51tf");.var Uoa=!!(_.Jg[0]>>17&1);var Voa=function(a,b,c,d,e){this.o=a;this.N=b;this.v=c;this.O=d;this.W=e;this.j=0;this.l=tW(this)},Woa=function(a){var b={};_.Da(a.tq(),function(e){b[e]=!0});var c=a.kq(),d=a.mq();return new Voa(a.lq(),1E3c.j(),a.fq(),1E3d.j(),b)},tW=function(a){return Math.random()Math.min(a.NMath.pow(a.v,a.j),a.O)},uW=function(a,b){return a.j>=a.o?!1:null!=b?!!a.W[b]:!0};var vW=function(a){_.Q.call(this,a.oa);this.o=a.service.Jr;this.v=a.service.metadata;a=a.service.ID;this.l=a.o.bind(a)};_.G(vW,_.Q);vW.qa=_.Q.qa;vW.V=function(){return{service:{Jr:_.rW,metadata:_.nW,ID:_.DU}}};vW.prototype.j=function(a,b){if(1!=this.v.getType(a.Cb()))return _.Nn(a);var c=this.o.j;(c=c?Woa(c):null)&&uW(c)?(b=wW(this,a,b,c),a=new _.Mn(a,b,2)):a=_.Nn(a);return a};.var wW=function(a,b,c,d){return c.then(function(e){return e},function(e){if(Uoa)if(e instanceof _.ee)

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	137077
Entropy (8bit):	5.441039560747592
Encrypted:	false
SSDEEP:	1536:jdGuEyfn2zuFRDP6nWysx3DMqPKnrzNSpGiV1p+RHPGb4gujB68jZRLM9rZxMkPr:DVnoap3DTKnrQpG4nQUdut6ZxMkmwXd
MD5:	4630FEC6612229DEAF27D17817739538
SHA1:	031FA6BFD2B255CC17506FF37E30BD97D51BB78F
SHA-256:	DA08B73A6E01EEB45AC75A5AD195797D6C67B20ECFAFCF565232F0D0BE49CF92
SHA-512:	B7695C31BA921CC4D90C648C0B9400B527C2C2B393438DFB85F24335DF688A82A38FA7AC62116D38F719D45090CA8475A0043E11E3777FB957AC479EF9DFC81A
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Qa gb_hb gb_Td gb_nd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Hd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_rd gb_kd gb_xd gb_wd\"\u003e\u003cdiv class\u003d\"gb_qd gb_gd\"\u003e\u003cdiv class\u003d\"gb_Oc gb_q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Oc gb_Rc gb_q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 106 x 5210, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	137432
Entropy (8bit):	7.981759932974614
Encrypted:	false
SSDEEP:	3072:SWkkEsWBwvkw/2i4fhpATVmE6383x4L6EWL3UQ7lE7sPE:SVAwwswerUv3S4nhdPE
MD5:	387ED93F42803B1EC6697E3B57FBCEF0
SHA1:	2EA8A5BFBF99144BD0EBAEBE60AC35406A8B613E
SHA-256:	982AAC952E2C938BD55550D0409ECE5F4430D38F370161D8318678FA25316587
SHA-512:	7C90F69A53E49BAD03C4CEFD9868B4C4BA145E5738218E8C445FF6AE5347153E3A2F2B918CBE184B0366AFD53B984634D2894FEA6F31A4603E58CCB6BFA5C625
Malicious:	false
Preview:	.PNG........IHDR...j...Z.......{.....IDATx...S`......V.4gzl.>.m.m.m.>c......8.J..p....k..i.k...f..v.VeG....V.^,.Y8>..U.(+...fbJ...q.G.kb#.T)F......~..&)+&....'..].~.j5....!.j.<..xJ..&.T91<.......3...\|.4.Uu...c..t..\<#S.........+...M?ew.(....w..h.c.PU.>.C.:.P..Wq...4..[.......k{TG.C.~.$=U..>.....4c+9.s...d.,...h...$.dk..0T3..63$.l.6...O.O..z..J..C...fjZ...i...J..P-T.B5-T..PM..B5-T.B.PM..P-T.B5.].....9...cZ../.b.I....Z..\......^...(..............u.G..O.c.....`k....qx/..U-.U..0.[.:..$.......fx5.l..h..g..O'9..%.E=...x&.P.....?R.\..../.......s.-MU..U..o..Q.1.%.l.gb.....I.zxD..t.&.u[.:R.N..:.d.............].{..z.M..-}Sw@b....[.D..#1$s.I..0..L....I.....i.Z....... MZ...j....i.Z...jZ...i.....jZ...i......z"/...._....q...gU.b.IHO.5....,n........PX..$.._.9(Mw..D../.C......l.....x..Q\|...(..$#../.....GB...7bS..B..G.....Tb.Yx6^.9..C.F..oMrx..p..<N3.=.1...$.....-N.t.jt6..&..J...G..z!..Ff.i...v._..a.....R%I....f....t....._..5.l...A..C.=c(V..)......0$.jg..KT..*E.r

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 15344, version 1.0
Category:	downloaded
Size (bytes):	15344
Entropy (8bit):	7.984625225844861
Encrypted:	false
SSDEEP:	384:ctE5KIuhGO+DSdXwye6i9Xm81v4vMHCbppV0pr3Ll9/w:cqrVO++tw/9CICFbQLlxw
MD5:	5D4AEB4E5F5EF754E307D7FFAEF688BD
SHA1:	06DB651CDF354C64A7383EA9C77024EF4FB4CEF8
SHA-256:	3E253B66056519AA065B00A453BAC37AC5ED8F3E6FE7B542E93A9DCDCC11D0BC
SHA-512:	7EB7C301DF79D35A6A521FAE9D3DCCC0A695D3480B4D34C7D262DD0C67ABEC8437ED40E2920625E98AAEAFBA1D908DEC69C3B07494EC7C29307DE49E91C2EF48
Malicious:	false
URL:	https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2
Preview:	wOF2......;........H..;..........................d..@..J.`..L.T..<.....x.....^...x.6.$..6. ..t. ..I.h\|.l....A....b6........(......@e.]...:..-.0..r.)..hS..h...N.).D.........b.].......^..t?.m{...."84...9......c...?..r3o....}...S]....zbO.../z..{.....~cc....I...#.G.D....#e.A..b...b`a5P.4........M....v4..fI#X.z,.,...=avy..F.a.\9.P\|.[....r.Q@M.I.._.9..V..Q..]......[ {u..L@...]..K......]C....l$.Z.Z...Zs.4........ x.........F.?.7N..].\|.wb\....Z{1L#..t....0.dM...$JV...{..oX...i....6.v.~......)\|.TtAP&).KQ.]y........'...:.d..+..d..."C.h..p.2.M..e,.UP..@.q..7..D.@...,......B.n. r&.......F!.....\...;R.?-.i...,7..cb../I...Eg...!X.)5.Aj7...Ok..l7.j.A@B`".}.w.m..R.9..T.X.X.d....S..`XI..1... .$C.H.,.\. ..A(.AZ.................`Wr.0]y..-..K.1.............1.tBs..n.0...9.F[b.3x...$....T..PM.Z-.N.rS?I.<8eR'.3..27..?;..OLf.Rj.@.o.W...........j~ATA....vX.N:.3dM.r.)Q.B...4i.f..K.l..s....e.U.2...k..a.GO.}..../.'..%$..ed..'..qP....M..j....../.z&.=...q<....-..?.A.%..K..

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1660
Entropy (8bit):	4.301517070642596
Encrypted:	false
SSDEEP:	48:A/S9VU5IDhYYmMqPLmumtrYW2DyZ/jTq9J:A2VUSDhYYmM5trYFw/jmD
MD5:	554640F465EB3ED903B543DAE0A1BCAC
SHA1:	E0E6E2C8939008217EB76A3B3282CA75F3DC401A
SHA-256:	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
SHA-512:	462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
Malicious:	false
URL:	https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2124)
Category:	downloaded
Size (bytes):	121628
Entropy (8bit):	5.506662476672723
Encrypted:	false
SSDEEP:	3072:QI9yvwslCsrCF9f/U2Dj3Fkk7rEehA5L1kx:l9ygsrieDkVaL1kx
MD5:	F46ACD807A10216E6EEE8EA51E0F14D6
SHA1:	4702F47070F7046689432DCF605F11364BC0FBED
SHA-256:	D6B84873D27E7E83CF5184AAEF778F1CCB896467576CD8AF2CAD09B31B3C6086
SHA-512:	811263DC85C8DAA3A6E5D8A002CCCB953CD01E6A77797109835FE8B07CABE0DEE7EB126274E84266229880A90782B3B016BA034E31F0E3B259BF9E66CA797028
Malicious:	false
URL:	"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0"
Preview:	gapi.loaded_0(function(_){var window=this;._._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a\|\|[]};(0,_._F_toggles_initialize)([0x20000, ]);.var ba,ca,da,na,pa,va,wa,za;ba=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};ca="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype\|\|a==Object.prototype)return a;a[b]=c.value;return a};.da=function(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw Error("a");};_.ma=da(this);na=function(a,b){if(b)a:{var c=_.ma;a=a.split(".");for(var d=0;d<a.length-1;d++){var e=a[d];if(!(e in c))break a;c=c[e]}a=a[a.length-1];d=c[a];b=b(d);b!=d&&null!=b&&ca(c,a,{configurable:!0,writable:!0,value:b})}};.na("Symbol",function(a){if(a)re

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1136)
Category:	dropped
Size (bytes):	1555
Entropy (8bit):	5.249530958699059
Encrypted:	false
SSDEEP:	24:hY6svN/6zSU6pedQf3Zvcn1BZdAe1nCr1LTHI5z1sW:3qN/2+pUAew85zf
MD5:	FBE36EB2EECF1B90451A3A72701E49D2
SHA1:	AE56EA57C52D1153CEC33CEF91CF935D2D3AF14D
SHA-256:	E8F2DED5D74C0EE5F427A20B6715E65BC79ED5C4FC67FB00D89005515C8EFE63
SHA-512:	7B1FD6CF34C26AF2436AF61A1DE16C9DBFB4C43579A9499F4852A7848F873BAC15BEEEA6124CF17F46A9F5DD632162364E0EC120ACA5F65E7C5615FF178A248F
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang=en>. <meta charset=utf-8>. <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">. <title>Error 400 (Bad Request)!!1</title>. <style>. {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//ww

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (21071)
Category:	downloaded
Size (bytes):	53486
Entropy (8bit):	5.738025015697146
Encrypted:	false
SSDEEP:	768:22EghhvpugW71C6kKb2aFe04iV6HbWb1puaI1QzFJ/N4Zx5AyvG:w1CLbWvbII1GxHvG
MD5:	1A43E805647D50EAE2087AA180E4FB15
SHA1:	81A772CC83C391C9F0C1F15B76E56106E080723A
SHA-256:	5DDD489EEDACC505DE6F83C6511FE954FB71CE8F73325F15C0483D175F135CD2
SHA-512:	4A73982E4411E75814730F53FBEED2149306BA48E924F4747DBDE5D59E76601E96E572508AC3C8B02E13D8069833EF70DB9FB7BB7754D48CB5BC75D3A5CD9E73
Malicious:	false
URL:	https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en
Preview:	<!doctype html><html lang="en" dir="ltr"><head><base href="https://ogs.google.com/"><link ref="preconnect" href="//www.gstatic.com"><meta name="referrer" content="origin"><link rel="canonical" href="https://ogs.google.com/widget/app/so"><link rel="preconnect" href="https://www.gstatic.com"><link rel="preconnect" href="https://ssl.gstatic.com"><script data-id="_gd" nonce="KFcGgKtP9hp0p4ESjdGrrA">window.WIZ_global_data = {"DpimGf":false,"EP1ykd":["/_/*"],"FdrFJe":"-3514030005099313539","Im6cmf":"/_/OneGoogleWidgetUi","LVIXXb":1,"LoQv7e":true,"MT7f9b":[],"NrSucd":false,"OwAJ6e":false,"QrtxK":"","S06Grb":"","S6lZl":128566913,"TSDtV":"%.@.[[null,[[45459555,null,false,null,null,null,\"Imeoqb\"]],\"CAMSEx0W2eicEJbkAdysuBIIgvnaBgg\\u003d\"]]]","Vvafkd":false,"Yllh3e":"%.@.1714809824311712,174412293,1678503598]","ZwjLXe":243,"cfb2h":"boq_onegooglehttpserver_20240430.01_p1","eptZe":"/_/OneGoogleWidgetUi/","fPDxwd":[48691166,48802160,93880156,97517170],"gGcLoe":false,"nQyAE":{},"qwAQke":"OneGoogl

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.604687554535669
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	0e46.scr.exe
File size:	602'624 bytes
MD5:	77dcf984a36098a6e855c54fa36cd5f7
SHA1:	2fe61c4bbfa471c000e28f15373c33559d60e25d
SHA256:	59519819b7d8381418c3bcc7448c8702e19ca46a65c5e9f6823fce90d9603564
SHA512:	2c09699d9ec30cda9953941af359a96b7e12ff1152106f3d130e82c2a2f39208f658020fe91d75a8fd93e9a0cc6c4286cc9e4cac03569ac2bf5f65fdc76df67d
SSDEEP:	12288:B057eE8PLjVt1wxAG3mlzkNSnBgwfl7wvnb46jsh00CFwz:ugV7wOztnBgewE6jssFw
TLSH:	F2D4E0764FC80874C3FE5B7BC4F72923C779E2AE3142CB4C66906DA52A02B75A58161F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../.................0..&..........~D... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x49447e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCA00A32F [Sun May 23 23:50:07 2077 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x94430	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x646	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x92484	0x92600	e00fb96fcee7a148a5adf04407f1c3c8	False	0.7225878656063194	data	7.617251309305968	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x646	0x800	b6f05d1d39848fb350ad9955a2349415	False	0.34912109375	data	3.5328734243060844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x200	b2d18ac6d0b70805e108780c7203b311	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x960a0	0x3bc	data			0.42573221757322177
RT_MANIFEST	0x9645c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:02:48.788058996 CEST	49674	443	192.168.2.5	23.1.237.91
May 4, 2024 10:02:48.789052010 CEST	49675	443	192.168.2.5	23.1.237.91
May 4, 2024 10:02:48.913074970 CEST	49673	443	192.168.2.5	23.1.237.91
May 4, 2024 10:02:52.543204069 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:52.882105112 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:52.882200956 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:53.356204987 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:53.357381105 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:53.696346998 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:53.696578026 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:54.037676096 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:54.046600103 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:54.395718098 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:54.395745039 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:54.395757914 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:54.395772934 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:54.395890951 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:54.395922899 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:54.399095058 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:54.435926914 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:54.783930063 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:54.814652920 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:55.153575897 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:55.154846907 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:55.495445013 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:55.496778011 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:55.836682081 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:55.837004900 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:56.176069975 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:56.176388025 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:56.555041075 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:56.588370085 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:56.588625908 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:56.928575039 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:56.928601027 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:56.929327965 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:56.929388046 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:56.929411888 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:56.929434061 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:57.268249035 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:57.268275023 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:57.268536091 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:57.275011063 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:02:57.319315910 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:02:58.397414923 CEST	49675	443	192.168.2.5	23.1.237.91
May 4, 2024 10:02:58.397418976 CEST	49674	443	192.168.2.5	23.1.237.91
May 4, 2024 10:02:58.522464037 CEST	49673	443	192.168.2.5	23.1.237.91
May 4, 2024 10:02:59.896454096 CEST	443	49703	23.1.237.91	192.168.2.5
May 4, 2024 10:02:59.896578074 CEST	49703	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:09.130961895 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.131000042 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.131160975 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.131366968 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.131382942 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.185204983 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.185242891 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.185602903 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.185848951 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.185851097 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.185862064 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.185879946 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.186014891 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.186121941 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.186130047 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.271836042 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.271867037 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.272154093 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.272154093 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.272186995 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.468746901 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.492116928 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.492139101 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.493237972 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.493314028 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.510426998 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.510535955 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.512679100 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.512692928 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.515319109 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.517162085 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.517185926 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.517554045 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.518246889 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.518507004 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.519757986 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.519782066 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.520920038 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.521004915 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.521243095 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.521250010 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.521393061 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.521461964 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.523277044 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.523277998 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.523361921 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.603342056 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.604687929 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.604712009 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.605849028 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.605976105 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.606736898 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.606736898 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.606859922 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.629092932 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.629203081 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.644906044 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.644927979 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.699172974 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.699222088 CEST	443	49710	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.699286938 CEST	49710	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.754046917 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.754049063 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.754070997 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.810403109 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.811738968 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.811891079 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.813545942 CEST	49708	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.813561916 CEST	443	49708	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.875672102 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.875816107 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.875967979 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.876038074 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.876079082 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.876111984 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.876254082 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.876327038 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.876705885 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.879611969 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.890841961 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.890924931 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.891022921 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.891038895 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.891155958 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.902115107 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.913690090 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.915132046 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.915143967 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.950987101 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.951066971 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.952575922 CEST	49711	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:09.952594995 CEST	443	49711	172.217.14.68	192.168.2.5
May 4, 2024 10:03:09.958909035 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:09.958934069 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:09.959007025 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:09.962038994 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:09.962050915 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:10.037480116 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.037540913 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.037564039 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.042206049 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.042257071 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.042267084 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.053487062 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.053548098 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.053563118 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.064868927 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.064918995 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.064933062 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.074058056 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.074103117 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.074115992 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.086519957 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.086577892 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.086594105 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.096216917 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.096271038 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.096283913 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.106030941 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.106084108 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.106092930 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.115927935 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.115993023 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.116002083 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.135588884 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.135634899 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.135648012 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.145536900 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.145603895 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.145617962 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.155541897 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.155631065 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.155657053 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.165160894 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.165211916 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.165220976 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.165234089 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.165263891 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.196643114 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.201436996 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.201488018 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.201495886 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.201530933 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.201579094 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.211419106 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.221044064 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.221098900 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.221106052 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.221122026 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.221165895 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.230808973 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.239677906 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.239727974 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.239734888 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.239761114 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.239800930 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.239808083 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.248667002 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.248713970 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.248729944 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.257474899 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.257548094 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.257564068 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.266350985 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.266400099 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.266417027 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.275247097 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.275294065 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.275309086 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.288347960 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.288394928 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.288408041 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.288428068 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.288470984 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.296835899 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.304637909 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.304680109 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.304709911 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.304733992 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.304774046 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.312047958 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.319216013 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.319262028 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.319272995 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.319292068 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.319324017 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.326204062 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.332963943 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.333009005 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.333025932 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.333046913 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.333077908 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.339485884 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.346106052 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.346164942 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.346167088 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.346187115 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.346230984 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.352358103 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.358557940 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.358620882 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.358632088 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.364979982 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.365040064 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.365047932 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.371166945 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.371243954 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.371253967 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.373248100 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.373301029 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.373310089 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.377302885 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.377379894 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.377391100 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.381592989 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.381653070 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.381668091 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.385133028 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.385188103 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.385201931 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.389066935 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.389136076 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.389147997 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.392901897 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.392954111 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.392962933 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.396703005 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.396758080 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.396764994 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.400505066 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.400548935 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.400556087 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.404385090 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.404427052 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.404428005 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.404437065 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.404472113 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.408346891 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.412179947 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.412209034 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.412237883 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.412256956 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.412287951 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.415963888 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.419828892 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.419872999 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.419883966 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.419928074 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.419960976 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.420104027 CEST	49709	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:10.420121908 CEST	443	49709	172.217.14.68	192.168.2.5
May 4, 2024 10:03:10.904963970 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:10.905071974 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:12.145324945 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:12.145343065 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:12.145673990 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:12.230679035 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:13.208292007 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:13.208314896 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:13.208395958 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:13.209954977 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:13.209986925 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:13.341911077 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:13.384114981 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.479840994 CEST	49703	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:13.480077982 CEST	49703	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:13.480658054 CEST	49725	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:13.480679035 CEST	443	49725	23.1.237.91	192.168.2.5
May 4, 2024 10:03:13.480807066 CEST	49725	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:13.481105089 CEST	49725	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:13.481116056 CEST	443	49725	23.1.237.91	192.168.2.5
May 4, 2024 10:03:13.541114092 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:13.541420937 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:13.541445971 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:13.541790962 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:13.542109966 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:13.542184114 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:13.641531944 CEST	443	49703	23.1.237.91	192.168.2.5
May 4, 2024 10:03:13.641582012 CEST	443	49703	23.1.237.91	192.168.2.5
May 4, 2024 10:03:13.642460108 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:13.814529896 CEST	443	49725	23.1.237.91	192.168.2.5
May 4, 2024 10:03:13.814603090 CEST	49725	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:13.962101936 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962147951 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962153912 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962202072 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962209940 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962220907 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962229967 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:13.962234020 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962296963 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:13.962779045 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962786913 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962847948 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:13.962852001 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962883949 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:13.962922096 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:14.323748112 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:14.323771000 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:14.323786974 CEST	49715	443	192.168.2.5	40.68.123.157
May 4, 2024 10:03:14.323803902 CEST	443	49715	40.68.123.157	192.168.2.5
May 4, 2024 10:03:16.949536085 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:16.949584007 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:16.949657917 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:16.951005936 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:16.951020002 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.278844118 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.278913975 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.285223961 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.285238981 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.285471916 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.329516888 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.333029032 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.380125999 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.593106031 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.593177080 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.593238115 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.593419075 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.593444109 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.593473911 CEST	49729	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.593482018 CEST	443	49729	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.632774115 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.632817030 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.633076906 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.633369923 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.633380890 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.957443953 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.957520962 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.959414005 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:17.959422112 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.959652901 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:17.961081028 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:18.004129887 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:18.277414083 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:18.277492046 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:18.277611971 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:18.278367043 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:18.278388023 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:18.278405905 CEST	49730	443	192.168.2.5	72.247.96.147
May 4, 2024 10:03:18.278413057 CEST	443	49730	72.247.96.147	192.168.2.5
May 4, 2024 10:03:23.559860945 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:23.559932947 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:23.560012102 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:23.876521111 CEST	49723	443	192.168.2.5	172.217.14.68
May 4, 2024 10:03:23.876543999 CEST	443	49723	172.217.14.68	192.168.2.5
May 4, 2024 10:03:32.967818022 CEST	443	49725	23.1.237.91	192.168.2.5
May 4, 2024 10:03:32.967886925 CEST	49725	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:39.477906942 CEST	49725	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:39.477938890 CEST	443	49725	23.1.237.91	192.168.2.5
May 4, 2024 10:03:39.477962017 CEST	49725	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:39.477968931 CEST	443	49725	23.1.237.91	192.168.2.5
May 4, 2024 10:03:39.478303909 CEST	49731	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:39.478337049 CEST	443	49731	23.1.237.91	192.168.2.5
May 4, 2024 10:03:39.478413105 CEST	49731	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:39.478482962 CEST	49731	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:39.478563070 CEST	443	49731	23.1.237.91	192.168.2.5
May 4, 2024 10:03:39.478617907 CEST	49731	443	192.168.2.5	23.1.237.91
May 4, 2024 10:03:43.630042076 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.630088091 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:43.630150080 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.630445957 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.630460978 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:43.961148024 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:43.963103056 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.963121891 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:43.963514090 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:43.963582993 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.964262009 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:43.964312077 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.965542078 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.965601921 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:43.965735912 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:43.965747118 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.011301994 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.437536001 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.437562943 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.437675953 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.437695026 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.448393106 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.449626923 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.449635983 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.459506989 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.461620092 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.461628914 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.470643044 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.473623037 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.473632097 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.481852055 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.485637903 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.485650063 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.492934942 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.493504047 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.493515015 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.504122019 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.505620003 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.505639076 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.550112963 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.596602917 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.596728086 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.602063894 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.602148056 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.613327026 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.613403082 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.624341965 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.624424934 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.635550022 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.635629892 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.646688938 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.646764994 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.646780968 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.646820068 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.647618055 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.657841921 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.657885075 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.657967091 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.657977104 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.668988943 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.671828985 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.671844959 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.680186987 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.684163094 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.684185028 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.695805073 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.695837975 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.695925951 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.695944071 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.699615002 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.705745935 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.715581894 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.715627909 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.715701103 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.715711117 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.719614983 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.725466013 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.735347986 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.735382080 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.735460997 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.735469103 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.735505104 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.735512972 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.735536098 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:44.735585928 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.735717058 CEST	49732	443	192.168.2.5	142.250.72.142
May 4, 2024 10:03:44.735733986 CEST	443	49732	142.250.72.142	192.168.2.5
May 4, 2024 10:03:52.979377985 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:52.979427099 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:52.979515076 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:52.979897976 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:52.979908943 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:53.857343912 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:53.857450008 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:53.859337091 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:53.859349012 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:53.859607935 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:53.868907928 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:53.916120052 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:54.728703976 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:54.728732109 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:54.728760004 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:54.728955984 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:54.728991985 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:54.729067087 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:54.732949018 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:54.732984066 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:03:54.733000994 CEST	49742	443	192.168.2.5	40.127.169.103
May 4, 2024 10:03:54.733009100 CEST	443	49742	40.127.169.103	192.168.2.5
May 4, 2024 10:04:13.888283014 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:13.888328075 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:13.888392925 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:13.888895035 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:13.888906956 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:14.217763901 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:14.218494892 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:14.218529940 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:14.218890905 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:14.219734907 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:14.219803095 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:14.268625021 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:18.109612942 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.109652996 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.109709024 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.109957933 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.109972954 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.438242912 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.438565016 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.438592911 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.438997030 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.439076900 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.439723015 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.439799070 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.441464901 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.441529989 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.441646099 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.441653967 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.487823009 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.767754078 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.767836094 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.767894983 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.770132065 CEST	49746	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.770157099 CEST	443	49746	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.771136999 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.771177053 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:18.771243095 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.772547960 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:18.772558928 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.105241060 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.105596066 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.105609894 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.106245995 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.106326103 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.106956959 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.107019901 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.110481024 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.110553980 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.110723019 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.110728979 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.110757113 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.152124882 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.163270950 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.460302114 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.460442066 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.460516930 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.461580992 CEST	49747	443	192.168.2.5	142.250.189.14
May 4, 2024 10:04:19.461601019 CEST	443	49747	142.250.189.14	192.168.2.5
May 4, 2024 10:04:19.626317024 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.626348019 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:19.626430988 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.626650095 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.626662970 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:19.953744888 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:19.954051971 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.954083920 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:19.954520941 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:19.954576969 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.955272913 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:19.955322981 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.955728054 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.955801964 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:19.956084967 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:19.956091881 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:20.002091885 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:20.285514116 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:20.285581112 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:20.285670042 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:20.285684109 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:20.286432028 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:20.286474943 CEST	443	49748	142.250.68.110	192.168.2.5
May 4, 2024 10:04:20.286525011 CEST	49748	443	192.168.2.5	142.250.68.110
May 4, 2024 10:04:24.216252089 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:24.216335058 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:24.216408014 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:24.372221947 CEST	49744	443	192.168.2.5	172.217.14.68
May 4, 2024 10:04:24.372252941 CEST	443	49744	172.217.14.68	192.168.2.5
May 4, 2024 10:04:32.767942905 CEST	49704	587	192.168.2.5	91.235.128.141
May 4, 2024 10:04:33.109061956 CEST	587	49704	91.235.128.141	192.168.2.5
May 4, 2024 10:04:33.112792969 CEST	49704	587	192.168.2.5	91.235.128.141

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:02:52.347326994 CEST	53188	53	192.168.2.5	1.1.1.1
May 4, 2024 10:02:52.511845112 CEST	53	53188	1.1.1.1	192.168.2.5
May 4, 2024 10:03:08.839205027 CEST	53	53963	1.1.1.1	192.168.2.5
May 4, 2024 10:03:08.923726082 CEST	53	51102	1.1.1.1	192.168.2.5
May 4, 2024 10:03:08.968997002 CEST	62204	53	192.168.2.5	1.1.1.1
May 4, 2024 10:03:08.968997002 CEST	57630	53	192.168.2.5	1.1.1.1
May 4, 2024 10:03:09.128803015 CEST	53	62204	1.1.1.1	192.168.2.5
May 4, 2024 10:03:09.128947020 CEST	53	57630	1.1.1.1	192.168.2.5
May 4, 2024 10:03:09.914674044 CEST	53	54102	1.1.1.1	192.168.2.5
May 4, 2024 10:03:12.621124983 CEST	53	57089	1.1.1.1	192.168.2.5
May 4, 2024 10:03:13.873331070 CEST	59129	53	192.168.2.5	1.1.1.1
May 4, 2024 10:03:13.873496056 CEST	59089	53	192.168.2.5	1.1.1.1
May 4, 2024 10:03:14.033205986 CEST	53	59129	1.1.1.1	192.168.2.5
May 4, 2024 10:03:14.037383080 CEST	53	59089	1.1.1.1	192.168.2.5
May 4, 2024 10:03:30.133382082 CEST	53	53019	1.1.1.1	192.168.2.5
May 4, 2024 10:03:43.468429089 CEST	60237	53	192.168.2.5	1.1.1.1
May 4, 2024 10:03:43.468580008 CEST	60924	53	192.168.2.5	1.1.1.1
May 4, 2024 10:03:43.628582954 CEST	53	60237	1.1.1.1	192.168.2.5
May 4, 2024 10:03:43.629398108 CEST	53	60924	1.1.1.1	192.168.2.5
May 4, 2024 10:03:44.618201017 CEST	53	58451	1.1.1.1	192.168.2.5
May 4, 2024 10:03:45.977695942 CEST	53	63262	1.1.1.1	192.168.2.5
May 4, 2024 10:03:47.161622047 CEST	53	58683	1.1.1.1	192.168.2.5
May 4, 2024 10:03:49.130534887 CEST	53	59961	1.1.1.1	192.168.2.5
May 4, 2024 10:04:10.597099066 CEST	53	54765	1.1.1.1	192.168.2.5
May 4, 2024 10:04:12.023416042 CEST	53	56019	1.1.1.1	192.168.2.5
May 4, 2024 10:04:17.948669910 CEST	63531	53	192.168.2.5	1.1.1.1
May 4, 2024 10:04:17.948834896 CEST	56116	53	192.168.2.5	1.1.1.1
May 4, 2024 10:04:18.108978987 CEST	53	63531	1.1.1.1	192.168.2.5
May 4, 2024 10:04:18.109097004 CEST	53	56116	1.1.1.1	192.168.2.5
May 4, 2024 10:04:19.465567112 CEST	64472	53	192.168.2.5	1.1.1.1
May 4, 2024 10:04:19.465759993 CEST	61886	53	192.168.2.5	1.1.1.1
May 4, 2024 10:04:19.625571012 CEST	53	64472	1.1.1.1	192.168.2.5
May 4, 2024 10:04:19.625855923 CEST	53	61886	1.1.1.1	192.168.2.5
May 4, 2024 10:04:39.585660934 CEST	53	51388	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 10:02:52.347326994 CEST	192.168.2.5	1.1.1.1	0x8efc	Standard query (0)	cp5ua.hyperhost.ua	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:08.968997002 CEST	192.168.2.5	1.1.1.1	0xe888	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:08.968997002 CEST	192.168.2.5	1.1.1.1	0x8a54	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 4, 2024 10:03:13.873331070 CEST	192.168.2.5	1.1.1.1	0x598d	Standard query (0)	apis.google.com	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:13.873496056 CEST	192.168.2.5	1.1.1.1	0xa659	Standard query (0)	apis.google.com	65	IN (0x0001)	false
May 4, 2024 10:03:43.468429089 CEST	192.168.2.5	1.1.1.1	0x126b	Standard query (0)	ogs.google.com	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:43.468580008 CEST	192.168.2.5	1.1.1.1	0x4ee6	Standard query (0)	ogs.google.com	65	IN (0x0001)	false
May 4, 2024 10:04:17.948669910 CEST	192.168.2.5	1.1.1.1	0xd319	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
May 4, 2024 10:04:17.948834896 CEST	192.168.2.5	1.1.1.1	0xecc0	Standard query (0)	play.google.com	65	IN (0x0001)	false
May 4, 2024 10:04:19.465567112 CEST	192.168.2.5	1.1.1.1	0x2c1d	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
May 4, 2024 10:04:19.465759993 CEST	192.168.2.5	1.1.1.1	0x9e47	Standard query (0)	play.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2024 10:02:52.511845112 CEST	1.1.1.1	192.168.2.5	0x8efc	No error (0)	cp5ua.hyperhost.ua		91.235.128.141	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:09.128803015 CEST	1.1.1.1	192.168.2.5	0xe888	No error (0)	www.google.com		172.217.14.68	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:09.128947020 CEST	1.1.1.1	192.168.2.5	0x8a54	No error (0)	www.google.com			65	IN (0x0001)	false
May 4, 2024 10:03:14.033205986 CEST	1.1.1.1	192.168.2.5	0x598d	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:03:14.033205986 CEST	1.1.1.1	192.168.2.5	0x598d	No error (0)	plus.l.google.com		142.251.40.46	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:14.037383080 CEST	1.1.1.1	192.168.2.5	0xa659	No error (0)	apis.google.com	plus.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:03:43.628582954 CEST	1.1.1.1	192.168.2.5	0x126b	No error (0)	ogs.google.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:03:43.628582954 CEST	1.1.1.1	192.168.2.5	0x126b	No error (0)	www3.l.google.com		142.250.72.142	A (IP address)	IN (0x0001)	false
May 4, 2024 10:03:43.629398108 CEST	1.1.1.1	192.168.2.5	0x4ee6	No error (0)	ogs.google.com	www3.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:04:18.108978987 CEST	1.1.1.1	192.168.2.5	0xd319	No error (0)	play.google.com		142.250.189.14	A (IP address)	IN (0x0001)	false
May 4, 2024 10:04:19.625571012 CEST	1.1.1.1	192.168.2.5	0x2c1d	No error (0)	play.google.com		142.250.68.110	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

slscr.update.microsoft.com

fs.microsoft.com

ogs.google.com

https:

play.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	172.217.14.68	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:09 UTC	615	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 08:03:09 UTC	1191	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:03:09 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-lRNfIQ8RSPk9TSgP3ypwqQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 08:03:09 UTC	64	IN	Data Raw: 33 33 33 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6c 75 69 73 20 61 72 72 61 65 7a 20 73 61 6e 20 64 69 65 67 6f 20 70 61 64 72 65 73 22 2c 22 6c 75 63 68 61 20 6c 69 62 72 65 20 6c 6f 6f 74 20 Data Ascii: 333)]}'["",["luis arraez san diego padres","lucha libre loot
2024-05-04 08:03:09 UTC	762	IN	Data Raw: 72 65 77 61 72 64 73 20 6d 6f 6e 6f 70 6f 6c 79 20 67 6f 22 2c 22 61 70 65 78 20 6c 65 67 65 6e 64 73 20 70 6c 61 79 6f 66 66 73 22 2c 22 77 69 73 63 6f 6e 73 69 6e 20 65 6c 65 6d 65 6e 74 61 72 79 20 73 63 68 6f 6f 6c 20 74 65 61 63 68 65 72 22 2c 22 6e 61 74 69 6f 6e 61 6c 20 6e 75 72 73 65 73 20 77 65 65 6b 20 64 69 73 63 6f 75 6e 74 73 22 2c 22 73 65 76 65 72 61 6e 63 65 20 72 65 6c 65 61 73 65 20 64 61 74 65 22 2c 22 74 65 6e 6e 65 73 73 65 65 20 62 61 73 65 62 61 6c 6c 20 66 6c 6f 72 69 64 61 22 2c 22 74 68 65 20 62 6f 6c 64 20 61 6e 64 20 74 68 65 20 62 65 61 75 74 69 66 75 6c 20 73 70 6f 69 6c 65 72 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 Data Ascii: rewards monopoly go","apex legends playoffs","wisconsin elementary school teacher","national nurses week discounts","severance release date","tennessee baseball florida","the bold and the beautiful spoilers"],["","","","","","","",""],[],{"google:clientda
2024-05-04 08:03:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	172.217.14.68	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:09 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	172.217.14.68	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:09 UTC	518	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 08:03:09 UTC	967	IN	HTTP/1.1 200 OK Version: 629707551 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Sat, 04 May 2024 08:03:09 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 08:03:09 UTC	288	IN	Data Raw: 31 30 64 34 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 51 61 20 67 62 5f 68 62 20 67 62 5f 54 64 20 67 62 5f 6e 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 10d4)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Qa gb_hb gb_Td gb_nd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2024-05-04 08:03:09 UTC	1255	IN	Data Raw: 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 72 64 20 67 62 5f 6b 64 20 67 62 5f 78 64 20 67 62 5f 77 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 71 64 20 67 62 5f 67 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4f 63 20 67 62 5f 71 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 Data Ascii: 03e\u003c\/div\u003e\u003cdiv class\u003d\"gb_rd gb_kd gb_xd gb_wd\"\u003e\u003cdiv class\u003d\"gb_qd gb_gd\"\u003e\u003cdiv class\u003d\"gb_Oc gb_q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u00
2024-05-04 08:03:09 UTC	1255	IN	Data Raw: 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 2f 3f 74 61 62 5c 75 30 30 33 64 72 72 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4e 63 20 67 62 5f 35 64 5c 22 20 61 72 69 61 2d 68 69 64 64 65 6e 5c 75 30 30 33 64 5c 22 74 72 75 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 70 72 65 73 65 6e 74 61 74 69 6f 6e 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 61 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 71 64 20 67 62 5f 65 64 20 67 62 Data Ascii: label\u003d\"Google\" href\u003d\"/?tab\u003drr\"\u003e\u003cspan class\u003d\"gb_Nc gb_5d\" aria-hidden\u003d\"true\" role\u003d\"presentation\"\u003e\u003c\/span\u003e\u003c\/a\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_qd gb_ed gb
2024-05-04 08:03:09 UTC	1255	IN	Data Raw: 22 67 62 5f 55 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 37 63 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 78 20 67 62 5f 4b 20 67 62 5f 6a 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 66 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 64 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 53 65 61 72 63 68 20 4c 61 62 73 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 68 74 74 70 73 3a 2f 2f 6c 61 62 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 61 72 63 68 3f 73 6f 75 72 63 65 5c 75 30 30 33 64 6e 74 70 5c 22 20 74 Data Ascii: "gb_Ud\"\u003e\u003cdiv class\u003d\"gb_7c\"\u003e \u003cdiv class\u003d\"gb_x gb_K gb_j\"\u003e \u003cdiv class\u003d\"gb_f\"\u003e \u003ca class\u003d\"gb_d\" aria-label\u003d\"Search Labs\" href\u003d\"https://labs.google.com/search?source\u003dntp\" t
2024-05-04 08:03:09 UTC	263	IN	Data Raw: 6d 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 5c 75 30 30 33 64 72 68 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 68 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 36 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c Data Ascii: m/intl/en/about/products?tab\u003drh\" aria-expanded\u003d\"false\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg class\u003d\"gb_h\" focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M6,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,
2024-05-04 08:03:09 UTC	724	IN	Data Raw: 32 63 64 0d 0a 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 32 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 36 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 36 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 32 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 Data Ascii: 2cd0.9 -2,2 0.9,2 2,2zM12,20c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM6,20c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM6,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM12,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2
2024-05-04 08:03:09 UTC	1255	IN	Data Raw: 38 30 30 30 0d 0a 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 73 76 67 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 61 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 79 64 20 67 62 5f 6b 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 68 65 61 64 65 72 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 57 63 20 67 Data Ascii: 8000\u003e\u003c\/svg\u003e\u003c\/a\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_yd gb_kd\"\u003e\u003c\/div\u003e\u003c\/header\u003e\u003cdiv class\u003d\"gb_Wc g
2024-05-04 08:03:09 UTC	1255	IN	Data Raw: 65 7b 64 5c 75 30 30 33 64 28 30 2c 5f 2e 79 29 28 61 2e 43 2c 61 2c 62 29 3b 63 6f 6e 73 74 20 65 5c 75 30 30 33 64 61 2e 76 2b 63 3b 61 2e 76 2b 2b 3b 62 2e 64 61 74 61 73 65 74 2e 65 71 69 64 5c 75 30 30 33 64 65 3b 61 2e 42 5b 65 5d 5c 75 30 30 33 64 64 3b 62 5c 75 30 30 32 36 5c 75 30 30 32 36 62 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 3f 62 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 63 2c 64 2c 21 31 29 3a 62 5c 75 30 30 32 36 5c 75 30 30 32 36 62 2e 61 74 74 61 63 68 45 76 65 6e 74 3f 62 2e 61 74 74 61 63 68 45 76 65 6e 74 28 5c 22 6f 6e 5c 22 2b 63 2c 64 29 3a 61 2e 6f 2e 6c 6f 67 28 45 72 72 6f 72 28 5c 22 7a 60 5c 22 2b 62 29 29 7d 7d 3b 5c 6e 7d 63 61 74 63 68 28 65 29 7b 5f 2e 5f 44 75 6d 70 45 78 63 65 70 74 69 6f 6e 28 Data Ascii: e{d\u003d(0,_.y)(a.C,a,b);const e\u003da.v+c;a.v++;b.dataset.eqid\u003de;a.B[e]\u003dd;b\u0026\u0026b.addEventListener?b.addEventListener(c,d,!1):b\u0026\u0026b.attachEvent?b.attachEvent(\"on\"+c,d):a.o.log(Error(\"z`\"+b))}};\n}catch(e){_._DumpException(
2024-05-04 08:03:09 UTC	1255	IN	Data Raw: 74 69 6f 6e 28 65 29 7d 5c 6e 74 72 79 7b 5c 6e 2f 2a 5c 6e 5c 6e 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 5c 6e 2a 2f 5c 6e 76 61 72 20 77 64 2c 46 64 2c 48 64 3b 5f 2e 72 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 6e 75 6c 6c 5c 75 30 30 33 64 5c 75 30 30 33 64 61 29 72 65 74 75 72 6e 20 61 3b 69 66 28 5c 22 73 74 72 69 6e 67 5c 22 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 74 79 70 65 6f 66 20 61 29 7b 69 66 28 21 61 29 72 65 74 75 72 6e 3b 61 5c 75 30 30 33 64 2b 61 7d 69 66 28 5c 22 6e 75 6d 62 65 72 5c 22 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 74 79 70 65 6f 66 20 61 29 72 65 74 75 72 6e 20 4e 75 6d 62 65 72 2e 69 73 46 69 6e 69 74 65 Data Ascii: tion(e)}\ntry{\n/\n\n SPDX-License-Identifier: Apache-2.0\n/\nvar wd,Fd,Hd;_.rd\u003dfunction(a){if(null\u003d\u003da)return a;if(\"string\"\u003d\u003d\u003dtypeof a){if(!a)return;a\u003d+a}if(\"number\"\u003d\u003d\u003dtypeof a)return Number.isFinite
2024-05-04 08:03:09 UTC	1255	IN	Data Raw: 65 28 61 29 3f 61 7c 30 3a 76 6f 69 64 20 30 7d 3b 5f 2e 53 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 5c 75 30 30 33 64 30 29 7b 72 65 74 75 72 6e 20 5f 2e 6c 62 28 5f 2e 45 64 28 61 2c 62 29 2c 63 29 7d 3b 46 64 5c 75 30 30 33 64 30 3b 5f 2e 47 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 4f 62 6a 65 63 74 2e 70 72 6f 74 6f 74 79 70 65 2e 68 61 73 4f 77 6e 50 72 6f 70 65 72 74 79 2e 63 61 6c 6c 28 61 2c 5f 2e 78 62 29 5c 75 30 30 32 36 5c 75 30 30 32 36 61 5b 5f 2e 78 62 5d 7c 7c 28 61 5b 5f 2e 78 62 5d 5c 75 30 30 33 64 2b 2b 46 64 29 7d 3b 48 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 49 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 Data Ascii: e(a)?a\|0:void 0};_.S\u003dfunction(a,b,c\u003d0){return _.lb(_.Ed(a,b),c)};Fd\u003d0;_.Gd\u003dfunction(a){return Object.prototype.hasOwnProperty.call(a,_.xb)\u0026\u0026a[_.xb]\|\|(a[_.xb]\u003d++Fd)};Hd\u003dfunction(a){return a};_.Id\u003dfunction(a){var

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	172.217.14.68	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:09 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 08:03:09 UTC	922	IN	HTTP/1.1 200 OK Version: 629707551 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Sat, 04 May 2024 08:03:09 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 08:03:09 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-05-04 08:03:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49715	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:13 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dg+uS4uaRpFXHHv&MD=p8faHFV4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-04 08:03:13 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: dd881697-443b-4f15-b0d9-6555c6b81477 MS-RequestId: 85c61667-77e0-48cd-95c3-3f2b431aa86f MS-CV: TF3LxoILKkyn8yeg.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 04 May 2024 08:03:12 GMT Connection: close Content-Length: 24490
2024-05-04 08:03:13 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-04 08:03:13 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49729	72.247.96.147	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:17 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-04 08:03:17 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (sac/2518) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=169179 Date: Sat, 04 May 2024 08:03:17 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49730	72.247.96.147	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:17 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-04 08:03:18 UTC	531	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0Fz4RYwAAAACZW8dCTzveR7lI76J6Z2l5U0pDRURHRTA1MTgAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=169173 Date: Sat, 04 May 2024 08:03:18 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-04 08:03:18 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49732	142.250.72.142	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:43 UTC	872	OUT	GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1 Host: ogs.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 08:03:44 UTC	2491	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 X-Frame-Options: ALLOW-FROM chrome-untrusted://new-tab-page Content-Security-Policy: frame-ancestors chrome-untrusted://new-tab-page chrome://new-tab-page Content-Security-Policy: script-src 'report-sample' 'nonce-KFcGgKtP9hp0p4ESjdGrrA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/OneGoogleWidgetUi/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/OneGoogleWidgetUi/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/OneGoogleWidgetUi/cspreport x-ua-compatible: IE=edge Expires: Sat, 04 May 2024 08:03:44 GMT Date: Sat, 04 May 2024 08:03:44 GMT Cache-Control: private, max-age=259200 P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Strict-Transport-Security: max-age=31536000 Cross-Origin-Resource-Policy: same-site Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Embedder-Policy-Report-Only: require-corp; report-to="CoepOneGoogleWidgetUi" Report-To: {"group":"CoepOneGoogleWidgetUi","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/OneGoogleWidgetUi"}]} Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin reporting-endpoints: default="/_/OneGoogleWidgetUi/web-reports?context=eJzjstDikmLw0ZBiuPf9GVPByhdMEl9fMmkAsVP6DNYgIPapn8EaA8StN8-xTgXipH_nWYuAWIiH48H16xvZBGbsbZjPCAD4YR41" Server: ESF X-XSS-Protection: 0 X-Content-Type-Options: nosniff Set-Cookie: NID=513=XmH_gibrb4C3PvdgFV5OZbumoUeiL2En-lB_mjdL1cfaDi8oeDU1Od-r8cqdfqnp62p7q5vvXgHyq3CODyYE3k6oDEfBhu8op1NMjAiitcAwEd0n2u33siAF_uBH7vM5Q-64c9VE5vLTbIJZQ3q3pkF8-Rst9oPmLdWSZE3mJSc; expires=Sun, 03-Nov-2024 08:03:44 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 38 30 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 3e 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6f 67 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 3e 3c 6c 69 6e 6b 20 72 65 66 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6f 72 69 67 69 6e 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6f 67 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 77 69 64 67 65 74 2f 61 70 70 2f 73 6f 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 Data Ascii: 8000<!doctype html><html lang="en" dir="ltr"><head><base href="https://ogs.google.com/"><link ref="preconnect" href="//www.gstatic.com"><meta name="referrer" content="origin"><link rel="canonical" href="https://ogs.google.com/widget/app/so"><link rel="p
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 72 65 63 6f 72 64 49 6d 6c 45 6c 3d 6d 3b 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 6c 6f 61 64 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 62 3d 62 2e 74 61 72 67 65 74 3b 76 61 72 20 63 3b 22 49 4d 47 22 21 3d 62 2e 74 61 67 4e 61 6d 65 7c 7c 62 2e 68 61 73 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 69 69 64 22 29 7c 7c 61 2e 5f 69 73 4c 61 7a 79 49 6d 61 67 65 28 62 29 7c 7c 62 2e 68 61 73 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 6e 6f 61 66 74 22 29 7c 7c 28 63 3d 6d 28 62 29 29 3b 69 66 28 61 2e 61 66 74 5f 63 6f 75 6e 74 65 72 26 26 28 62 3d 61 2e 61 66 74 5f 63 6f 75 6e 74 65 72 2e 69 6e 64 65 78 4f 66 28 62 29 2c 2d 31 21 3d 3d 62 26 26 28 62 3d 31 3d Data Ascii: recordImlEl=m;document.documentElement.addEventListener("load",function(b){b=b.target;var c;"IMG"!=b.tagName\|\|b.hasAttribute("data-iid")\|\|a._isLazyImage(b)\|\|b.hasAttribute("data-noaft")\|\|(c=m(b));if(a.aft_counter&&(b=a.aft_counter.indexOf(b),-1!==b&&(b=1=
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 6e 64 65 78 3a 33 7d 2e 41 4f 71 34 74 62 7b 68 65 69 67 68 74 3a 35 36 70 78 7d 2e 6b 46 77 50 65 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7a 2d 69 6e 64 65 78 3a 31 3b 68 65 69 67 68 74 3a 31 30 30 25 7d 2e 79 64 4d 4d 45 62 7b 68 65 69 67 68 74 3a 35 36 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 53 53 50 47 4b 66 7b 6f 76 65 72 66 6c 6f 77 2d 79 3a 68 69 64 64 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 62 6f 74 74 6f 6d 3a 30 3b 6c 65 66 74 3a 30 3b 72 69 67 68 74 3a 30 3b 74 6f 70 3a 30 7d 2e 65 63 4a 45 69 62 20 2e 41 4f 71 34 74 62 2c 2e 65 63 4a 45 69 62 20 2e 79 64 4d 4d 45 62 7b 68 65 69 67 68 74 3a 36 34 70 78 7d 2e 65 32 47 33 46 62 2e 45 57 5a 63 75 64 20 2e 41 4f 71 34 74 62 2c 2e 65 32 47 33 46 62 2e Data Ascii: ndex:3}.AOq4tb{height:56px}.kFwPee{position:relative;z-index:1;height:100%}.ydMMEb{height:56px;width:100%}.SSPGKf{overflow-y:hidden;position:absolute;bottom:0;left:0;right:0;top:0}.ecJEib .AOq4tb,.ecJEib .ydMMEb{height:64px}.e2G3Fb.EWZcud .AOq4tb,.e2G3Fb.
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 31 62 3a 61 63 74 69 76 65 20 2e 52 71 35 47 63 62 2c 2e 6e 7a 39 73 71 62 2e 6f 30 37 47 35 20 2e 74 58 39 75 31 62 3a 61 63 74 69 76 65 3a 68 6f 76 65 72 20 2e 52 71 35 47 63 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 32 64 32 65 33 30 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 6f 70 61 63 69 74 79 3a 2e 38 7d 2e 74 58 39 75 31 62 5b 64 72 61 67 67 61 62 6c 65 3d 66 61 6c 73 65 5d 7b 2d 77 65 62 6b 69 74 2d 74 6f 75 63 68 2d 63 61 6c 6c 6f 75 74 3a 6e 6f 6e 65 3b 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 7d 2e 4d 72 45 66 4c 63 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 35 33 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 3b 77 69 64 74 Data Ascii: 1b:active .Rq5Gcb,.nz9sqb.o07G5 .tX9u1b:active:hover .Rq5Gcb{background-color:#2d2e30;border-color:transparent;opacity:.8}.tX9u1b[draggable=false]{-webkit-touch-callout:none;user-select:none}.MrEfLc{display:inline-block;height:53px;vertical-align:top;widt
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 7a 39 73 71 62 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 68 75 6d 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 28 39 35 2c 39 39 2c 31 30 34 29 7d 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 2c 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 62 6f 72 64 65 72 3a 6e 6f 6e 65 7d 2e 6a 46 56 30 6e 7b 68 65 69 67 68 74 3a 34 30 70 78 3b 6d 61 72 67 69 6e 3a 38 70 78 3b 77 69 64 74 68 3a 34 30 70 78 7d 2e 6e 7a 39 73 71 62 20 2e 6a 46 56 30 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 4f 75 6e 5a 39 63 7b 62 61 63 Data Ascii: z9sqb.EHzcec::-webkit-scrollbar-thumb{background-color:rgb(95,99,104)}.EHzcec::-webkit-scrollbar-track,.EHzcec::-webkit-scrollbar-track:hover{background:none;border:none}.jFV0n{height:40px;margin:8px;width:40px}.nz9sqb .jFV0n{position:relative}.OunZ9c{bac
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 78 20 34 70 78 20 32 34 70 78 20 32 34 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 7d 2e 75 34 52 63 55 64 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 2e 6e 7a 39 73 71 62 2e 45 48 7a 63 65 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 32 38 32 61 32 63 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 73 75 72 66 61 63 65 2d 63 6f 6e 74 61 69 6e 65 72 2d 68 69 67 68 2c 23 32 38 32 61 32 63 29 7d 2e 6e 7a 39 73 71 62 2e 45 48 7a 63 65 63 20 2e 4c 56 61 6c 37 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 31 62 31 62 31 62 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 73 75 72 66 61 63 65 2d 63 6f 6e 74 61 69 6e 65 72 2d 6c 6f 77 2c 23 31 62 31 62 31 Data Ascii: x 4px 24px 24px;margin-bottom:10px}.u4RcUd{padding-top:0}.nz9sqb.EHzcec{background:#282a2c;background:var(--gm3-sys-color-surface-container-high,#282a2c)}.nz9sqb.EHzcec .LVal7b{background:#1b1b1b;background:var(--gm3-sys-color-surface-container-low,#1b1b1
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 6f 70 61 63 69 74 79 3a 30 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 30 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 30 62 35 37 64 30 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 70 72 69 6d 61 72 79 2c 23 30 62 35 37 64 30 29 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 6f 70 61 63 69 74 79 20 2e 35 73 20 65 61 73 65 2d 6f 75 74 7d 2e 4e 51 56 33 6d 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 34 37 37 37 35 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 6f 75 74 6c 69 Data Ascii: e;top:0;left:0;width:100%;height:100%;opacity:0;border-radius:100px;background:#0b57d0;background:var(--gm3-sys-color-primary,#0b57d0);transition:opacity .5s ease-out}.NQV3m:hover{background:none;border-color:#747775;border-color:var(--gm3-sys-color-outli
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 2d 63 6f 6c 6f 72 3a 23 61 38 63 37 66 61 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 70 72 69 6d 61 72 79 2c 23 61 38 63 37 66 61 29 7d 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 7b 77 69 64 74 68 3a 38 70 78 7d 2e 45 48 7a 63 65 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 68 75 6d 62 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6c 69 70 3a 70 61 64 64 69 6e 67 2d 62 6f 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 33 31 2c 33 31 2c 33 31 2c 2e 31 36 29 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 38 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 78 2d 73 68 61 64 6f Data Ascii: -color:#a8c7fa;border-color:var(--gm3-sys-color-primary,#a8c7fa)}.EHzcec::-webkit-scrollbar{width:8px}.EHzcec::-webkit-scrollbar-thumb{background-clip:padding-box;background-color:rgba(31,31,31,.16);border-radius:8px;border:1px solid transparent;box-shado
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 6e 74 3a 63 65 6e 74 65 72 3b 6c 65 66 74 3a 31 33 70 78 3b 6d 69 6e 2d 77 69 64 74 68 3a 31 32 70 78 3b 70 61 64 64 69 6e 67 3a 32 70 78 20 33 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 31 70 78 3b 62 6f 72 64 65 72 3a 2e 35 70 78 20 73 6f 6c 69 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 66 38 66 61 66 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 67 6d 33 2d 73 79 73 2d 63 6f 6c 6f 72 2d 73 75 72 66 61 63 65 2d 63 6f 6e 74 61 69 6e 65 72 2d 6c 6f 77 2c 23 66 38 66 61 66 64 29 7d 2e 51 67 64 64 55 63 20 2e 6b 69 62 50 36 62 3a 66 6f 63 75 73 2c 2e 51 67 64 64 55 63 20 2e 6c 48 74 53 62 64 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 64 Data Ascii: nt:center;left:13px;min-width:12px;padding:2px 3px;position:absolute;top:1px;border:.5px solid;border-color:#f8fafd;border-color:var(--gm3-sys-color-surface-container-low,#f8fafd)}.QgddUc .kibP6b:focus,.QgddUc .lHtSbd:focus{border:1px solid;background:#dd
2024-05-04 08:03:44 UTC	2491	IN	Data Raw: 2d 30 31 31 31 2c 55 2b 30 31 32 38 2d 30 31 32 39 2c 55 2b 30 31 36 38 2d 30 31 36 39 2c 55 2b 30 31 41 30 2d 30 31 41 31 2c 55 2b 30 31 41 46 2d 30 31 42 30 2c 55 2b 30 33 30 30 2d 30 33 30 31 2c 55 2b 30 33 30 33 2d 30 33 30 34 2c 55 2b 30 33 30 38 2d 30 33 30 39 2c 55 2b 30 33 32 33 2c 55 2b 30 33 32 39 2c 55 2b 31 45 41 30 2d 31 45 46 39 2c 55 2b 32 30 41 42 3b 7d 40 66 6f 6e 74 2d 66 61 63 65 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 52 6f 62 6f 74 6f 27 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 73 72 63 3a 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6d 43 6e 71 45 75 39 32 46 72 31 4d 75 37 47 78 4b 4f 7a 59 2e Data Ascii: -0111,U+0128-0129,U+0168-0169,U+01A0-01A1,U+01AF-01B0,U+0300-0301,U+0303-0304,U+0308-0309,U+0323,U+0329,U+1EA0-1EF9,U+20AB;}@font-face{font-family:'Roboto';font-style:normal;font-weight:400;src:url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu7GxKOzY.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49742	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:03:53 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Dg+uS4uaRpFXHHv&MD=p8faHFV4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-04 08:03:54 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: f10af373-66b1-4643-b801-0a30e862d558 MS-RequestId: 852763db-e7d4-4f48-8cb2-ed7ceae38f24 MS-CV: GgwetmMx5ESruWMU.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 04 May 2024 08:03:54 GMT Connection: close Content-Length: 25457
2024-05-04 08:03:54 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-04 08:03:54 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49746	142.250.189.14	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:04:18 UTC	539	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://ogs.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://ogs.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-04 08:04:18 UTC	515	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://ogs.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Sat, 04 May 2024 08:04:18 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49747	142.250.189.14	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:04:19 UTC	947	OUT	POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Content-Length: 787 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Content-Type: text/plain;charset=UTF-8 X-Goog-AuthUser: 0 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Origin: https://ogs.google.com X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://ogs.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=513=XmH_gibrb4C3PvdgFV5OZbumoUeiL2En-lB_mjdL1cfaDi8oeDU1Od-r8cqdfqnp62p7q5vvXgHyq3CODyYE3k6oDEfBhu8op1NMjAiitcAwEd0n2u33siAF_uBH7vM5Q-64c9VE5vLTbIJZQ3q3pkF8-Rst9oPmLdWSZE3mJSc
2024-05-04 08:04:19 UTC	787	OUT	Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 6f 6e 65 67 6f 6f 67 6c 65 68 74 74 70 73 65 72 76 65 72 5f 32 30 32 34 30 34 33 30 2e 30 31 5f 70 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 22 5d 2c 5b 34 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_onegooglehttpserver_20240430.01_p1",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.132"],[4,0,0,0,0]]],1
2024-05-04 08:04:19 UTC	920	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://ogs.google.com Cross-Origin-Resource-Policy: cross-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web Set-Cookie: NID=513=EYr6cnrRAAEbx9B9S_C9cajnLlaQBUmKFyzMrUZBAei_V9LOYiMmisV7U6YkKONCPJujzzrOGtgJy-9KwtEqX54XUPzbdgb3ce54RAyN2Dm9W0bQ1cITNvw07xv6LQ9qFjNMhp5tHHb8WTnaZfrfWxGxfg3yeVVD9myKTJFBkTU; expires=Sun, 03-Nov-2024 08:04:19 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Type: text/plain; charset=UTF-8 Date: Sat, 04 May 2024 08:04:19 GMT Server: Playlog Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Expires: Sat, 04 May 2024 08:04:19 GMT Connection: close Transfer-Encoding: chunked
2024-05-04 08:04:19 UTC	137	IN	Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
2024-05-04 08:04:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49748	142.250.68.110	443	4980	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-04 08:04:19 UTC	664	OUT	GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=513=EYr6cnrRAAEbx9B9S_C9cajnLlaQBUmKFyzMrUZBAei_V9LOYiMmisV7U6YkKONCPJujzzrOGtgJy-9KwtEqX54XUPzbdgb3ce54RAyN2Dm9W0bQ1cITNvw07xv6LQ9qFjNMhp5tHHb8WTnaZfrfWxGxfg3yeVVD9myKTJFBkTU
2024-05-04 08:04:20 UTC	270	IN	HTTP/1.1 400 Bad Request Date: Sat, 04 May 2024 08:04:20 GMT Content-Type: text/html; charset=UTF-8 Server: Playlog Content-Length: 1555 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-04 08:04:20 UTC	985	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 30 20 28 42 61 64 20 52 65 71 75 65 73 74 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 400 (Bad Request)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-
2024-05-04 08:04:20 UTC	570	IN	Data Raw: 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 Data Ascii: -image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-rep

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 4, 2024 10:02:53.356204987 CEST	587	49704	91.235.128.141	192.168.2.5	220-cp5ua.hyperhost.ua ESMTP Exim 4.96.2 #2 Sat, 04 May 2024 11:02:51 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
May 4, 2024 10:02:53.357381105 CEST	49704	587	192.168.2.5	91.235.128.141	EHLO 358075
May 4, 2024 10:02:53.696346998 CEST	587	49704	91.235.128.141	192.168.2.5	250-cp5ua.hyperhost.ua Hello 358075 [81.181.54.104] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
May 4, 2024 10:02:53.696578026 CEST	49704	587	192.168.2.5	91.235.128.141	STARTTLS
May 4, 2024 10:02:54.037676096 CEST	587	49704	91.235.128.141	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	10:02:50
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\0e46.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0e46.scr.exe"
Imagebase:	0xa30000
File size:	602'624 bytes
MD5 hash:	77DCF984A36098A6E855C54FA36CD5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector02, Description: Detects downloader injector, Source: 00000000.00000002.2002461828.00000000054B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2001634046.0000000003F7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:02:50
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\0e46.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0e46.scr.exe"
Imagebase:	0x80000
File size:	602'624 bytes
MD5 hash:	77DCF984A36098A6E855C54FA36CD5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.3250604761.0000000002469000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.3249046802.0000000000502000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.3250604761.000000000243E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.3250604761.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.3250604761.00000000023F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:03:05
Start date:	04/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:03:07
Start date:	04/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=2040,i,3301420170973166231,14062020265948935474,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	77.8%
Total number of Nodes:	27
Total number of Limit Nodes:	1

Executed Functions

Function 01459150 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xnq, xrefs: 0145917F
$jq, xrefs: 01459166

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID:
String ID: Xnq$$jq
API String ID: 0-65531410
Opcode ID: c40d1279de5be6bae0e2328b33f59ee17406b3b6558bd320c740e2d3e3534ce6
Instruction ID: 838298af20fa791dcac394ca01ebf18f79c0ecb17362487ac0b0030282537f47
Opcode Fuzzy Hash: c40d1279de5be6bae0e2328b33f59ee17406b3b6558bd320c740e2d3e3534ce6
Instruction Fuzzy Hash: 8D818034B04259EBDB58EF79945427E7AB7BFC8700F05852EE406EB299DE34DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 0145AA28 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 0145B1D8

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 99de178b824df6f2cacbef063e6454426bbf9eb63c301f58b7606ef05bb9bfdf
Instruction ID: 81a4e72bc60d33867d805ec3c1dbdc0683b4ad28faa11205ca79e46d559f2877
Opcode Fuzzy Hash: 99de178b824df6f2cacbef063e6454426bbf9eb63c301f58b7606ef05bb9bfdf
Instruction Fuzzy Hash: 1252D370D01229CFDB64DF69C994BDEBBB2BF89300F5081EA9509A72A5DB345E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01459B1C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0145B729

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e3001a5ae1e81be10311e455c12ac6222d34b2e0ef61dce4b107ed88b6cfdd40
Instruction ID: 567ef36c71e64398893650d775c8da60f0a1dfbfb61e7c1b280a4cd3b0b0b0a6
Opcode Fuzzy Hash: e3001a5ae1e81be10311e455c12ac6222d34b2e0ef61dce4b107ed88b6cfdd40
Instruction Fuzzy Hash: 7581C074C00259DFDB65CFA9C980BEDBBF6BB09300F1091AAE509B7221DB749A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0145A600 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0145A6D3

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f92e39b72f1449730fb7ffefa3933339c811791db1a039cc9582a40fb9229f89
Instruction ID: c7f2b3b2ba119b028e91ad2757c7d7dd05fd6a69bfb17d883fdc28b57f2134a7
Opcode Fuzzy Hash: f92e39b72f1449730fb7ffefa3933339c811791db1a039cc9582a40fb9229f89
Instruction Fuzzy Hash: E5418BB5D012589FCF00CFA9D984ADEFBF1BF49310F24902AE819B7250D735AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 01459B40 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0145BA35

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: fda18f097a985fcefa397fdb45a40f48a44527c13d7c056bbafe7cc60c9d4011
Instruction ID: c0e99f061a62fbd48c167739bf292674559bfe39895993c009e05507814a9d72
Opcode Fuzzy Hash: fda18f097a985fcefa397fdb45a40f48a44527c13d7c056bbafe7cc60c9d4011
Instruction Fuzzy Hash: E54177B9D042589FCF10CFAAD984AEEFBB5FB19310F10902AE914B7211D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0145A758 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0145A802

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c626c7ffa00444344552c72ec155083fbbf2ebc12be717b80645993bddd9b8a4
Instruction ID: 8c7d1410bf0f66c6798a3058f9af37374d3db1e5c1d1ad4cf40211d40be2f0e3
Opcode Fuzzy Hash: c626c7ffa00444344552c72ec155083fbbf2ebc12be717b80645993bddd9b8a4
Instruction Fuzzy Hash: 103188B8D002589FCF10CFA9D984A9EFBB5BF49310F10942AE819B7310D735A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0145A4D8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0145A587

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7bc91fa43ad0b1aa93751b492676ddd6ff330f6add73cc0c0d0d0af6acc8b642
Instruction ID: 1cdd71559263652acec7d7e6274640a86a8683b9b6857f47379f276dd6105d30
Opcode Fuzzy Hash: 7bc91fa43ad0b1aa93751b492676ddd6ff330f6add73cc0c0d0d0af6acc8b642
Instruction Fuzzy Hash: 5A31BDB4D012589FCB10DFAAD984AEEFBF1BF49314F24802AE418B7250D738A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01459B28 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64GetThreadContext.KERNEL32(?,?), ref: 0145B922

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0bf17321ed9090abbbd75a38dcadc0bd5184653ca1d6cb5d5023b91d555075fd
Instruction ID: cde50e8625a5cf782fdca7c18169b098b99e43aeee1c3bd00ca18e423001a947
Opcode Fuzzy Hash: 0bf17321ed9090abbbd75a38dcadc0bd5184653ca1d6cb5d5023b91d555075fd
Instruction Fuzzy Hash: B6319AB4D012589FCB10CFAAD484AAEFBF1FB09310F14902AE818B7311D378A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0145A878 Relevance: 1.6, APIs: 1, Instructions: 73
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 0145A8F6

Memory Dump Source

Source File: 00000000.00000002.2001153280.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1450000_0e46.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5d09bb392f0b1b0bf6de8c956f986ad446e7ef25126d0c432c9e8f7823e05459
Instruction ID: 09ae0c293a3205b6697eb0d0bf4e589759c3aa2e64d65d8a991782d9826f1d4c
Opcode Fuzzy Hash: 5d09bb392f0b1b0bf6de8c956f986ad446e7ef25126d0c432c9e8f7823e05459
Instruction Fuzzy Hash: 5031ACB4D012189FCB14DFAAD984A9EFBB5FF49310F10942AE819B7310C735A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013BD4CC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000918846.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13bd000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2812321bcb8c61b0ffb9aa1b6c62e4ba42352a8e24a5952ff32fdc634fd2f1
Instruction ID: eb5bdedbd7fbcab46d39185cd4b921e8bbf47f6b986b634c96d6e34f71f82bff
Opcode Fuzzy Hash: 7f2812321bcb8c61b0ffb9aa1b6c62e4ba42352a8e24a5952ff32fdc634fd2f1
Instruction Fuzzy Hash: E2216A71500204DFDB05DF98D9C0F66BF65FB9831CF20C56ADA090B656D33AD446C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 013BD4C7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000918846.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13bd000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: fc705315f7782224760e3ea646e4bd26197f3c138183eab87549d0b45058dcf0
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 82112672404244CFCB06CF54D9C4B56BF72FB88318F24C6AAD9090B657C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 0e46.scr.exePID: 940, Parent PID: 652COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 0238B06F Relevance: 2.8, Instructions: 2757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258cabebf4d0facbf3d15b07b7952f2fbeeb9c4beef5a51f70dcd9bb5812500c
Instruction ID: d41378a04033964fa569d94271d1607099f9b4b18b2ca761cfb1e5117b5514bd
Opcode Fuzzy Hash: 258cabebf4d0facbf3d15b07b7952f2fbeeb9c4beef5a51f70dcd9bb5812500c
Instruction Fuzzy Hash: 8253E971D10B1A8ACB11EF68C8446A9F7B1FF99300F51D79AE4587B121FB70AAD4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0238CE80 Relevance: 2.3, Instructions: 2318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f07694da96947d6a47ebfbda62ffb765fd136645b4835cc3d302d37611f8975
Instruction ID: 08f9c53663b10cf192f63991098af8cefe543fc0b160d59d7a8b8029f6971f16
Opcode Fuzzy Hash: 9f07694da96947d6a47ebfbda62ffb765fd136645b4835cc3d302d37611f8975
Instruction Fuzzy Hash: 00332131D107198ECB15EF68C88069DF7B1FF89300F55D69AE458AB125EB70EAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02384A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27b94fd9b2b8118ebf9b12d65839a1137d4c19e7320b9a65a8cc3c45820a736
Instruction ID: 3459225e8ebb07d936b53e3456bf4861a16f49172f903b5633df18c806aa166a
Opcode Fuzzy Hash: e27b94fd9b2b8118ebf9b12d65839a1137d4c19e7320b9a65a8cc3c45820a736
Instruction Fuzzy Hash: FAB18D70E0030A9FDB10DFA9C9817ADBBF6BF88314F148129D915EB694EB349845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02383E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9154dcea73cb7d674aabdfd1d8a47cefdea5448aa79ee7a0d1ecc445fa596a07
Instruction ID: a0cfd3f2bc45c2def17e564732aa211d9a2ecd44ba1ce09490bb8c2a612e1711
Opcode Fuzzy Hash: 9154dcea73cb7d674aabdfd1d8a47cefdea5448aa79ee7a0d1ecc445fa596a07
Instruction Fuzzy Hash: 40916070E1030A8FDB14DFA9C9857AEBBF2BF88704F148129E515AB754EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02386EDA Relevance: 2.6, Strings: 2, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRjq, xrefs: 02386FFC
LRjq, xrefs: 02386F0E

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID: LRjq$LRjq
API String ID: 0-348097489
Opcode ID: ffe52a734d53191532b6ea762530112ecdce784d0b6588a6bdeb135ae342f2c3
Instruction ID: 2f4a9bb9ba05f0f1a4fd19b2097aa45957e268812f7d361207789968fa0ffde6
Opcode Fuzzy Hash: ffe52a734d53191532b6ea762530112ecdce784d0b6588a6bdeb135ae342f2c3
Instruction Fuzzy Hash: 6251CF70A003199FDB25EF78C4517AEB7B6EF85300F20846AE405EB391EB719C46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0599E188 Relevance: 1.6, APIs: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3253527798.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5990000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6902e9ec2096cd527347ba17497639516075252bc65961faa10f4995db74126d
Instruction ID: 7ddb4b36bac83b1899694235bef568b91d5a3e2bce3b472a68bda0c2c5d15ed9
Opcode Fuzzy Hash: 6902e9ec2096cd527347ba17497639516075252bc65961faa10f4995db74126d
Instruction Fuzzy Hash: 72410472D043558FCB14CFAAD8446EEBFF5EF89210F1485AAD408A7251DB78A885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0599E270 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0599E2D7

Memory Dump Source

Source File: 00000001.00000002.3253527798.0000000005990000.00000040.00000800.00020000.00000000.sdmp, Offset: 05990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5990000_0e46.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b9bd1705f06351b05d103600357307346b442c9ec23795161680157e88f4db5f
Instruction ID: 560bf037b2e59fa909191a679955eebbbab5c717df4cf5208ba32ffccf9835da
Opcode Fuzzy Hash: b9bd1705f06351b05d103600357307346b442c9ec23795161680157e88f4db5f
Instruction Fuzzy Hash: 5A11EFB1C006599BCB10DFAAC544BDEFBF8BF48320F15816AE918A7240D778A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 0238F3BD Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

PHjq, xrefs: 0238F50B

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID: PHjq
API String ID: 0-751881793
Opcode ID: d97a4bf1a6d19a0120b37a9ef9dd655205fb43fa014f918c9657859e788b3f44
Instruction ID: 3158c770c912c4226b5ec7b02a1fc0935fbce84f0ff64135908295c49a9a7b8d
Opcode Fuzzy Hash: d97a4bf1a6d19a0120b37a9ef9dd655205fb43fa014f918c9657859e788b3f44
Instruction Fuzzy Hash: 7941CC30B003008FCB19AB34965476F7BE6AF8A210FA44569D406DF3AAEF35DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02386F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRjq, xrefs: 02386FFC

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: b8bc9f9f0ef77b8bc600d31f47f2b6f5ac4278e63f1962fdaf440430bb069f55
Instruction ID: 5f9c19856f4111340df0318672c71876da63b12664012a959bb0f1cf0b873be6
Opcode Fuzzy Hash: b8bc9f9f0ef77b8bc600d31f47f2b6f5ac4278e63f1962fdaf440430bb069f55
Instruction Fuzzy Hash: 35318F74E103098BDB15DFA4D95179EF7B6EF85300F208526E505EB250DB71D946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02386B8F Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

LRjq, xrefs: 02386BD7

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID: LRjq
API String ID: 0-665714880
Opcode ID: 2f757135fc2e40a5068f1d4d80294e3f5a5f39a5b6562e1ae13627039f9154c6
Instruction ID: b3ccb5200f8bfda50525a20e32a6276ecc1d90088519565740b6401c0e5ec465
Opcode Fuzzy Hash: 2f757135fc2e40a5068f1d4d80294e3f5a5f39a5b6562e1ae13627039f9154c6
Instruction Fuzzy Hash: 5C1127717082805FC717AB78945466E7FB6EF86300B1588EFD042CB2A6DE348842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0238790A Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb02887c87496efeed85b5e3c9dd45a8d464dd6336af39140d64088c838af59
Instruction ID: 19bac19491677a82ce80b4ef3d63158191f80ec66d46a43a7efcfdfd3cc75e0a
Opcode Fuzzy Hash: fdb02887c87496efeed85b5e3c9dd45a8d464dd6336af39140d64088c838af59
Instruction Fuzzy Hash: 69126A757002058FDF1ABB38E98572972ABEB89318F605939E105CB765CF75EC86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02389364 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1607802ada0fd45836ceec7c30630d32b0b34c67ffa9a572535e1d4e0a2f69
Instruction ID: 04f76bce3c20aee16f744b1b7e6460e9ace1a1e10bde317a2bcaa845654436fe
Opcode Fuzzy Hash: 5d1607802ada0fd45836ceec7c30630d32b0b34c67ffa9a572535e1d4e0a2f69
Instruction Fuzzy Hash: 3DE17C34A002058FDB14EFA5D594BBDBBF6EB89311F248469E406EB3A5DB35DD42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 023896E0 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b6de3cd18e013ca3f640acba2115df74fa3e48202eeb80d1a1681d7e9339be
Instruction ID: 562a952251f359615babf5490e43d34025b4a68df7a3985cea28b0d12196f38a
Opcode Fuzzy Hash: 71b6de3cd18e013ca3f640acba2115df74fa3e48202eeb80d1a1681d7e9339be
Instruction Fuzzy Hash: 99D1AC71A002058FDB14EFA9D9807AEBBB6FF89310F20856AE409EF395D774D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02384A8E Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d3c3b82c3244d3144091483d455296b75e48af6cc402c2fb8875868f4be77c
Instruction ID: 48bfac3a5f381241f7ba1eeeb51381b2003d666164772788df53eea40cb8f66f
Opcode Fuzzy Hash: 54d3c3b82c3244d3144091483d455296b75e48af6cc402c2fb8875868f4be77c
Instruction Fuzzy Hash: 8AB16BB0E0030A9FDB10EFA8C98179DBBF5BF48314F248129E954EB654EB749885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02383E76 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611b519fbd5be14c1491d74a13760ad2521a9c58cad9cb09f2a58d70c741b8f2
Instruction ID: 5e686ab8d5b9b8af32b36f2c9fb922f60e7ea08d80190c99a78ebae7ae97aec4
Opcode Fuzzy Hash: 611b519fbd5be14c1491d74a13760ad2521a9c58cad9cb09f2a58d70c741b8f2
Instruction Fuzzy Hash: 34914CB0E1030ACFDB10DFA9C9857AEBBF2BF48704F148129E515AB754EB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02384810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa38e52ea789eae19f9c122d85e102c38c596eca25a8c397a3eb4c2faad4276
Instruction ID: f1862ff4499bbe80f94c0b85301c5828b584081157886c21e768f9aa5464c33b
Opcode Fuzzy Hash: 3fa38e52ea789eae19f9c122d85e102c38c596eca25a8c397a3eb4c2faad4276
Instruction Fuzzy Hash: 4C716CB0E0034ACFDB14EFA9C98079EBBF2BF88314F148129E515AB654EB749841CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02384804 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a35087cf4b9c69f283f9f02cb940f35785112d2012f28ddbb4f27ea7325c1e8
Instruction ID: f75e42424355b9305f1af3243fefc8afd52ebd198e3a79a7968b3ac07f80ad97
Opcode Fuzzy Hash: 0a35087cf4b9c69f283f9f02cb940f35785112d2012f28ddbb4f27ea7325c1e8
Instruction Fuzzy Hash: 85716AB0E0034ACFDB10EFA9C98479EBBF1BF88314F148129E515AB654EB749841CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02386CDC Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd788b6bee0d52494499e4c12f9fd55a07e5896017b82c89e1d260dca52a474b
Instruction ID: 07a40808b2464dda8b15857d5e95ec26fc12bfba7797861683e0932cf0867b81
Opcode Fuzzy Hash: cd788b6bee0d52494499e4c12f9fd55a07e5896017b82c89e1d260dca52a474b
Instruction Fuzzy Hash: FE512371D003188FDB14DFAAC985B9DFBB5BF48700F14851AE819AB3A5D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02386CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305c255e452716fbdd750bfed80e7454801736c47da5737aec1e37b9e500ccd2
Instruction ID: 36466f03d65fa7f74bb055cdfc9936de377ace45c6a73143baa6c32214e15cf0
Opcode Fuzzy Hash: 305c255e452716fbdd750bfed80e7454801736c47da5737aec1e37b9e500ccd2
Instruction Fuzzy Hash: 9D512371D003188FDB18DFAAC985B9DBBB5BF48704F14841AE819BB365D774A844CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02381128 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125d5b62284aec96b454365b472a1e5de745a7f498449f8c7969363037e91cd8
Instruction ID: ca9e7f2c215d94ed791c26f5bdfc51731881b6cdd954c01eb90cd3bd24bb3794
Opcode Fuzzy Hash: 125d5b62284aec96b454365b472a1e5de745a7f498449f8c7969363037e91cd8
Instruction Fuzzy Hash: 6E51F375245146CFC706EF68F9C1D5B3F6DFB96314B84496AD0048B27DDB70A91ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 02381138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741385eeca9446c53b97795689b9c5c0657d08c5075cd10e1b0a5538527fd0a0
Instruction ID: f78503385194f4d2aed8db1d210b2bad87872dbec97e953065412d7bab9791b9
Opcode Fuzzy Hash: 741385eeca9446c53b97795689b9c5c0657d08c5075cd10e1b0a5538527fd0a0
Instruction Fuzzy Hash: 2751AD79255146CFC70AFF68F9C1D6B3B6EFB96314B80496AD0048B27DDB70A919CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0238F280 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062973b6177c18f2aa44567eb8a9c4aa287e05beabc43fcfa80227311f8bbb3e
Instruction ID: aaab6e24cc26efd569ed5245db0ba4a668fc4f2535608334ad3678234335852a
Opcode Fuzzy Hash: 062973b6177c18f2aa44567eb8a9c4aa287e05beabc43fcfa80227311f8bbb3e
Instruction Fuzzy Hash: 8D319E34E003069BDB15EF65D99469EB7F6EF89310F108569E805EB754DB74EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 023826DC Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eba6ce92172824bab170c8e8ac513844fa35c880dace1a531c72e35e191b71d9
Instruction ID: c57766b12393190e172f199246a0c2a835a291f2cff18dad239fb2462566c8a3
Opcode Fuzzy Hash: eba6ce92172824bab170c8e8ac513844fa35c880dace1a531c72e35e191b71d9
Instruction Fuzzy Hash: 8141FFB0D003499FDB10DFA9C584ADEBFF5FF48310F24842AE809AB254DB75A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0238F290 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e336dc51d3001867ca9c9794f9fc3c365a9bcc54baa23c7f3ea49077d4b4c55d
Instruction ID: db1e8c97d7866013e4d4c1f2842a44dca0b02583f06b8b39071fb8feab7c1ea1
Opcode Fuzzy Hash: e336dc51d3001867ca9c9794f9fc3c365a9bcc54baa23c7f3ea49077d4b4c55d
Instruction Fuzzy Hash: F4317C34E003099BDB19EF69D9546AEB7B6FF89300F508529E806EB754DB74EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 023826E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7060ee0620ebd419c3d2cf8031799668e355c832298bda36b6e0ccad178214
Instruction ID: 01c6292e02d60a23827a37391ae3475b676fae4970ab94ce9b81290f8ffb8310
Opcode Fuzzy Hash: 2e7060ee0620ebd419c3d2cf8031799668e355c832298bda36b6e0ccad178214
Instruction Fuzzy Hash: 9941EEB0D003489FDB14DFAAC584ADEBFF5FF48310F24842AE809AB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 023850A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f70cfdca17f5d576a1320f5565b0e7725a160ca08cfef21e67f9c3df8df0d5c
Instruction ID: 4c02cb3029625f705f62ee3518437d86ca112000f49abc7e2de840132eb079ff
Opcode Fuzzy Hash: 1f70cfdca17f5d576a1320f5565b0e7725a160ca08cfef21e67f9c3df8df0d5c
Instruction Fuzzy Hash: 19310674600315CFDB28FB74C9516AE77B6AF89344FA10469D806AB3A8DB36DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02385098 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5ec74d8ef2c547e28e3787265f467cffac30e3e5c27575561ebc98321b20e5
Instruction ID: 50ce7e3885b8fbfc6f7c276d1a1db381a4fb5e85d39f460546e71560ced47cb3
Opcode Fuzzy Hash: cf5ec74d8ef2c547e28e3787265f467cffac30e3e5c27575561ebc98321b20e5
Instruction Fuzzy Hash: 3E311874600315CFDF29FB74C9516AE77B6AF89344FA104A9D805AB3A8DB36CC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0238924F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121c4b1ffbb23a3ef8c75f075c26ed1d59163972d0d870df5508fbe0629968d4
Instruction ID: 83c884a37bb559a86b76d5a3029b56083135e32415eefb65f46e7bdf6b9064fb
Opcode Fuzzy Hash: 121c4b1ffbb23a3ef8c75f075c26ed1d59163972d0d870df5508fbe0629968d4
Instruction Fuzzy Hash: 8531A030E102099BDB05EFA5D9507AEB7B6EF8A300F10C529E805AF355DB70D886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 023816A2 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a157d20d90cb4369a4601d6bdb0c08baca5b50d63dc498e50c1c15358dec52cd
Instruction ID: 721faeb756aa9df37806e89b3f9e31f90af5fbdcc42057e58b08e1125056e230
Opcode Fuzzy Hash: a157d20d90cb4369a4601d6bdb0c08baca5b50d63dc498e50c1c15358dec52cd
Instruction Fuzzy Hash: 0621A6746002414FDF26FB34E9C4B6A3B6DEB85324F500A69D48ECF26ADB35D846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0238137F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1596fc28636601848cb6c2979cbdbb75022f0430381532cc488aadedbb00549
Instruction ID: e20e99f4e134918a4f3bf59d09ffa71993797b8466ec9359d337ecd106f16c80
Opcode Fuzzy Hash: b1596fc28636601848cb6c2979cbdbb75022f0430381532cc488aadedbb00549
Instruction Fuzzy Hash: 0B217C74B003018FDF266A28E5887693B7DDB46329F90082AE58ECF695DB65D887C742

Uniqueness

Uniqueness Score: -1.00%

Function 02389260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbf4c0bd20b90ecd8f637b3cee00f1d90be4ee92f14e53a81795f9349293771
Instruction ID: 96149e2d77facbac472c9bd8cf79fe090c286c6bc84adf8b4cd20dffa55ec2b0
Opcode Fuzzy Hash: dbbf4c0bd20b90ecd8f637b3cee00f1d90be4ee92f14e53a81795f9349293771
Instruction Fuzzy Hash: 16216F30E1030A9BDB05DFA5D9807AEB7B6FF89300F108529E805AB355DB70D845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02389150 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61dd0d2a274304d17fb1e00eda2a83ddf24e996843ee22a290a3145a1618b3a
Instruction ID: e6dcb9eda740840303e584f730bed7081554cb73ade473d7b5d5caacb767c5c7
Opcode Fuzzy Hash: c61dd0d2a274304d17fb1e00eda2a83ddf24e996843ee22a290a3145a1618b3a
Instruction Fuzzy Hash: F121B030E043099BDB19DFA4D9547EEF7B2AF89300F10862AE812BB350DB70AD46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02381878 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55044e5227fff8b94fe5a19fb6147bf440f95905a5220861f8a1a82d60d11568
Instruction ID: eab2875ad27ed5cae3559c9a8ab6ad058135f0ef45a252a55acb65117c7bcdda
Opcode Fuzzy Hash: 55044e5227fff8b94fe5a19fb6147bf440f95905a5220861f8a1a82d60d11568
Instruction Fuzzy Hash: 75213B71B003098FDB24EB78C5557AE77B6AF49304F200469D48AFB364EB368D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02384F8A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4657adf7196f7ffdefdcf95ecc94a35b678c02731b663c120ec64c60d50ecb90
Instruction ID: b193e16a11ac9cb8af8632dcdda00743df635022b907f598730e241453cb9cd8
Opcode Fuzzy Hash: 4657adf7196f7ffdefdcf95ecc94a35b678c02731b663c120ec64c60d50ecb90
Instruction Fuzzy Hash: 182126B4600205CFCB14EF79C959BAEB7F2AF89304F5104A9E406EB361DB329D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250021208.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aad000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52b3f9f5d7b25aa4ef52e7abdf78fae97a78536f95d7bab1c7d9ba4f4b52cb5
Instruction ID: 3d028e38ae8ad7c8cd3006831ed2e50a82a727978e910fbf41ed06e96b29a061
Opcode Fuzzy Hash: d52b3f9f5d7b25aa4ef52e7abdf78fae97a78536f95d7bab1c7d9ba4f4b52cb5
Instruction Fuzzy Hash: 1C21F271504204DFCB14DF14D980B26BFA5FB89314F24C56ED98B4B696C33AD846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 02389160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507ba735261e659c79792e0b452a5bfb95f6f992ad55525af8b1929d3e812c04
Instruction ID: 39d238d2d1242c6610e4d97c227d1d3db3aa614045011322d7a94143ac7ecc64
Opcode Fuzzy Hash: 507ba735261e659c79792e0b452a5bfb95f6f992ad55525af8b1929d3e812c04
Instruction Fuzzy Hash: 92219234E003099BDB19DFA4D944BAEF7B2AF89300F10862AE815FB350DB70A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02381888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d943f20627773a958da44398f4a72db0dd93ad260e5f46d30f2598b02a2f5ed
Instruction ID: c7563e1dec4a6edfd9d1ecf4af9026dc672e2403fedb74e2f2b4fd47cb13eca6
Opcode Fuzzy Hash: 3d943f20627773a958da44398f4a72db0dd93ad260e5f46d30f2598b02a2f5ed
Instruction Fuzzy Hash: 95212870B003098FDB64FB68C6557AE77F6AF49304F200469D44AEB364EB369D42DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 023816B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baba859fd71082225dbfa4a998ffcd494f011f6d9614f5dd5cafb9582a33ff0
Instruction ID: b9778c072d889897af1cb563e2e5183163e3f84b448154bb8be0593d8dd75cd6
Opcode Fuzzy Hash: 0baba859fd71082225dbfa4a998ffcd494f011f6d9614f5dd5cafb9582a33ff0
Instruction Fuzzy Hash: 1C211F746402014FDB26FB38F984B6A376DEB85324F504A29E54ECB269DB38D846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02384F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2784786a0bc5ada056dc0ca91a14f4e243922dea3b6203682047a73e27c9f0f
Instruction ID: f7f986882897d5145d8cb427e6af26c36abdf09830125e3c0c14cd28075fe3f4
Opcode Fuzzy Hash: a2784786a0bc5ada056dc0ca91a14f4e243922dea3b6203682047a73e27c9f0f
Instruction Fuzzy Hash: 69211674600204CFDB14EB79C958BAE77F2AB89304F510468E406EB3A1DB329D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02380838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4985e114ff56e38c79ad1e687f6e9217ca99b151ccbd2a96eb861a70c2358ba0
Instruction ID: bffc4925bde29340d8d0068a722a181c1b0d4192d9e547865203f7269544c176
Opcode Fuzzy Hash: 4985e114ff56e38c79ad1e687f6e9217ca99b151ccbd2a96eb861a70c2358ba0
Instruction Fuzzy Hash: 75119434A443085FEF296A74D85137D3BA9EB46310F144979D446CF252DB65D8CD8FC1

Uniqueness

Uniqueness Score: -1.00%

Function 023817C0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0851f62b26637d550cf801816caa69a93f987631c4eb654c216c836a247b7595
Instruction ID: 27e6353980953d63e88adb7d20b0cb436eb471de9ed4c7200ec8923ef991c806
Opcode Fuzzy Hash: 0851f62b26637d550cf801816caa69a93f987631c4eb654c216c836a247b7595
Instruction Fuzzy Hash: F711A7F5F512158FCF21AB79644979F7BE9EB88711F10082AD549D7304DB3088128B81

Uniqueness

Uniqueness Score: -1.00%

Function 02380848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7e76a39073d6cba062d84c6211cc304ed5d3c047888596d03a700adf390bb2
Instruction ID: e212165fabf4fa6ff399f62848783002aa94a596513cbc037b6c277cef45114e
Opcode Fuzzy Hash: be7e76a39073d6cba062d84c6211cc304ed5d3c047888596d03a700adf390bb2
Instruction Fuzzy Hash: EF115134B403084FEF6DBA79D94572E3699EB86315F204939D006CF256DB65DCC98BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02381488 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1861af81dce130e17548b4ae8a242ebd945c3b73c66ce2742b37a8cfaa6f55
Instruction ID: c60323c81d5cde83cb11cb1e209944416e40832fd83a92fd72709141f459dfe6
Opcode Fuzzy Hash: ea1861af81dce130e17548b4ae8a242ebd945c3b73c66ce2742b37a8cfaa6f55
Instruction Fuzzy Hash: 9A111C31A013159BCF65AFB884612EE7BF6AF49220B154479D849EB241E735C843CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02381498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2467244f5852b08e0863f63c9c121b00b67b880d5d39afc51cd499f72713819b
Instruction ID: 8ab9d8d00452dc4c5766f53559c3951f7ea3156583a560701179fb9f7ae2abf0
Opcode Fuzzy Hash: 2467244f5852b08e0863f63c9c121b00b67b880d5d39afc51cd499f72713819b
Instruction Fuzzy Hash: D2014C31B013159FCB65FFB884502AEBBF6EF48210B24447AD84AEB341EB35D942CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250021208.0000000000AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_aad000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 5edada63b9882fcdc7f060e4c6684ec18b67e7c534a4dd935a575fc6aa3d3fef
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1511D075504280CFCB11CF14D5C4B15FF71FB85314F24C6AAD88A4B696C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02389890 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa778e973867118843ec265f378ee44a42ee395c3ca3aaeded7be318449a5346
Instruction ID: 984266f50b1e0301b44dbc3a0d5885648bbac0b4b74fc794539aed2120dd544a
Opcode Fuzzy Hash: aa778e973867118843ec265f378ee44a42ee395c3ca3aaeded7be318449a5346
Instruction Fuzzy Hash: DD118831A002044FCF14EF65D98479A7BB5EF85310F658174C80C5F2AAD774DD4AC791

Uniqueness

Uniqueness Score: -1.00%

Function 023880F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260c6ff46511fa7cf3d8cb43d5a9e4c8d5bb4834aac41ec27158b4a0b3fc9d0e
Instruction ID: c4bd803fe9828c62ea3a0c3849546713a788f6c6b734a5dc1ac258618985d43e
Opcode Fuzzy Hash: 260c6ff46511fa7cf3d8cb43d5a9e4c8d5bb4834aac41ec27158b4a0b3fc9d0e
Instruction Fuzzy Hash: 130188709052499FCB05EFA8FA926AD7BBDDF80300F504675C0059B269EE385E4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 02381524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0130464bee6123b0209bb0e859ea18100bab9f3fb77390780e1c880ca1b5bc2
Instruction ID: 504e3ea18b4f1390728bb3189c717a5bd38b156d672c729388928509ecbd36ee
Opcode Fuzzy Hash: d0130464bee6123b0209bb0e859ea18100bab9f3fb77390780e1c880ca1b5bc2
Instruction Fuzzy Hash: 3BF02B77A04350CFCB22ABF494502ACBBB5EE94221B1940E7C98ADF251D325D403CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02387090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b525e6ba0a8320699d45fafce5e8da5e888bbe49cfb9f6116c9541a73f9704
Instruction ID: a1f4d604c1a41697f0f6787953d9bc6af7d0ba9eed0c789205d61a904d64d360
Opcode Fuzzy Hash: e0b525e6ba0a8320699d45fafce5e8da5e888bbe49cfb9f6116c9541a73f9704
Instruction Fuzzy Hash: 23F01979B40208CFC714DB64D598A6CB7B2EF88311F5144A8E5068B3A4DB31AD02CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02388100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3250383514.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2380000_0e46.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e19823ca3cff1a8c6e78de760072b9710fa4fd21fdd7d8de630b64081f6968e
Instruction ID: 338373b666ea00d5fbc4ab5add36aab4e0d82eeecb4c5144abe261dc851547c9
Opcode Fuzzy Hash: 6e19823ca3cff1a8c6e78de760072b9710fa4fd21fdd7d8de630b64081f6968e
Instruction Fuzzy Hash: 94F01D70A001099FDB05EFA8FA919AD7BBDEF80300F50467880059B269EF396E49CB80

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0e46.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0e46.scr.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 76

Chrome Cache Entry: 77

Chrome Cache Entry: 78

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Windows Analysis Report
0e46.scr.exe

Function 01459150 Relevance: 2.8, Strings: 2, Instructions: 260
COMMON

Function 0145AA28 Relevance: 1.9, Strings: 1, Instructions: 615
COMMON

Function 01459B1C Relevance: 1.7, APIs: 1, Instructions: 223
processCOMMON

Function 0145A600 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Function 01459B40 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 0145A758 Relevance: 1.6, APIs: 1, Instructions: 101
memoryCOMMON

Function 0145A4D8 Relevance: 1.6, APIs: 1, Instructions: 94
threadCOMMON

Function 01459B28 Relevance: 1.6, APIs: 1, Instructions: 91
threadCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre